aws-sns: Topic.grantPublish(...) creates identity policy assuming grantee is local to aws account. #29999
Comments
Hi @wbertore, thanks for reaching out. It is highly suggested to use the latest CDK version. Nevertheless, it looks like with the latest CDK version 2.139 and with CDK 2.77 I am able to successfully synth and deploy the code with the external user policy created.
This is the synthesized template, which has the policy for the external user mentioned in the code -
Snippet for the successful deployment with CDK 2.77 - However, I see some policy missing in the console, despite the deployment being successful. Diving deep to get to the root cause of what could be going wrong.
This is because (PoC):

```ts
import { Stack, StackProps, CfnOutput, aws_iam as iam } from 'aws-cdk-lib';
import { Construct } from 'constructs';

export class DummyStack extends Stack {
  constructor(scope: Construct, id: string, props: StackProps) {
    super(scope, id, props);
    const externalIamUser = 'arn:aws:iam::123456789012:user/OthersExternalIamUser';
    const externalIamRole = 'arn:aws:iam::123456789012:role/OthersExternalIamUser';
    // Same external account, imported once as a user and once as a role
    const granteeUser = iam.User.fromUserArn(this, 'OthersExternalIamUser', externalIamUser);
    const granteeRole = iam.Role.fromRoleArn(this, 'OthersExternalIamRole', externalIamRole);
    // Compare which account each import reports as its principalAccount
    new CfnOutput(this, 'principalAccountUser', { value: granteeUser.grantPrincipal.principalAccount! });
    new CfnOutput(this, 'principalAccountRole', { value: granteeRole.grantPrincipal.principalAccount! });
  }
}
```

Outputs:

See the different implementation between fromUserArn() and fromRoleArn(). We are getting the principal account with Aws.ACCOUNT_ID, which presumes it is always the same account, and that is the root cause of this bug. Making this a p1 bug.
By the way, it's generally not recommended to use an IAM user like that; an IAM role is always recommended. While this is a bug we need to fix, is there any reason you have to use iam.User rather than iam.Role?
### Issue # (if applicable)

Closes #29999

### Reason for this change

As described in the issue [comment](#29999 (comment)).

### Description of changes

### Description of how you validated changes

1. added more unit tests.
2. added a new integ test
3. I have deployed this in my AWS account

```ts
import {
  App,
  Stack,
  CfnParameter,
  aws_iam as iam,
  CfnOutput,
} from 'aws-cdk-lib';

const app = new App();
const stack = new Stack(app, 'dummy-stack');
const userArn = 'arn:aws:iam::123456789012:user/OthersExternalIamUser';
const userparam = new CfnParameter(stack, 'UserParameter', {
  default: userArn,
});
// Once from a literal ARN, once from a CloudFormation parameter (a token at synth time)
const imported = iam.User.fromUserArn(stack, 'imported-user', userArn);
const imported2 = iam.User.fromUserArn(stack, 'imported-user2', userparam.valueAsString);
new CfnOutput(stack, 'User', { value: imported.principalAccount! });
new CfnOutput(stack, 'User2', { value: imported2.principalAccount! });
```

And the output is correct:

```
Outputs:
dummy-stack.User = 123456789012
dummy-stack.User2 = 123456789012
```

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Describe the bug
When creating an external IAM user, such as with User.fromArn(...), and adding it to a topic resource policy with grantPublish, the underlying constructs will create an identity policy assuming the IAM user already exists in the stack. This fails on CloudFormation deployment.
Expected Behavior
It should create a resource policy on the SNS Topic and skip the identity policy if the grantee is from an external AWS account.
Current Behavior
Topic.grantPublish, Grant.addToPrincipalOrResource, and User.addToPrincipalPolicy will create a policy for the IAM user, assuming it is part of the stack's AWS account.
This fails on CloudFormation deployment.
Reproduction Steps
Make a test app and stack:
Synthesize the stack:
See the CloudFormation output:
Notice that CDK generates a Policy that references a user that doesn't exist in the CloudFormation stack.
Possible Solution
Add intelligence to the grantPublish procedure, or to the underlying calls in Grant or User, to compare the stack's AWS account against the user's AWS account and skip the identity policy creation.
Additional Information/Context
I am using an internal version of CDK for my company and cannot upgrade to the latest due to company library dependencies. It's possible this is fixed in the latest version (but unlikely, after reading the source code and revision history in aws-cdk).
CDK CLI Version
2.77.0
Framework Version
No response
Node.js Version
18
OS
MacOS Sonoma 14.4.1
Language
TypeScript
Language Version
5.0.4
Other information
No response
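The root-cause comment above contrasts fromUserArn() (principalAccount taken from Aws.ACCOUNT_ID) with fromRoleArn() (account parsed out of the ARN), and the Possible Solution asks grantPublish to compare the stack account against the grantee's account before emitting an identity policy. The block below is an added example written for this page, not aws-cdk-lib code: it models both ways of deriving the principal account and the comparison in plain TypeScript with no CDK dependency. The names (GrantPlan, planGrant, principalAccountAssumingLocal, principalAccountFromArn, demo) and the deploying account 111111111111 are constructed for illustration; the only detail borrowed from CDK is the `${Token[` marker it uses for unresolved string tokens.

```typescript
// Added example, not aws-cdk-lib code: models the account check proposed in
// the issue and the two principalAccount derivations the root-cause comment
// contrasts. All names here are illustrative, not the library's API.

/** What a grant would synthesize, at the CloudFormation resource level. */
interface GrantPlan {
  identityPolicy: boolean; // an AWS::IAM::Policy attached to the grantee
  resourcePolicy: boolean; // a statement on the topic's AWS::SNS::TopicPolicy
  reason: string;
}

/** CDK marks unresolved string tokens (e.g. Aws.ACCOUNT_ID) with "${Token[". */
function isUnresolved(value: string): boolean {
  return value.includes('${Token[');
}

/** Account field of an ARN: arn:partition:service:region:account:resource */
function accountFromArn(arn: string): string {
  const parts = arn.split(':');
  if (parts.length < 6 || parts[0] !== 'arn') {
    throw new Error(`not an ARN: ${arn}`);
  }
  return parts[4];
}

/** The 2.77 behaviour described in the root-cause comment: an imported user's
 *  principalAccount is the stack's own account, whatever the ARN says. */
function principalAccountAssumingLocal(stackAccount: string, _userArn: string): string {
  return stackAccount;
}

/** What fromRoleArn() already did: read the account out of the ARN itself. */
function principalAccountFromArn(userArn: string): string {
  return accountFromArn(userArn);
}

/** The check proposed under "Possible Solution": only emit an identity policy
 *  for a principal that is provably local. Accounts that are still tokens at
 *  synth time cannot be compared, so they fall through to the local path. */
function planGrant(stackAccount: string, granteeAccount: string): GrantPlan {
  if (isUnresolved(stackAccount) || isUnresolved(granteeAccount)) {
    return {
      identityPolicy: true,
      resourcePolicy: false,
      reason: 'account not resolvable at synth time; assumed local',
    };
  }
  if (stackAccount !== granteeAccount) {
    return {
      identityPolicy: false,
      resourcePolicy: true,
      reason: `grantee account ${granteeAccount} differs from stack account ${stackAccount}; ` +
        'an AWS::IAM::Policy here would reference a user this account does not own',
    };
  }
  return { identityPolicy: true, resourcePolicy: false, reason: 'grantee is local to the stack account' };
}

/** Reproduces the report on its own ARN (deploying account is constructed). */
function demo(): { buggy: GrantPlan; fixed: GrantPlan } {
  const stackAccount = '111111111111';
  const externalUser = 'arn:aws:iam::123456789012:user/OthersExternalIamUser';
  return {
    buggy: planGrant(stackAccount, principalAccountAssumingLocal(stackAccount, externalUser)),
    fixed: planGrant(stackAccount, principalAccountFromArn(externalUser)),
  };
}

const result = demo();
console.log('2.77 fromUserArn  ->', result.buggy);
console.log('account from ARN  ->', result.fixed);
```

Run it with ts-node or tsx. With the 2.77 derivation the external user is planned as local and an AWS::IAM::Policy is emitted, which is the template the reporter saw fail at deploy time; with the account parsed from the ARN only the topic policy is emitted. Note that a stack without an explicit env account exposes its account as a token, so this comparison can only be decided when the deploying account is known at synth time.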