PolicyPrincipal assumeRoleAction should support multiple actions #2041
Comments
|
Still relevant. |
|
So I submitted a PR months ago and it was rejected due to L2 construct attribute rules. Without modifying that attribute, I'm uncertain how this would be achieved. Any tips would be helpful. Some ideas:
Would I need to modify any L1 classes or attributes? |
|
So I was looking at the CompositePrincipal class and it's still limited because it inherits from PrincipalBase where the assumeRoleAction is a string type. Wouldn't accepting an array for the action type allow multiple actions on a single principal and at least close this issue out? I'm trying to catch up on how all of these objects interact with the synthesizer (how they actually get translated into json cloudformation) as well, so if you could direct me to where that takes place I can read up on the code. I'm digging through the repo now. |
|
still relevant |
To allow session tagging, the `sts:TagSession` permission needs to be added to the role's AssumeRolePolicyDocument. Introduce a new principal which enables this, and add a convenience method `.withSessionTags()` to the `PrincipalBase` class so all built-in principals will have this convenience method by default. To build this, we had to get rid of some cruft and assumptions around policy documents and statements, and defer more power to the `IPrincipal` objects themselves. In order not to break existing implementors, introduce a new interface `IAssumeRolePrincipal` which knows how to add itself to an AssumeRolePolicyDocument and gets complete freedom doing so. That same new interface could be used to lift some old limitations on `CompositePrincipal` so did that as well. Fixes #15908, closes #16725, fixes #2041, fixes #1578.
To allow session tagging, the `sts:TagSession` permission needs to be added to the role's AssumeRolePolicyDocument. Introduce a new principal which enables this, and add a convenience method `.withSessionTags()` to the `PrincipalBase` class so all built-in principals will have this convenience method by default. To build this, we had to get rid of some cruft and assumptions around policy documents and statements, and defer more power to the `IPrincipal` objects themselves. In order not to break existing implementors, introduce a new interface `IAssumeRolePrincipal` which knows how to add itself to an AssumeRolePolicyDocument and gets complete freedom doing so. That same new interface could be used to lift some old limitations on `CompositePrincipal` so did that as well. Fixes #15908, closes #16725, fixes #2041, fixes #1578. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
To allow session tagging, the `sts:TagSession` permission needs to be added to the role's AssumeRolePolicyDocument. Introduce a new principal which enables this, and add a convenience method `.withSessionTags()` to the `PrincipalBase` class so all built-in principals will have this convenience method by default. To build this, we had to get rid of some cruft and assumptions around policy documents and statements, and defer more power to the `IPrincipal` objects themselves. In order not to break existing implementors, introduce a new interface `IAssumeRolePrincipal` which knows how to add itself to an AssumeRolePolicyDocument and gets complete freedom doing so. That same new interface could be used to lift some old limitations on `CompositePrincipal` so did that as well. Fixes aws#15908, closes aws#16725, fixes aws#2041, fixes aws#1578. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
currently, assumeRoleAction for PolicyPrincipals in the iam package doesn't support multiple actions and is defined as a string. Some orgs require assumeRole and assumeRoleWithSAML and this currently isn't possible. This type should support
string | Array<string>The text was updated successfully, but these errors were encountered: