Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

aws-iam: Make setting trust on roles more clear in overview and function descriptions #22550

Open
sean-beath opened this issue Oct 18, 2022 · 2 comments
Open

aws-iam: Make setting trust on roles more clear in overview and function descriptions #22550

sean-beath opened this issue Oct 18, 2022 · 2 comments
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management bug This issue is a bug. documentation This is a problem with documentation. effort/small Small work item – less than a day of effort p1

Comments

@sean-beath
Copy link
Contributor

Describe the bug

When running the grant_assume_role on a role with a Service Principle as the input, the role's trust policy is not updated.

Expected Behavior

I expect the role's trust policy to be updated.

Current Behavior

Nothing happens. If I change the Service Principle in the function and run a cdk diff, there is no difference in deployment suggesting the function is not doing anything.

Reproduction Steps

In Python:

        # Create new IAM role for DMS access to Redshift
        dmsRedshiftRole = iam.Role(self, "dmsRedshiftRole",
            assumed_by=iam.ServicePrincipal(
                "dms.{}.amazonaws.com".format(self.region)),
            description="IAM role to be used by DMS for access to Redshift",
            managed_policies=[iam.ManagedPolicy.from_aws_managed_policy_name(
                "service-role/AmazonDMSRedshiftS3Role")],
        )

        # Allow DMS role to be assumed by Redshift.
        dmsRedshiftRole.grant_assume_role(iam.ServicePrincipal("redshift.amazonaws.com"))

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.43.1

Framework Version

No response

Node.js Version

8.5.4

OS

Mac Monterey 12.5

Language

Python

Language Version

3.9.14

Other information

No response
@sean-beath sean-beath added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Oct 18, 2022
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Oct 18, 2022
@peterwoodworth
Copy link
Contributor

The grantAssumeRole function is a bit misleading here in that it isn't updating the trust policy of the role but rather granting the principal passed in to this action sts:AssumeRole permission. This ends up not doing anything because the principal here is a service who doesn't need to be granted this action, but rather needs to be in the trust policy.

To modify the trust policy after it's been created, you will want to access the PolicyDocument on Role.assumeRolePolicy

I think we should clarify this in the readme. I'm going to repurpose this issue as a docs issue

@peterwoodworth peterwoodworth added p1 effort/small Small work item – less than a day of effort documentation This is a problem with documentation. and removed bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Oct 18, 2022
@peterwoodworth peterwoodworth changed the title aws-iam: grant_assume_role function does not work aws-iam: Make setting trust on roles more clear in overview and function descriptions Oct 18, 2022
@sean-beath
Copy link
Contributor Author

The grantAssumeRole function is a bit misleading here in that it isn't updating the trust policy of the role but rather granting the principal passed in to this action sts:AssumeRole permission. This ends up not doing anything because the principal here is a service who doesn't need to be granted this action, but rather needs to be in the trust policy.

To modify the trust policy after it's been created, you will want to access the PolicyDocument on Role.assumeRolePolicy

I think we should clarify this in the readme. I'm going to repurpose this issue as a docs issue

Thanks for explaining :)

@peterwoodworth peterwoodworth mentioned this issue Nov 28, 2022
Closed
@aradyaron aradyaron mentioned this issue Dec 27, 2022
Closed
2 tasks
@pahud pahud mentioned this issue Mar 8, 2023
Closed
@peterwoodworth peterwoodworth added the bug This issue is a bug. label May 2, 2023
@peterwoodworth peterwoodworth removed their assignment May 15, 2023
@DavidLawes DavidLawes mentioned this issue Oct 12, 2023
Closed
1 task
stm29 added a commit to stm29/aws-cdk that referenced this issue Aug 17, 2024
@stm29
fix(aws-iam): Adding addPrincipalsToAssumedBy() to allow adding more …
7e0658e 
…principals to TrustRelationship of Role to overcome limitation of grantAssumeRole() (aws#22550)
@stm29 stm29 mentioned this issue Aug 17, 2024
Closed
1 task
@github-actions github-actions bot mentioned this issue Aug 19, 2024
Closed
@github-actions github-actions bot mentioned this issue Sep 1, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management bug This issue is a bug. documentation This is a problem with documentation. effort/small Small work item – less than a day of effort p1
Projects
None yet
Milestone
No milestone
3 participants
@rix0rrr @peterwoodworth @sean-beath