
(aws-iam): Inconsistency in resource grant permissions when importing a role using fromRoleName() and fromRoleArn() #28363

Open
mrlikl opened this issue Dec 14, 2023 · 3 comments
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management bug This issue is a bug. effort/medium Medium work item – several days of effort p2

Comments

@mrlikl
Contributor

mrlikl commented Dec 14, 2023

Describe the bug

The grant permissions are producing different synth outputs (missing permissions) when using fromRoleName() vs. fromRoleArn().

Example -

Bug behaviour

import * as iam from 'aws-cdk-lib/aws-iam';
import * as s3 from 'aws-cdk-lib/aws-s3';
import { Key } from 'aws-cdk-lib/aws-kms';

// Inside a Stack constructor:
const s3KmsKey = new Key(this, 'TestDataBucketKey');
const bucket = new s3.Bucket(this, 'TestDataBucket', {
  encryption: s3.BucketEncryption.KMS,
  encryptionKey: s3KmsKey,
});
// Role imported by name only (no account id in the identifier)
const role_from_name = iam.Role.fromRoleName(this, 'CDKRole', 'cdk-role');
s3KmsKey.grantEncryptDecrypt(role_from_name);
bucket.grantReadWrite(role_from_name);

In the resultant template, the bucket policy and KMS key policy will be missing permissions for the role. But an IAM policy will be created and attached to the role.

Expected -

import * as iam from 'aws-cdk-lib/aws-iam';
import * as s3 from 'aws-cdk-lib/aws-s3';
import { Key } from 'aws-cdk-lib/aws-kms';

// Inside a Stack constructor:
const s3KmsKey = new Key(this, 'TestDataBucketKey');
const bucket = new s3.Bucket(this, 'TestDataBucket', {
  encryption: s3.BucketEncryption.KMS,
  encryptionKey: s3KmsKey,
});
// Role imported by full ARN (account id included in the identifier)
const role_from_arn = iam.Role.fromRoleArn(
  this,
  'CDKRole',
  'arn:aws:iam::xxxxxxxxxxx:role/cdk-role',
);
s3KmsKey.grantEncryptDecrypt(role_from_arn);
bucket.grantReadWrite(role_from_arn);

In the above example, both the S3 policy and the KMS policy are updated with the role permissions, and an IAM policy is also created and attached to the role.

Expected Behavior

When using fromRoleName(), the resource policy as well as the IAM policy should be updated/modified.

Current Behavior

The resource policy is missing when using fromRoleName().

Reproduction Steps

In Description

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.114.1

Framework Version

No response

Node.js Version

18.18.2

OS

macos

Language

TypeScript

Language Version

No response

Other information

No response

@mrlikl mrlikl added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Dec 14, 2023
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Dec 14, 2023
@pahud
Contributor

pahud commented Dec 14, 2023

In the resultant template, the bucket policy and KMS key policy will be missing permissions for the role. But an IAM policy will be created and attached to the role.

I can't find any missing permissions.

Can you share more details in your CFN template on which permissions are missing?

@pahud pahud added p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Dec 14, 2023
@mrlikl
Contributor Author

mrlikl commented Dec 14, 2023

@pahud, I have updated the replication code. When using fromRoleName(), the result will be:

  1. There will be no KMS key policy for the imported role (only the default for the root will be there).
  2. No bucket policy resource will be present in the template at all. When using fromRoleArn(), a bucket policy will be created with the imported role in it.
  3. In both cases (fromRoleArn and fromRoleName) an IAM policy will be present with the imported role in it.
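The three differences listed above, and the bug description in the opening post, come down to where a grant lands in the synthesized template: in the KMS key policy and S3 bucket policy (resource-based) or only in an AWS::IAM::Policy attached to the role (identity-based). The audit below is an added example, not code from this issue or from aws-cdk-lib; it reads the CloudFormation JSON that `cdk synth` produces and reports, per role ARN, which of those policy types name the role, so a CI check can flag a change of role import silently moving a grant out of a resource policy. It needs no CDK dependency. The two templates at the bottom are constructed to mirror the outcomes the issue describes (placeholder account id 111111111111, names `TEMPLATE_FROM_ROLE_NAME`, `TEMPLATE_FROM_ROLE_ARN` and the helper names are all assumptions); they are not real synth output, and the example does not diagnose why CDK behaves differently.

```typescript
// Added example, not code from the issue or from aws-cdk-lib.
// Audits a synthesized CloudFormation template (the JSON `cdk synth` writes)
// for where a given IAM role was granted access: the KMS key policy, an S3
// bucket policy, and an identity-based AWS::IAM::Policy attached to the role.
// The two templates at the bottom are CONSTRUCTED to mirror the differences
// described in the issue; they are not real synth output.

type Json = any;

export interface GrantAudit {
  keyPolicyGrantsRole: boolean;     // an AWS::KMS::Key KeyPolicy names the role
  bucketPolicyPresent: boolean;     // at least one AWS::S3::BucketPolicy exists
  bucketPolicyGrantsRole: boolean;  // ...and its PolicyDocument names the role
  iamPolicyAttachedToRole: boolean; // an AWS::IAM::Policy lists the role in Roles
}

function resourcesOfType(template: Json, type: string): Json[] {
  return Object.values(template?.Resources ?? {}).filter((r: Json) => r?.Type === type);
}

// CDK frequently emits ARNs as intrinsics (Fn::Join, Ref, Fn::GetAtt).
// Stringifying the node lets a literal ARN be found regardless of nesting.
function mentions(node: Json, needle: string): boolean {
  return JSON.stringify(node ?? null).includes(needle);
}

function documentGrants(doc: Json, roleArn: string): boolean {
  const statements: Json[] = doc?.Statement ?? [];
  return statements.some(s => s?.Effect === 'Allow' && mentions(s.Principal, roleArn));
}

export function auditRoleGrants(template: Json, roleArn: string): GrantAudit {
  const roleName = roleArn.split('/').pop() ?? roleArn;
  const keys = resourcesOfType(template, 'AWS::KMS::Key');
  const bucketPolicies = resourcesOfType(template, 'AWS::S3::BucketPolicy');
  const iamPolicies = resourcesOfType(template, 'AWS::IAM::Policy');
  return {
    keyPolicyGrantsRole: keys.some(k => documentGrants(k.Properties?.KeyPolicy, roleArn)),
    bucketPolicyPresent: bucketPolicies.length > 0,
    bucketPolicyGrantsRole: bucketPolicies.some(p => documentGrants(p.Properties?.PolicyDocument, roleArn)),
    iamPolicyAttachedToRole: iamPolicies.some(p => mentions(p.Properties?.Roles, roleName)),
  };
}

// Returns the names of the checks that differ between two audits; a
// non-empty list is what a CI gate would flag when a role import changes.
export function diffAudits(a: GrantAudit, b: GrantAudit): string[] {
  return (Object.keys(a) as (keyof GrantAudit)[]).filter(k => a[k] !== b[k]);
}

// Constructed sample data (placeholder account id, not a real account).
export const ROLE_ARN = 'arn:aws:iam::111111111111:role/cdk-role';
const ROOT_ARN = 'arn:aws:iam::111111111111:root';
const allowRole = (actions: string[], resource: string) =>
  ({ Effect: 'Allow', Action: actions, Resource: resource, Principal: { AWS: ROLE_ARN } });
const rootStatement = { Effect: 'Allow', Action: 'kms:*', Resource: '*', Principal: { AWS: ROOT_ARN } };
const identityPolicy = {
  Type: 'AWS::IAM::Policy',
  Properties: {
    Roles: ['cdk-role'],
    PolicyDocument: { Version: '2012-10-17', Statement: [
      { Effect: 'Allow', Action: ['s3:GetObject*', 's3:PutObject*'], Resource: '*' },
      { Effect: 'Allow', Action: ['kms:Encrypt', 'kms:Decrypt'], Resource: '*' },
    ] },
  },
};

// Mirrors what the issue reports for fromRoleName(): default key policy only,
// no bucket policy resource, identity policy attached to the role.
export const TEMPLATE_FROM_ROLE_NAME = {
  Resources: {
    TestDataBucketKey: { Type: 'AWS::KMS::Key',
      Properties: { KeyPolicy: { Version: '2012-10-17', Statement: [rootStatement] } } },
    TestDataBucket: { Type: 'AWS::S3::Bucket', Properties: {} },
    CDKRolePolicy: identityPolicy,
  },
};

// Mirrors what the issue reports for fromRoleArn(): the role also appears in
// the key policy and in a bucket policy.
export const TEMPLATE_FROM_ROLE_ARN = {
  Resources: {
    ...TEMPLATE_FROM_ROLE_NAME.Resources,
    TestDataBucketKey: { Type: 'AWS::KMS::Key',
      Properties: { KeyPolicy: { Version: '2012-10-17',
        Statement: [rootStatement, allowRole(['kms:Encrypt', 'kms:Decrypt'], '*')] } } },
    TestDataBucketPolicy: { Type: 'AWS::S3::BucketPolicy',
      Properties: { Bucket: { Ref: 'TestDataBucket' }, PolicyDocument: { Version: '2012-10-17',
        Statement: [allowRole(['s3:GetObject*', 's3:PutObject*'], '*')] } } },
  },
};

console.log(auditRoleGrants(TEMPLATE_FROM_ROLE_NAME, ROLE_ARN));
console.log(auditRoleGrants(TEMPLATE_FROM_ROLE_ARN, ROLE_ARN));
console.log(diffAudits(auditRoleGrants(TEMPLATE_FROM_ROLE_NAME, ROLE_ARN),
                       auditRoleGrants(TEMPLATE_FROM_ROLE_ARN, ROLE_ARN)));
```

To use it against a real stack, load `cdk.out/<StackName>.template.json` with `JSON.parse` and pass it to `auditRoleGrants` with the role ARN you expect to be granted; substring matching on the stringified principal is deliberate, since CDK frequently wraps ARNs in `Fn::Join`, but it also means a tokenized account id (an unresolved `Ref` to `AWS::AccountId`) will not match a literal ARN, so compare against the form that actually appears in your template.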

@mrlikl
Contributor Author

mrlikl commented Dec 14, 2023

Is this because the imported role, when using fromRoleName(), is expected to be in the same account?

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Dec 14, 2023