aws-iam: spillover customer managed policy tag support #31343
Labels:
- @aws-cdk/aws-iam: Related to AWS Identity and Access Management
- effort/medium: Medium work item – several days of effort
- feature-request: A feature should be added or improved.
- p2
Describe the feature
IAM inline policy includes spillover for inline IAM policies that exceed the maximum length. Spillover creates overflow policies of type customer managed. The result is that the main inline policy is tagged, but the overflow customer managed policy is not. Add tag propagation support for the spillover policy.
Use Case
Resources created without tag propagation affect downstream pipeline validation rules being used in CloudFormation Guard.
Proposed Solution
No response
Other Information
No response
Acknowledgements
CDK version used
latest
Environment details (OS name and version, etc.)
All
Sample CDK code snippet which generates overflow:

```python
from aws_cdk import Duration, aws_iam

# Inside a Stack's __init__ (self is the Stack)
iam_role = aws_iam.Role(
    self,
    'IamRole',
    role_name = 'Quality_Assurance',
    max_session_duration = Duration.hours(12),
    assumed_by = aws_iam.FederatedPrincipal(
        f'arn:aws:iam::{self.account}:saml-provider/AzureAD',
        { 'StringEquals': { 'SAML:aud': 'https://signin.aws.amazon.com/saml' } },
        'sts:AssumeRoleWithSAML'
    )
)
```

Then we have a bunch of statements like the following to add permissions.

```python
iam_role.add_to_policy(aws_iam.PolicyStatement(
    actions = [
        'dynamodb:*Item',
        'dynamodb:Query',
        'dynamodb:Scan'
    ],
    resources = [
        f'arn:aws:dynamodb:{self.region}:{self.account}:table/made-up-name-1',
        f'arn:aws:dynamodb:{self.region}:{self.account}:table/made-up-name-2',
        f'arn:aws:dynamodb:{self.region}:{self.account}:table/made-up-name-3',
        f'arn:aws:dynamodb:{self.region}:{self.account}:table/made-up-name-4'
    ]
))
```
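A pipeline-side check for the gap described in this issue, added here as an example (not code from the CDK project or from the issue author): it walks a synthesized template and reports every managed policy attached by `Ref` to a role whose tags the policy does not carry, treating a missing `Tags` property as no tags. The template, logical ids and tag values are constructed for the example.

```python
import json

# Constructed sample of a synthesized template: a tagged role whose inline
# policy spilled over into a customer managed policy emitted without tags.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "IamRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": "Quality_Assurance",
                "Tags": [{"Key": "Owner", "Value": "qa"}],
                "Policies": [{"PolicyName": "inline", "PolicyDocument": {}}],
            },
        },
        "OverflowPolicy1": {  # constructed logical id for the spillover policy
            "Type": "AWS::IAM::ManagedPolicy",
            "Properties": {
                "PolicyDocument": {"Version": "2012-10-17", "Statement": []},
                "Roles": [{"Ref": "IamRole"}],
            },
        },
    }
})

def tags_of(props):
    """Return {Key: Value} from a CloudFormation Tags list (missing -> empty)."""
    return {t["Key"]: t["Value"] for t in props.get("Tags", [])}

def find_untagged_spillover(template_json):
    """Return (policy_id, role_id, missing_keys) for each managed policy that is
    attached to a role by Ref but lacks one or more of that role's tags."""
    resources = json.loads(template_json).get("Resources", {})
    findings = []
    for pid, res in resources.items():
        if res.get("Type") != "AWS::IAM::ManagedPolicy":
            continue
        props = res.get("Properties", {})
        policy_tags = tags_of(props)
        for ref in props.get("Roles", []):
            role_id = ref.get("Ref") if isinstance(ref, dict) else None
            role = resources.get(role_id, {})
            if role.get("Type") != "AWS::IAM::Role":
                continue
            role_tags = tags_of(role.get("Properties", {}))
            missing = sorted(k for k, v in role_tags.items() if policy_tags.get(k) != v)
            if missing:
                findings.append((pid, role_id, missing))
    return findings

if __name__ == "__main__":
    for pid, rid, keys in find_untagged_spillover(SAMPLE_TEMPLATE):
        print(f"{pid}: attached to {rid} but missing tags {keys}")
```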