-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unable to build multi-principal Policy with Role #1201
Comments
This is indeed a limitation. Technically we can provide an implementation of @ijcd can you share a bit more details about your use case? Why do you need this? |
Thanks @eamonnfaherty, exactly what I was after. |
Is there any progress in this issue? I do also need this feature to connect my API Gateway directly to an DynmoDB Table. 😥 |
@deen13 PR pending |
To be honest for the example I specified I would like to see that working via a construct. Generally, allowing a role to be assumed by two services is a sign that the author is breaking least privileged principle. |
@deen13 can you provide some reference to your use case please? |
https://github.com/eamonnfaherty Nevertheless, we rather not be opinionated in the low level IAM library. Higher level AWS constructs synthesize policies based on least privilege but if users want to define less restrictive policies for some reason they should be able to do that with the CDK. |
Fair enough. |
Relax constraint on IAM policy statement principals such that multiple principal types can be used in a statement. Also, the `CompositePrincipal` class can be use to construct `PolicyPrincipal`s that consist of multiple principal types (without conditions) Backfill missing addXxxPrincipal methods. Deprecate (soft) `Anyone` in favor of `AnyPrincipal`. Fixes #1201
According to #1377, the way to do this is by using a E.g. In Python:
|
@eladb Use case system manager automation document. Here the example provides ssm and ec2 service principals. It's also in the Systems Manager user guide. I also was only able to resolve this by searching and finding this Github issue. It would be easier if this was better documented in the docs itself for assumed_by in Role. |
Another example:
|
Node example for a lambda@edge
|
Hello 👋 Disclaimer: I stumbled over the following problem during working on one of our projects. During the
This was definitely unexpected, with locking on the synthesized code and the already deployed IAM policy it became clear that the AWS CDK produced trust relationship policy is valid but highly inefficient because it generated for each user a new policy statement! Example Code:
Of course, the AWS CDK code produces way more characters for producing the same result! There is no (at least I did not found any other) way to solve this issue with AWS CDK "tools". The only valid method to create an assumeBy policy statement with more than one principle is to use the iam.CompositePrincipal method which causes the above-mentioned behavior.
|
I am trying to create a role with the following policy document:
The problem, however, is that the Role construct only takes a single entity for
assumedBy
.I tried pulling out the
assumeRolePolicy
but itsstatements
member is private, and that would involve digging around in thestatements
array anyway.This workaround produces a role/policy/trust setup that collapses to the same interpretation, but the resulting document is not the same.
The resulting document is this:
The text was updated successfully, but these errors were encountered: