-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
(aws-iam): (importedRoleStackSafeDefaultPolicyName Feature flag generates Policy names that are over 128 characters) #24441
Comments
Thank you for your report. I guess we probably need to trim the policy name with cdk.Names.UniqueResourceName() with maxLength property specified. Making this a p2 bug and any PR submission would be appreciated! |
Closing as duplicate of #27409 |
|
… in excessively long IAM policy names (#27548) When the importedRoleStackSafeDefaultPolicyName feature flag is enabled, the method to calculate the IAM Policy Name within `aws_iam.ImportedRole.addToPrincipalPolicy()` changes. Specifically, if the generated IAM Policy Name exceeds the maximum allowed length of 128 characters, it will be truncated using `Names.uniqueResourceName()`. Previously, the `Names.UniqueId()` method was used to generate the Policy Name. This method does not allow you to set a maximum length, so if the name exceeded the limit, it would be overwritten using `Names.uniqueResourceName()`—a function that allows for length specification. I considered replacing `Names.UniqueId()` entirely with `Names.uniqueResourceName()`. However, this is on hold due to concerns that existing Policy Names could be affected. If a complete replacement poses no issues, your guidance is appreciated, as I'm not fully versed in the logic behind these methods. Closes #27409 , #24441 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
… in excessively long IAM policy names (aws#27548) When the importedRoleStackSafeDefaultPolicyName feature flag is enabled, the method to calculate the IAM Policy Name within `aws_iam.ImportedRole.addToPrincipalPolicy()` changes. Specifically, if the generated IAM Policy Name exceeds the maximum allowed length of 128 characters, it will be truncated using `Names.uniqueResourceName()`. Previously, the `Names.UniqueId()` method was used to generate the Policy Name. This method does not allow you to set a maximum length, so if the name exceeded the limit, it would be overwritten using `Names.uniqueResourceName()`—a function that allows for length specification. I considered replacing `Names.UniqueId()` entirely with `Names.uniqueResourceName()`. However, this is on hold due to concerns that existing Policy Names could be affected. If a complete replacement poses no issues, your guidance is appreciated, as I'm not fully versed in the logic behind these methods. Closes aws#27409 , aws#24441 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Describe the bug
I am using the CrossZoneDelegation construct to delegate between 2 hosted Zones that are in different accounts. When I use the importedRoleStackSafeDefaultPolicyName feature flag the policy names that are generated that contain the path are targer than 128 characters which causes the stack to fail to deploy.
Expected Behavior
The policy names need to be trimmed to fit within 128 characters when using this feature flag.
Current Behavior
Adding the full construct path to the policy can lead to the polices becoming too to large.
Reproduction Steps
Possible Solution
Additional Information/Context
No response
CDK CLI Version
2.66.0
Framework Version
No response
Node.js Version
16
OS
Amazon Linux 2
Language
Typescript
Language Version
4.9.5
Other information
No response
The text was updated successfully, but these errors were encountered: