@aws-cdk/aws-iam: ServicePrincipal generates an invalid principal in policy, MalformedPolicyDocument
What is the problem?
While creating a role with a principal, the default region is used (the region from the stack) or a specified region. That generates a regional principal endpoint, which looks like it is not the case for SSM and other services, I suppose. That makes the CloudFormation process fail, stating that it is an invalid IAM principal in the policy.
I'm opening this in @aws-cdk/aws-iam, where I found the issue, but maybe this is a CloudFormation issue or an incompatibility?
Reproduction Steps
const lambdaRole = new iam.Role(this.scope, 'MyRole', {
  assumedBy: new iam.ServicePrincipal('ssm.amazonaws.com'),
  roleName: 'my-role',
});
Generated CloudFormation:
{
  "MyRoleA6F33B68": {
    "Type": "AWS::IAM::Role",
    "Properties": {
      "AssumeRolePolicyDocument": {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": {
                "Fn::Join": [
                  "",
                  [
                    "ssm.",
                    {
                      "Ref": "AWS::Region"
                    },
                    ".amazonaws.com"
                  ]
                ]
              }
            }
          }
        ],
        "Version": "2012-10-17"
      }
    }
  }
}
What did you expect to happen?
Successful deployment with cdk deploy
What actually happened?
cdk deploy
UPDATE_FAILED | Invalid principal in policy: "SERVICE":"ssm.eu-west-1.amazonaws.com" (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 5763050d-c789-49ef-b7d7-9e80a62f0e9e; Proxy: null)
CDK CLI Version
1.133.0
Framework Version
No response
Node.js Version
v14.15.4
OS
MacOs Monterey 12.0.1 (21A559)
Language
Typescript
Language Version
Typescript (4.5.2)
Other information
There is a workaround for that:
const lambdaRole = new iam.Role(this.scope, 'MyRole', {
  assumedBy: new iam.ServicePrincipal('ssm.amazonaws.com'),
  roleName: 'my-role',
});
const lambdaRoleAsCfn = lambdaRole.node.defaultChild as iam.CfnRole;
// Workaround: Invalid principal in policy: "SERVICE":"ssm.eu-west-1.amazonaws.com" (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument;
// eslint-disable-next-line max-len
lambdaRoleAsCfn.addOverride('Properties.AssumeRolePolicyDocument.Statement.0.Principal.Service', 'ssm.amazonaws.com');
With this, the deployment works.
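As an added example (not code from the issue or from the CDK project), the following TypeScript lint walks a synthesized CloudFormation template, such as the output of `cdk synth`, and reports every IAM role whose trust-policy service principal is regionalized: either a literal `<service>.<region>.amazonaws.com` or the `Fn::Join` with `{"Ref": "AWS::Region"}` shown above, which it renders as `ssm.${AWS::Region}.amazonaws.com`. For each finding it suggests the region-free value to pass to the `addOverride` workaround. It has no CDK dependency; the template it checks is a constructed sample built from the fragment above, and the regular expression for region labels is an assumption about the region naming scheme. Some services do use regional principals legitimately (logs.<region>.amazonaws.com, for instance), so findings are review items rather than hard failures.

```typescript
// Added example, not code from the issue or from the CDK project: a pre-deploy
// lint over a synthesized CloudFormation template that flags IAM role trust
// policies whose Principal.Service is regionalized, either as a literal
// "<service>.<region>.amazonaws.com" or as the Fn::Join that splices in
// {"Ref": "AWS::Region"}. IAM rejects that form for ssm.amazonaws.com.

type Json = null | boolean | number | string | Json[] | { [k: string]: Json };
type JsonObject = { [k: string]: Json };

interface Finding {
  logicalId: string;  // the AWS::IAM::Role resource that carries the principal
  rendered: string;   // principal with "${AWS::Region}" standing in for the Ref
  suggestion: string; // region-free value to use in the addOverride workaround
}

function asObject(v: Json | undefined): JsonObject | null {
  return v !== null && v !== undefined && typeof v === 'object' && !Array.isArray(v) ? v : null;
}

// Render one Principal.Service element to a string. An empty-separator Fn::Join
// and {"Ref": "AWS::Region"} are the only intrinsics the CDK emits here; anything
// else (a Ref to a parameter, say) cannot be judged statically and is skipped.
function renderService(value: Json): string | null {
  if (typeof value === 'string') return value;
  const obj = asObject(value);
  if (obj === null) return null;
  if (obj.Ref === 'AWS::Region') return '${AWS::Region}';
  const join = obj['Fn::Join'];
  if (!Array.isArray(join) || join.length !== 2 || join[0] !== '') return null;
  const pieces = join[1];
  if (!Array.isArray(pieces)) return null;
  const parts = pieces.map(renderService);
  return parts.indexOf(null) === -1 ? parts.join('') : null;
}

// Assumed region naming scheme: "<service>.<region>.amazonaws.com" where the region
// label is either the AWS::Region placeholder or e.g. eu-west-1 / us-gov-west-1.
const REGIONAL = /^([a-z0-9-]+)\.(\$\{AWS::Region\}|[a-z]{2}(?:-gov|-iso[a-z]?)?-[a-z]+-\d)\.amazonaws\.com$/;

function isRegionalServicePrincipal(principal: string): boolean {
  return REGIONAL.test(principal);
}

// "ssm.eu-west-1.amazonaws.com" -> "ssm.amazonaws.com"; other input is returned unchanged.
function toGlobalServicePrincipal(principal: string): string {
  const m = REGIONAL.exec(principal);
  return m ? `${m[1]}.amazonaws.com` : principal;
}

// Walk every AWS::IAM::Role's AssumeRolePolicyDocument and collect regional principals.
function findRegionalServicePrincipals(template: Json): Finding[] {
  const findings: Finding[] = [];
  const resources = asObject(asObject(template)?.Resources);
  if (resources === null) return findings;
  for (const logicalId of Object.keys(resources)) {
    const res = asObject(resources[logicalId]);
    if (res === null || res.Type !== 'AWS::IAM::Role') continue;
    const doc = asObject(asObject(res.Properties)?.AssumeRolePolicyDocument);
    const stmts = doc?.Statement;
    // Statement may be a single object or an array of them.
    const list: Json[] = Array.isArray(stmts) ? stmts : stmts === undefined ? [] : [stmts];
    for (const stmt of list) {
      const service = asObject(asObject(stmt)?.Principal)?.Service;
      if (service === undefined) continue;
      // Service may likewise be one value or a list of values.
      const elements: Json[] = Array.isArray(service) ? service : [service];
      for (const el of elements) {
        const rendered = renderService(el);
        if (rendered !== null && isRegionalServicePrincipal(rendered)) {
          findings.push({ logicalId, rendered, suggestion: toGlobalServicePrincipal(rendered) });
        }
      }
    }
  }
  return findings;
}

// Constructed sample: the template fragment from the issue wrapped in a Resources
// block, plus a second role with an already-global principal for contrast.
const SAMPLE_TEMPLATE: Json = {
  Resources: {
    MyRoleA6F33B68: {
      Type: 'AWS::IAM::Role',
      Properties: {
        AssumeRolePolicyDocument: {
          Statement: [{
            Action: 'sts:AssumeRole',
            Effect: 'Allow',
            Principal: { Service: { 'Fn::Join': ['', ['ssm.', { Ref: 'AWS::Region' }, '.amazonaws.com']] } },
          }],
          Version: '2012-10-17',
        },
      },
    },
    GlobalRole: {
      Type: 'AWS::IAM::Role',
      Properties: {
        AssumeRolePolicyDocument: {
          Statement: [{ Action: 'sts:AssumeRole', Effect: 'Allow', Principal: { Service: 'lambda.amazonaws.com' } }],
          Version: '2012-10-17',
        },
      },
    },
  },
};

const SAMPLE_FINDINGS = findRegionalServicePrincipals(SAMPLE_TEMPLATE);
for (const f of SAMPLE_FINDINGS) {
  console.log(`${f.logicalId}: ${f.rendered} -> override with ${f.suggestion}`);
}
```

Run it against the JSON written by `cdk synth` instead of the constructed sample to catch the regional principal before `cdk deploy` reaches IAM; each finding names the logical ID to apply the `addOverride` workaround to and the region-free value to use.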
Top GitHub Comments
I couldn’t use the region-info override in Python either.
I could have been doing it totally wrong, but I couldn't figure out how to create an object that implemented the IFACT protocol, so I created my own class (doco) and passed in an object from that class instead. This passed syntax checks but didn't work. In the end I used an escape hatch which looks ugly but works.
This worked for me: