
aws-iam: Allow `string | string[]` in FederatedPrincipal assumeRoleAction


Allow `string | string[]` as the `assumeRoleAction` of `FederatedPrincipal`.

This is required when using Cognito with principal tag mapping (session tags derived from the user's claims).

Use Case

AWS has a brief video explaining the use case here: https://www.youtube.com/watch?v=tAUmz94O2Qo

The use case is that, once a Cognito user from a user pool is authenticated, their claims can be forwarded as session tags into the policy document to allow fine-grained access control, e.g.

    import { Effect, PolicyStatement } from "@aws-cdk/aws-iam";

    /**
     * Policy that enables a tenant to access their entire org's data.
     * The `org` session tag is set from the user's Cognito claims, so the
     * partition key prefix a caller may read is tied to their own org.
     */
    const tenantPolicy = new PolicyStatement({
      sid: "AllowPrecedingKeysToDynamoDBOrganisation",
      effect: Effect.ALLOW,
      actions: [
        "dynamodb:GetItem",
        "dynamodb:Query"
      ],
      resources: [
        table.tableArn
      ],
      conditions: {
        "ForAllValues:StringLike": {
          "dynamodb:LeadingKeys": [
            "${aws:PrincipalTag/org}#*"
          ]
        }
      },
    });

In order to deploy `FederatedPrincipal` policies via `@aws-cdk/aws-iam` that use both `sts:TagSession` and `sts:AssumeRoleWithWebIdentity`, this workaround is currently required:

    import * as iam from "@aws-cdk/aws-iam";

    const role = new iam.Role(this, "IdentityPoolAuthRole", {
      assumedBy: new iam.FederatedPrincipal(
        "cognito-identity.amazonaws.com",
        {
          // Only identities from this identity pool may assume the role.
          StringEquals: {
            "cognito-identity.amazonaws.com:aud": identityPool.ref,
          },
          // Only authenticated (not guest) identities.
          "ForAnyValue:StringLike": {
            "cognito-identity.amazonaws.com:amr": "authenticated",
          },
        },
        // Workaround: the constructor's type only accepts a string, so the
        // array is cast and the type error suppressed. The synthesized trust
        // policy still receives both actions.
        // @ts-ignore
        [
          "sts:AssumeRoleWithWebIdentity",
          "sts:TagSession"
        ] as string
      ),
    });

The underlying base principal supports `this.assumeRoleAction` being set to a string array, but the allowed types have been restricted on the child class:

https://github.com/aws/aws-cdk/blob/fdce08cee6f0eb58aad93572641a1dd4b59e8d37/packages/%40aws-cdk/aws-iam/lib/principals.ts#L426-L442

Proposed Solution

https://github.com/aws/aws-cdk/blob/fdce08cee6f0eb58aad93572641a1dd4b59e8d37/packages/%40aws-cdk/aws-iam/lib/principals.ts#L427

is updated to

    public readonly assumeRoleAction: string | string[];
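To make the change concrete, here is an added example (not aws-cdk's own code) that models how a federated trust-policy statement is assembled once `assumeRoleAction` accepts `string | string[]`, together with a check a reviewer can run over synthesized output: a policy that keys on `aws:PrincipalTag/...` is only meaningful if the trust policy also grants `sts:TagSession`. The helper names, the `<identity-pool-id>` placeholder and the sample policy are constructed for this example.

```typescript
type Conditions = Record<string, Record<string, string | string[]>>;

interface TrustStatement {
  Effect: "Allow";
  Principal: { Federated: string };
  Action: string | string[];
  Condition?: Conditions;
}

// Hypothetical helper mirroring the shape of the statement CDK emits for a
// FederatedPrincipal; it is not the library's implementation.
function federatedTrustStatement(
  federated: string,
  conditions: Conditions,
  assumeRoleAction: string | string[] = "sts:AssumeRole",
): TrustStatement {
  const actions = Array.isArray(assumeRoleAction) ? assumeRoleAction : [assumeRoleAction];
  // De-duplicate; keep the compact single-string form when only one action remains.
  const unique = Array.from(new Set(actions));
  return {
    Effect: "Allow",
    Principal: { Federated: federated },
    Action: unique.length === 1 ? unique[0] : unique,
    Condition: conditions,
  };
}

// Review check: any policy relying on session tags needs sts:TagSession in the
// trust policy, otherwise the tag-based condition can never be satisfied.
function sessionTagsTrusted(trust: TrustStatement, policyJson: string): boolean {
  const needsTags = policyJson.includes("aws:PrincipalTag/");
  const actions = Array.isArray(trust.Action) ? trust.Action : [trust.Action];
  return !needsTags || actions.includes("sts:TagSession");
}

// Constructed input modelled on the issue's Cognito role.
const cognitoTrust = federatedTrustStatement(
  "cognito-identity.amazonaws.com",
  {
    StringEquals: { "cognito-identity.amazonaws.com:aud": "<identity-pool-id>" },
    "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "authenticated" },
  },
  ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"],
);

// Constructed stand-in for the tenant policy's condition block.
const tenantPolicyJson = JSON.stringify({
  Condition: { "ForAllValues:StringLike": { "dynamodb:LeadingKeys": ["${aws:PrincipalTag/org}#*"] } },
});
```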

Other

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

Issue Analytics

  • State:closed
  • Created 2 years ago
  • Comments:6 (3 by maintainers)

Top GitHub Comments

1 reaction
simonireilly commented, Nov 14, 2021

@simonireilly Any ETA on the PR and release that fixes this issue? We currently need this functionality in our project and are using the workaround proposed here

PR is open, awaiting comments: https://github.com/aws/aws-cdk/pull/16725

It’s a fix, but not ideal. I think the other option is to rewrite the entire IPrincipal to take a string[] instead of string in assume role action and publish under a feature flag.

Awaiting comments for @rix0rrr

0 reactions
Dachmian commented, Dec 16, 2021

Much obliged🙌
