(iam): composite principal not synthesizing correctly

What is the problem?

Behavior as of v2.4 (or maybe v2.5): instead of composite principals synthesizing to a list, a separate statement is made for each. This can result in overflow of quota for the max number of trust principals policy length with enough principals.

Reproduction Steps

iam.Role(
    self,
    id="role_id",
    assumed_by=iam.CompositePrincipal(
        # "<ARN #n>" are placeholders for the principal ARNs
        iam.ArnPrincipal("<ARN #1>"),
        iam.ArnPrincipal("<ARN #2>"),
        iam.ArnPrincipal("<ARN #3>"),
    ),
    max_session_duration=1,
    role_name="MyCompositeTrust"
)

What did you expect to happen?

Trust policy looks like this:

{
    "Action": "sts:AssumeRole",
    "Effect": "Allow",
    "Principal": {"AWS": [iam.ArnPrincipal #1, iam.ArnPrincipal #2, iam.ArnPrincipal #3]}
}

What actually happened?

Trust policy looks like this:

{
    "Action": "sts:AssumeRole",
    "Effect": "Allow",
    "Principal": {"AWS": iam.ArnPrincipal #1}
},
{
    "Action": "sts:AssumeRole",
    "Effect": "Allow",
    "Principal": {"AWS": iam.ArnPrincipal #2}
},
{
    "Action": "sts:AssumeRole",
    "Effect": "Allow",
    "Principal": {"AWS": iam.ArnPrincipal #3}
}

CDK CLI Version

2.10.0 (build e5b301f)

Framework Version

No response

Node.js Version

v14.17.1

OS

Mac 12.0.1

Language

Python

Language Version

Python 3.9.9

Other information

Since there is a fairly low quota on the max statements in a trust policy, this breaks very easily with a decent amount of trust principals.

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Reactions: 1
  • Comments: 9 (4 by maintainers)

Top GitHub Comments

4 reactions
ryparker commented, Feb 1, 2022

Hey @juweeks 👋🏻 Thanks for reporting this.

We’re aware of the shortcomings in policy generation and are working hard to resolve this.

Related: #18167 #18293 #16350 #18457

1 reaction
rix0rrr commented, Feb 23, 2022

This is indeed a change that’s coming from a code change we recently released. It will not cause any difference in behavior though, the two policy document forms are equivalent. Your principal is not lost, it’s just somewhere else.
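
Added example (not from the issue or the CDK code base): a check that can be run over a synthesized trust policy to collapse statements differing only in `Principal` into the list form the reporter expected, and to compare both forms against the trust policy length quota. The ARNs are constructed placeholders, the function names are hypothetical, and the 2,048-character default quota is an assumption to adjust for your account.

```python
import json

# Assumed default IAM quota for role trust policy length, in characters
# (whitespace is not counted); pass a different value if yours was raised.
TRUST_POLICY_QUOTA = 2048

def merge_trust_statements(statements):
    """Collapse statements that differ only in Principal into one statement."""
    groups, passthrough = {}, []
    for stmt in statements:
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            passthrough.append(stmt)  # e.g. "Principal": "*" or NotPrincipal
            continue
        rest = {k: v for k, v in stmt.items() if k != "Principal"}
        key = json.dumps(rest, sort_keys=True)  # same Effect/Action/Condition
        bucket = groups.setdefault(key, (rest, {}))[1]
        for ptype, values in principal.items():
            values = values if isinstance(values, list) else [values]
            bucket.setdefault(ptype, set()).update(values)
    merged = []
    for rest, principals in groups.values():
        principal = {t: sorted(v) if len(v) > 1 else next(iter(v))
                     for t, v in sorted(principals.items())}
        merged.append({**rest, "Principal": principal})
    return merged + passthrough

def policy_length(statements):
    """Length of the policy document with insignificant whitespace removed."""
    doc = {"Version": "2012-10-17", "Statement": statements}
    return len(json.dumps(doc, separators=(",", ":")))

def over_quota(statements, quota=TRUST_POLICY_QUOTA):
    return policy_length(statements) > quota

def split_form(arns):
    """One statement per principal, the shape reported in the issue."""
    return [{"Action": "sts:AssumeRole", "Effect": "Allow",
             "Principal": {"AWS": arn}} for arn in arns]

if __name__ == "__main__":
    # Constructed placeholder ARNs, not taken from the issue.
    arns = [f"arn:aws:iam::111111111111:role/example-{i:02d}" for i in range(30)]
    split = split_form(arns)
    merged = merge_trust_statements(split)
    print(len(split), policy_length(split), over_quota(split))
    print(len(merged), policy_length(merged), over_quota(merged))
```

Statements with different `Condition`, `Action`, `Effect` or `Sid` values are left separate, since merging them would change who is trusted under which conditions.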
