(iam): composite principal not synthesizing correctly
See original GitHub issue

What is the problem?
Behavior as of v2.4 (or maybe v2.5): instead of composite principals synthesizing to a list, a separate statement is made for each. This can result in overflowing the quota for the max number of trust principals / policy length with enough principals.
Reproduction Steps
```python
from aws_cdk import Duration, aws_iam as iam

# Placeholder ARNs stand in for the reporter's "iam.ArnPrincipal #1..#3";
# this runs inside a Stack (self is the scope).
iam.Role(
    self,
    id="role_id",
    assumed_by=iam.CompositePrincipal(
        iam.ArnPrincipal("arn:aws:iam::111111111111:role/Caller1"),
        iam.ArnPrincipal("arn:aws:iam::111111111111:role/Caller2"),
        iam.ArnPrincipal("arn:aws:iam::111111111111:role/Caller3"),
    ),
    max_session_duration=Duration.hours(1),  # Python CDK takes a Duration, not a bare int
    role_name="MyCompositeTrust",
)
```
What did you expect to happen?
Trust policy looks like this (placeholder ARNs in place of "iam.ArnPrincipal #1..#3"):
```json
{
  "Action": "sts:AssumeRole",
  "Effect": "Allow",
  "Principal": {
    "AWS": [
      "arn:aws:iam::111111111111:role/Caller1",
      "arn:aws:iam::111111111111:role/Caller2",
      "arn:aws:iam::111111111111:role/Caller3"
    ]
  }
}
```
What actually happened?
Trust policy looks like this (three statements instead of one):
```json
{
  "Action": "sts:AssumeRole",
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111111111111:role/Caller1"}
},
{
  "Action": "sts:AssumeRole",
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111111111111:role/Caller2"}
},
{
  "Action": "sts:AssumeRole",
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111111111111:role/Caller3"}
}
```
CDK CLI Version
2.10.0 (build e5b301f)
Framework Version
No response
Node.js Version
v14.17.1
OS
Mac 12.0.1
Language
Python
Language Version
Python 3.9.9
Other information
Since there is a fairly low quota on the max statements in a trust policy, this breaks very easily with a decent number of trust principals.
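To make the size argument concrete, here is an added example (my own code, not the CDK project's) that builds the per-statement form the reporter observed, collapses it back into the single list-valued statement they expected, and measures both against IAM's default role trust policy quota of 2048 characters (adjustable up to 4096; IAM does not count whitespace). The ARNs are constructed placeholders, and the merge helper is a generic statement-folding routine, not the CDK's own implementation.

```python
"""Added example (not CDK project code): compare the two trust-policy forms.

One statement per principal costs roughly 100 characters of policy text each,
while a single statement with a list-valued Principal costs only the ARN per
extra principal. TRUST_POLICY_MAX_CHARS is the IAM default quota for a role
trust policy, counted without whitespace. ARNs are constructed placeholders.
"""
import json
from typing import Any, Dict, List

TRUST_POLICY_MAX_CHARS = 2048  # IAM default quota for role trust policy length


def sample_arns(n: int) -> List[str]:
    """Constructed placeholder role ARNs with distinct fake 12-digit account IDs."""
    return [f"arn:aws:iam::{100000000000 + i:012d}:role/Caller{i}" for i in range(n)]


def per_statement_policy(principal_arns: List[str]) -> Dict[str, Any]:
    """The form the reporter observed: one Allow sts:AssumeRole statement per principal."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Action": "sts:AssumeRole", "Effect": "Allow", "Principal": {"AWS": arn}}
            for arn in principal_arns
        ],
    }


def _merge_key(stmt: Dict[str, Any]) -> str:
    """Canonical form of everything except Principal; statements with equal keys may merge."""
    rest = {k: v for k, v in stmt.items() if k != "Principal"}
    return json.dumps(rest, sort_keys=True, separators=(",", ":"))


def merge_principals(policy: Dict[str, Any]) -> Dict[str, Any]:
    """Collapse statements that differ only in Principal into one list-valued statement.

    Merging is only valid when Effect, Action, Condition and every other field are
    identical, so those decide the grouping. Statements with NotPrincipal or a
    non-object Principal (e.g. "*") are passed through unchanged, in original order.
    """
    slots: List[Dict[str, Any]] = []
    groups: Dict[str, Dict[str, Any]] = {}
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal")
        if "NotPrincipal" in stmt or not isinstance(principal, dict):
            slots.append(dict(stmt))
            continue
        key = _merge_key(stmt)
        group = groups.get(key)
        if group is None:
            group = {k: v for k, v in stmt.items() if k != "Principal"}
            group["Principal"] = {}
            groups[key] = group
            slots.append(group)
        for ptype, values in principal.items():  # "AWS", "Service", "Federated", ...
            bucket = group["Principal"].setdefault(ptype, [])
            for value in (values if isinstance(values, list) else [values]):
                if value not in bucket:  # dedupe, keep first-seen order
                    bucket.append(value)
    for group in groups.values():  # a single entry renders as a scalar, as IAM does
        group["Principal"] = {t: (v[0] if len(v) == 1 else v) for t, v in group["Principal"].items()}
    return {**policy, "Statement": slots}


def policy_size(policy: Dict[str, Any]) -> int:
    """IAM ignores whitespace when sizing a policy, so measure the compact serialisation."""
    return len(json.dumps(policy, separators=(",", ":")))


def fits_quota(policy: Dict[str, Any], limit: int = TRUST_POLICY_MAX_CHARS) -> bool:
    return policy_size(policy) <= limit


if __name__ == "__main__":
    for n in (3, 10, 20, 40):
        split = per_statement_policy(sample_arns(n))
        merged = merge_principals(split)
        print(f"{n:3d} principals: per-statement {policy_size(split):5d} chars "
              f"(fits={fits_quota(split)}), merged {policy_size(merged):5d} chars "
              f"(fits={fits_quota(merged)})")
```

With these placeholder ARNs the per-statement form crosses the 2048-character default at around twenty principals, while the merged form stays well under it. The merge key deliberately includes Condition: two statements with different conditions must stay separate, which is the same reason a CompositePrincipal cannot carry conditions on its members.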
Issue Analytics
- Created 2 years ago
- Reactions: 1
- Comments: 9 (4 by maintainers)
Top GitHub Comments
Hey @juweeks 👋🏻 Thanks for reporting this.
We’re aware of the shortcomings in policy generation and are working hard to resolve this.
Related: #18167 #18293 #16350 #18457
This is indeed a change that's coming from a code change we recently released. It will not cause any difference in behavior though; the two policy document forms are equivalent. Your principal is not lost; it's just somewhere else.