
Unable to build multi-principal Policy with Role


I am trying to create a role with the following policy document:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "${aws_iam_role.eks_nodes.arn}",
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

The problem, however, is that the Role construct only takes a single entity for assumedBy.

// assumedBy accepts a single IPrincipal, so only one trusted entity can be given here
const defaultPodRole = new iam.Role(this, "default-pod-role", {
  roleName: "default",
  path: "/pods/",
  assumedBy: new iam.ServicePrincipal("ec2.amazonaws.com"),
});

I tried pulling out the assumeRolePolicy but its statements member is private, and that would involve digging around in the statements array anyway.

export declare class PolicyDocument extends Token {
    private readonly baseDocument?;
    private statements;

This workaround produces a role/policy/trust setup that collapses to the same interpretation, but the resulting document is not the same.

const role = new iam.Role(this, 'Role', {
  assumedBy: new iam.ServicePrincipal('ec2.amazonaws.com'),
});
// assumeRolePolicy is typed as optional, hence the guard
if (role.assumeRolePolicy) {
  role.assumeRolePolicy.addStatement(new iam.PolicyStatement()
    .addAccountRootPrincipal()
    .addAction('sts:AssumeRole'));
}

The resulting document is this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456123456:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
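Whether the two-statement output really matches the single-statement document can be checked mechanically. The following is an added example, not code from the issue or from aws-cdk; it assumes ${aws_iam_role.eks_nodes.arn} resolves to a constructed role ARN in account 123456123456, normalises each document to the set of principals allowed to assume the role, and flags the account-root entry, which trusts every identity in that account that holds sts:AssumeRole rather than the one role the original document named.

```typescript
// Added example, not code from the issue or from aws-cdk: normalise an IAM trust
// policy into the set of principals permitted to call sts:AssumeRole, so the
// single-statement form and the two-statement workaround can be compared.
type PrincipalMap = { AWS?: string | string[]; Service?: string | string[]; Federated?: string | string[] };
interface Statement { Effect: string; Principal: PrincipalMap | "*"; Action: string | string[] }
interface TrustPolicy { Version: string; Statement: Statement[] }

function asList(v: string | string[] | undefined): string[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

// True when an Action element grants sts:AssumeRole, directly or via a wildcard.
function grantsAssumeRole(action: string | string[]): boolean {
  return asList(action).some(a => a === "sts:AssumeRole" || a === "sts:*" || a === "*");
}

// Sorted "Type:value" entries for every principal an Allow statement lets assume the role.
function assumeRolePrincipals(doc: TrustPolicy): string[] {
  const out = new Set<string>();
  for (const st of doc.Statement) {
    if (st.Effect !== "Allow" || !grantsAssumeRole(st.Action)) continue;
    if (st.Principal === "*") { out.add("*:*"); continue; }
    for (const type of ["AWS", "Service", "Federated"] as const) {
      for (const v of asList(st.Principal[type])) out.add(`${type}:${v}`);
    }
  }
  return Array.from(out).sort();
}

// Wildcards, bare account IDs and account-root ARNs delegate the decision to the trusted
// account's own IAM policies: any identity there with sts:AssumeRole on this role may
// assume it, unlike a role ARN, which names exactly one caller.
function broadPrincipals(doc: TrustPolicy): string[] {
  return assumeRolePrincipals(doc).filter(p =>
    p === "*:*" || p === "AWS:*" || /^AWS:(\d{12}|arn:aws:iam::\d{12}:root)$/.test(p));
}

// Constructed inputs: the desired document with ${aws_iam_role.eks_nodes.arn} resolved to
// an assumed role ARN in account 123456123456, and the document the workaround produced.
const desired: TrustPolicy = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: "sts:AssumeRole",
    Principal: { AWS: "arn:aws:iam::123456123456:role/eks_nodes", Service: "ec2.amazonaws.com" } }],
};
const workaround: TrustPolicy = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Principal: { Service: "ec2.amazonaws.com" }, Action: "sts:AssumeRole" },
    { Effect: "Allow", Principal: { AWS: "arn:aws:iam::123456123456:root" }, Action: "sts:AssumeRole" },
  ],
};
```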

Top GitHub Comments

28 reactions
alastairmccormack commented, Oct 9, 2019

According to https://github.com/aws/aws-cdk/pull/1377, the way to do this is by using a CompositePrincipal object. (Surely changing Role.assumed_by to accept a list or adding a new method to Role would’ve been more obvious).

E.g. In Python:

pipeline_role = aws_iam.Role(
    scope=self, id=f'pipeline-role',
    role_name='pipeline',
    assumed_by=aws_iam.CompositePrincipal(
        aws_iam.ServicePrincipal('datapipeline.amazonaws.com'),
        aws_iam.ServicePrincipal('elasticmapreduce.amazonaws.com')
    )
)
4 reactions
ajhool commented, Jan 28, 2021

Node example for a lambda@edge

const someLambdaRole = new Role(this, 'someLambdaRole', {
  assumedBy: new CompositePrincipal(
    new ServicePrincipal("lambda"),
    new ServicePrincipal("edgelambda"),
  ),
});
