alextwoods (Contributor) commented Jan 7, 2026

Allow unquoted AWS account ids in IAM Policies

Motivation and Context

IAM Policies with unquoted (numeric) AWS account ids are considered valid by IAM and work as intended; however, our existing IAM Policy reader/validation considers these invalid. Additionally, IAM considers unquoted boolean values in conditions valid, but these are also rejected by the current SDK validation.

Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html

Modifications

  • Allow unquoted accountIds and booleans in limited contexts.

This PR loosens validations in the limited contexts where either unquoted account ids or booleans may appear and be valid; these are limited to Principals and Conditions only. Principals may have unquoted account ids, and Conditions may have unquoted account ids and booleans.

Note that although AWS account ids may have leading zeros, IAM will reject Policy Documents with unquoted account ids with leading zeros: these are invalid JSON and are not supported, and server-side validation rejects them. Policy documents with these will still be considered invalid by the SDK reader.

Testing

New and existing unit tests.

Screenshots (if appropriate)

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)

Checklist

  • I have read the CONTRIBUTING document
  • Local run of mvn install succeeds
  • My code follows the code style of this project
  • I have added tests to cover my changes
  • All new and existing tests passed
  • I have added a changelog entry. Adding a new entry must be accomplished by running the scripts/new-change script and following the instructions. Commit the new file created by the script in .changes/next-release with your changes.

License

  • I confirm that this pull request can be released under the Apache 2 license
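The loosened validation described in this PR, as an added Python example that is not the SDK's own policy reader: it accepts unquoted 12-digit account ids under Principal and Condition and unquoted booleans only under Condition, rejects them anywhere else, and leaves leading-zero numbers to the JSON parser, which rejects them as invalid JSON. The sample policy is constructed, and the 12-digit range check is an assumption of this example, not something the PR states the SDK does.

```python
import json

# Constructed sample policy: an unquoted account id in Principal plus an
# unquoted account id and an unquoted boolean in Condition (IAM accepts all three).
SAMPLE_POLICY = """{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Principal": {"AWS": 123456789012},
  "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
  "Condition": {"Bool": {"aws:SecureTransport": true},
                "StringEquals": {"aws:SourceAccount": 123456789012}}}]}"""

def _check_scalar(value, path, allow_number, allow_bool, errors):
    """Strings are always fine; numbers and booleans only where allowed."""
    if isinstance(value, str):
        return
    if isinstance(value, bool):  # check before int: bool is an int subclass
        if not allow_bool:
            errors.append(f"{path}: unquoted boolean not allowed here")
    elif isinstance(value, int) and allow_number:
        # Assumed rule for this example: an unquoted id must be 12 digits.
        if not 100_000_000_000 <= value <= 999_999_999_999:
            errors.append(f"{path}: unquoted number is not a 12-digit account id")
    else:
        errors.append(f"{path}: expected a string, got {type(value).__name__}")

def _walk(node, path, allow_number, allow_bool, errors):
    """Recurse through objects and arrays, checking every leaf scalar."""
    if isinstance(node, dict):
        for key, val in node.items():
            _walk(val, f"{path}.{key}", allow_number, allow_bool, errors)
    elif isinstance(node, list):
        for i, val in enumerate(node):
            _walk(val, f"{path}[{i}]", allow_number, allow_bool, errors)
    else:
        _check_scalar(node, path, allow_number, allow_bool, errors)

def validate_policy(document):
    """Return a list of errors; an empty list means the document is accepted.
    Unquoted ids with leading zeros never reach the checks: they are invalid
    JSON, so json.loads rejects them, matching IAM's server-side behaviour."""
    try:
        policy = json.loads(document)
    except json.JSONDecodeError as e:
        return [f"invalid JSON: {e.msg} at position {e.pos}"]
    errors = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        for key, val in stmt.items():
            number_ok = key in ("Principal", "Condition")  # unquoted ids allowed here
            _walk(val, f"Statement[{i}].{key}", number_ok, key == "Condition", errors)
    return errors
```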

alextwoods changed the title from "Alexwoo/fix iam policy validation" to "Allow unquoted account ids in IAM Policies" on Jan 7, 2026
alextwoods marked this pull request as ready for review on January 7, 2026 17:14
alextwoods requested a review from a team as a code owner on January 7, 2026 17:14