From 36fd79d8714bd29527bb1184ec10cd504b83510d Mon Sep 17 00:00:00 2001 From: Kip <134538209+kishiel@users.noreply.github.com> Date: Tue, 2 Apr 2024 16:16:18 -0500 Subject: [PATCH] fix(iam): grantAssumeRole silently fails with service and account principals (#29452) ### Issue #24507 ### Reason for this change grantAssumeRole silently fails if a Service Principal or Account Principal is used which led me to a false assumption about the correctness of a role's permission scope ### Description of changes This change will throw an error if a Service Principal is used. I was unable to find a way to accomplish the same behavior for Account Principals. Documentation was updated to help guide a user to the appropriate function usage for Service and Account Principals. ### Description of how you validated changes * Added a unit test * This change required me to re-run two unrelated snapshot tests which were throwing errors outside of the scope of this change. *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- ...efaultTestDeployAssert27007DC6.assets.json | 2 +- .../aws-cdk-iam-managed-policy.assets.json | 2 +- .../integ.managed-policy.js.snapshot/cdk.out | 2 +- .../integ.json | 2 +- .../manifest.json | 11 ++- .../tree.json | 76 +++++++-------- .../test/aws-iam/test/integ.managed-policy.ts | 1 + ...efaultTestDeployAssert274BB918.assets.json | 2 +- .../aws-cdk-iam-policy.assets.json | 6 +- .../aws-cdk-iam-policy.template.json | 28 ++++-- .../test/integ.policy.js.snapshot/cdk.out | 2 +- .../test/integ.policy.js.snapshot/integ.json | 2 +- .../integ.policy.js.snapshot/manifest.json | 12 ++- .../test/integ.policy.js.snapshot/tree.json | 94 +++++++++++++------ .../test/aws-iam/test/integ.policy.ts | 3 +- packages/aws-cdk-lib/aws-iam/README.md | 33 +++++++ packages/aws-cdk-lib/aws-iam/lib/role.ts | 6 +- .../aws-cdk-lib/aws-iam/test/role.test.ts | 32 ++++++- 18 files changed, 226 insertions(+), 90 deletions(-) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/ManagedPolicyIntegDefaultTestDeployAssert27007DC6.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/ManagedPolicyIntegDefaultTestDeployAssert27007DC6.assets.json index 8b1082c6e9e3e..7bd221a9030e9 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/ManagedPolicyIntegDefaultTestDeployAssert27007DC6.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/ManagedPolicyIntegDefaultTestDeployAssert27007DC6.assets.json @@ -1,5 +1,5 @@ { - "version": "34.0.0", + "version": "36.0.0", "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { "source": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/aws-cdk-iam-managed-policy.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/aws-cdk-iam-managed-policy.assets.json index e3634a40bb81e..a8d7c77ea7ee9 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/aws-cdk-iam-managed-policy.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/aws-cdk-iam-managed-policy.assets.json @@ -1,5 +1,5 @@ { - "version": "34.0.0", + "version": "36.0.0", "files": { "26f1836028ead2829dce663ff9f4b0c71fd9db149cb19a6c54ed9128e3e09120": { "source": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/cdk.out index 2313ab5436501..1f0068d32659a 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/cdk.out +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"34.0.0"} \ No newline at end of file +{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/integ.json index f9969fc9eec0c..16f5dbc2709ee 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/integ.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "34.0.0", + "version": "36.0.0", "testCases": { "ManagedPolicyInteg/DefaultTest": { "stacks": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/manifest.json index 002f00e8212b3..6f96e4a674236 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "34.0.0", + "version": "36.0.0", "artifacts": { "aws-cdk-iam-managed-policy.assets": { "type": "cdk:asset-manifest", @@ -69,6 +69,15 @@ "type": "aws:cdk:logicalId", "data": "CheckBootstrapVersion" } + ], + "MyUserDefaultPolicy7B897426": [ + { + "type": "aws:cdk:logicalId", + "data": "MyUserDefaultPolicy7B897426", + "trace": [ + "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" + ] + } ] }, "displayName": "aws-cdk-iam-managed-policy" diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/tree.json index 09406ac7403d9..08230dd699706 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/tree.json @@ -38,14 +38,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnUser", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.User", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "OneManagedPolicy": { @@ -56,8 +56,8 @@ "id": "ImportedOneManagedPolicy", "path": "aws-cdk-iam-managed-policy/OneManagedPolicy/ImportedOneManagedPolicy", "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Resource": { @@ -102,14 +102,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnManagedPolicy", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.ManagedPolicy", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "TwoManagedPolicy": { @@ -120,8 +120,8 @@ "id": "ImportedTwoManagedPolicy", "path": "aws-cdk-iam-managed-policy/TwoManagedPolicy/ImportedTwoManagedPolicy", "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Resource": { @@ -155,14 +155,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnManagedPolicy", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.ManagedPolicy", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Role": { @@ -173,8 +173,8 @@ "id": "ImportRole", "path": "aws-cdk-iam-managed-policy/Role/ImportRole", "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Resource": { @@ -213,44 +213,44 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "ImportedRole": { "id": "ImportedRole", "path": "aws-cdk-iam-managed-policy/ImportedRole", "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "BootstrapVersion": { "id": "BootstrapVersion", "path": "aws-cdk-iam-managed-policy/BootstrapVersion", "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "CheckBootstrapVersion": { "id": "CheckBootstrapVersion", "path": "aws-cdk-iam-managed-policy/CheckBootstrapVersion", "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "ManagedPolicyInteg": { @@ -277,22 +277,22 @@ "id": "BootstrapVersion", "path": "ManagedPolicyInteg/DefaultTest/DeployAssert/BootstrapVersion", "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "CheckBootstrapVersion": { "id": "CheckBootstrapVersion", "path": "ManagedPolicyInteg/DefaultTest/DeployAssert/CheckBootstrapVersion", "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, @@ -317,8 +317,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.App", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } } \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.ts index 09a466b8453b4..4633262a34cb7 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.ts @@ -25,6 +25,7 @@ user.addManagedPolicy(policy3); const role = new Role(stack, 'Role', { assumedBy: new AccountRootPrincipal() }); role.grantAssumeRole(policy.grantPrincipal); + Grant.addToPrincipal({ actions: ['iam:*'], resourceArns: [role.roleArn], grantee: policy2 }); policy.attachToRole(role); diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/PolicyIntegDefaultTestDeployAssert274BB918.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/PolicyIntegDefaultTestDeployAssert274BB918.assets.json index 1dea1009db69c..3466d1580639c 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/PolicyIntegDefaultTestDeployAssert274BB918.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/PolicyIntegDefaultTestDeployAssert274BB918.assets.json @@ -1,5 +1,5 @@ { - "version": "30.0.0", + "version": "36.0.0", "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { "source": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/aws-cdk-iam-policy.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/aws-cdk-iam-policy.assets.json index cafe95b93a4e6..1eb3b6a6cab5f 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/aws-cdk-iam-policy.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/aws-cdk-iam-policy.assets.json @@ -1,7 +1,7 @@ { - "version": "30.0.0", + "version": "36.0.0", "files": { - "d898a04332095cb0948a67a0182d64a7d0604bb19454a2ce9dcd09153e09bb59": { + "372105a2bc65630c0068c39309addd787e89ace7da989e014b511bd9d462be0a": { "source": { "path": "aws-cdk-iam-policy.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "d898a04332095cb0948a67a0182d64a7d0604bb19454a2ce9dcd09153e09bb59.json", + "objectKey": "372105a2bc65630c0068c39309addd787e89ace7da989e014b511bd9d462be0a.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/aws-cdk-iam-policy.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/aws-cdk-iam-policy.template.json index 39d726b0bea03..1621257587ce3 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/aws-cdk-iam-policy.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/aws-cdk-iam-policy.template.json @@ -3,16 +3,11 @@ "MyUserDC45028B": { "Type": "AWS::IAM::User" }, - "HelloPolicyD59007DF": { + "MyUserDefaultPolicy7B897426": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ - { - "Action": "sqs:SendMessage", - "Effect": "Allow", - "Resource": "*" - }, { "Action": "sts:AssumeRole", "Effect": "Allow", @@ -26,6 +21,27 @@ ], "Version": "2012-10-17" }, + "PolicyName": "MyUserDefaultPolicy7B897426", + "Users": [ + { + "Ref": "MyUserDC45028B" + } + ] + } + }, + "HelloPolicyD59007DF": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": "sqs:SendMessage", + "Effect": "Allow", + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, "PolicyName": "Default", "Users": [ { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/cdk.out index ae4b03c54e770..1f0068d32659a 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/cdk.out +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"30.0.0"} \ No newline at end of file +{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/integ.json index 9a843a137ca36..3c0a370f43539 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/integ.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "30.0.0", + "version": "36.0.0", "testCases": { "PolicyInteg/DefaultTest": { "stacks": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/manifest.json index 6bed1a5059a29..c3dd1773186d1 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "30.0.0", + "version": "36.0.0", "artifacts": { "aws-cdk-iam-policy.assets": { "type": "cdk:asset-manifest", @@ -14,10 +14,11 @@ "environment": "aws://unknown-account/unknown-region", "properties": { "templateFile": "aws-cdk-iam-policy.template.json", + "terminationProtection": false, "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/d898a04332095cb0948a67a0182d64a7d0604bb19454a2ce9dcd09153e09bb59.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/372105a2bc65630c0068c39309addd787e89ace7da989e014b511bd9d462be0a.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -39,6 +40,12 @@ "data": "MyUserDC45028B" } ], + "/aws-cdk-iam-policy/MyUser/DefaultPolicy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "MyUserDefaultPolicy7B897426" + } + ], "/aws-cdk-iam-policy/HelloPolicy/Resource": [ { "type": "aws:cdk:logicalId", @@ -85,6 +92,7 @@ "environment": "aws://unknown-account/unknown-region", "properties": { "templateFile": "PolicyIntegDefaultTestDeployAssert274BB918.template.json", + "terminationProtection": false, "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/tree.json index 5de3aa0868731..0fbd0593a5d5d 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/tree.json @@ -20,13 +20,57 @@ "aws:cdk:cloudformation:props": {} }, "constructInfo": { - "fqn": "@aws-cdk/aws-iam.CfnUser", + "fqn": "aws-cdk-lib.aws_iam.CfnUser", + "version": "0.0.0" + } + }, + "DefaultPolicy": { + "id": "DefaultPolicy", + "path": "aws-cdk-iam-policy/MyUser/DefaultPolicy", + "children": { + "Resource": { + "id": "Resource", + "path": "aws-cdk-iam-policy/MyUser/DefaultPolicy/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Policy", + "aws:cdk:cloudformation:props": { + "policyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "Role1ABCC5F0", + "Arn" + ] + } + } + ], + "Version": "2012-10-17" + }, + "policyName": "MyUserDefaultPolicy7B897426", + "users": [ + { + "Ref": "MyUserDC45028B" + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Policy", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-iam.User", + "fqn": "aws-cdk-lib.aws_iam.User", "version": "0.0.0" } }, @@ -46,16 +90,6 @@ "Action": "sqs:SendMessage", "Effect": "Allow", "Resource": "*" - }, - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "Role1ABCC5F0", - "Arn" - ] - } } ], "Version": "2012-10-17" @@ -69,13 +103,13 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-iam.CfnPolicy", + "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-iam.Policy", + "fqn": "aws-cdk-lib.aws_iam.Policy", "version": "0.0.0" } }, @@ -118,13 +152,13 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-iam.CfnPolicy", + "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-iam.Policy", + "fqn": "aws-cdk-lib.aws_iam.Policy", "version": "0.0.0" } }, @@ -136,7 +170,7 @@ "id": "ImportRole", "path": "aws-cdk-iam-policy/Role/ImportRole", "constructInfo": { - "fqn": "@aws-cdk/core.Resource", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, @@ -176,13 +210,13 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-iam.CfnRole", + "fqn": "aws-cdk-lib.aws_iam.CfnRole", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-iam.Role", + "fqn": "aws-cdk-lib.aws_iam.Role", "version": "0.0.0" } }, @@ -190,7 +224,7 @@ "id": "BootstrapVersion", "path": "aws-cdk-iam-policy/BootstrapVersion", "constructInfo": { - "fqn": "@aws-cdk/core.CfnParameter", + "fqn": "aws-cdk-lib.CfnParameter", "version": "0.0.0" } }, @@ -198,13 +232,13 @@ "id": "CheckBootstrapVersion", "path": "aws-cdk-iam-policy/CheckBootstrapVersion", "constructInfo": { - "fqn": "@aws-cdk/core.CfnRule", + "fqn": "aws-cdk-lib.CfnRule", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/core.Stack", + "fqn": "aws-cdk-lib.Stack", "version": "0.0.0" } }, @@ -221,7 +255,7 @@ "path": "PolicyInteg/DefaultTest/Default", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.249" + "version": "10.3.0" } }, "DeployAssert": { @@ -232,7 +266,7 @@ "id": "BootstrapVersion", "path": "PolicyInteg/DefaultTest/DeployAssert/BootstrapVersion", "constructInfo": { - "fqn": "@aws-cdk/core.CfnParameter", + "fqn": "aws-cdk-lib.CfnParameter", "version": "0.0.0" } }, @@ -240,25 +274,25 @@ "id": "CheckBootstrapVersion", "path": "PolicyInteg/DefaultTest/DeployAssert/CheckBootstrapVersion", "constructInfo": { - "fqn": "@aws-cdk/core.CfnRule", + "fqn": "aws-cdk-lib.CfnRule", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/core.Stack", + "fqn": "aws-cdk-lib.Stack", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/integ-tests.IntegTestCase", + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/integ-tests.IntegTest", + "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", "version": "0.0.0" } }, @@ -267,12 +301,12 @@ "path": "Tree", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.249" + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/core.App", + "fqn": "aws-cdk-lib.App", "version": "0.0.0" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.ts index 0f98857c9f03e..68974890aded5 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.ts @@ -17,7 +17,8 @@ policy2.addStatements(new PolicyStatement({ resources: ['*'], actions: ['lambda: policy2.attachToUser(user); const role = new Role(stack, 'Role', { assumedBy: new AccountRootPrincipal() }); -role.grantAssumeRole(policy.grantPrincipal); +role.grantAssumeRole(user); + Grant.addToPrincipal({ actions: ['iam:*'], resourceArns: [role.roleArn], grantee: policy2 }); new IntegTest(app, 'PolicyInteg', { diff --git a/packages/aws-cdk-lib/aws-iam/README.md b/packages/aws-cdk-lib/aws-iam/README.md index 60daf55e5e8b2..b020dc7c55063 100644 --- a/packages/aws-cdk-lib/aws-iam/README.md +++ b/packages/aws-cdk-lib/aws-iam/README.md @@ -369,6 +369,39 @@ new iam.Role(this, 'Role', { }); ``` +### Granting a principal permission to assume a role + +A principal can be granted permission to assume a role using `grantAssumeRole`. + +Note that this does not apply to service principals or account principals as they must be added to the role trust policy via `assumeRolePolicy`. + +```ts +const user = new iam.User(this, 'user') +const role = new iam.Role(this, 'role', { + assumedBy: new iam.AccountPrincipal(this.account) +}); + +role.grantAssumeRole(user); +``` + +### Granting service and account principals permission to assume a role + +Service principals and account principals can be granted permission to assume a role using `assumeRolePolicy` which modifies the role trust policy. + +```ts +const role = new iam.Role(this, 'role', { + assumedBy: new iam.AccountPrincipal(this.account), +}); + +role.assumeRolePolicy?.addStatements(new iam.PolicyStatement({ + actions: ['sts:AssumeRole'], + principals: [ + new iam.AccountPrincipal('123456789'), + new iam.ServicePrincipal('beep-boop.amazonaws.com') + ], +})); +``` + ## Parsing JSON Policy Documents diff --git a/packages/aws-cdk-lib/aws-iam/lib/role.ts b/packages/aws-cdk-lib/aws-iam/lib/role.ts index b8937d7b951aa..c72a569e1214f 100644 --- a/packages/aws-cdk-lib/aws-iam/lib/role.ts +++ b/packages/aws-cdk-lib/aws-iam/lib/role.ts @@ -6,7 +6,7 @@ import { IManagedPolicy, ManagedPolicy } from './managed-policy'; import { Policy } from './policy'; import { PolicyDocument } from './policy-document'; import { PolicyStatement } from './policy-statement'; -import { AddToPrincipalPolicyResult, ArnPrincipal, IPrincipal, PrincipalPolicyFragment } from './principals'; +import { AccountPrincipal, AddToPrincipalPolicyResult, ArnPrincipal, IPrincipal, PrincipalPolicyFragment, ServicePrincipal } from './principals'; import { defaultAddPrincipalToAssumeRole } from './private/assume-role-policy'; import { ImmutableRole } from './private/immutable-role'; import { ImportedRole } from './private/imported-role'; @@ -594,6 +594,10 @@ export class Role extends Resource implements IRole { * Grant permissions to the given principal to assume this role. */ public grantAssumeRole(identity: IPrincipal) { + // Service and account principals must use assumeRolePolicy + if (identity instanceof ServicePrincipal || identity instanceof AccountPrincipal) { + throw new Error('Cannot use a service or account principal with grantAssumeRole, use assumeRolePolicy instead.'); + } return this.grant(identity, 'sts:AssumeRole'); } diff --git a/packages/aws-cdk-lib/aws-iam/test/role.test.ts b/packages/aws-cdk-lib/aws-iam/test/role.test.ts index 88ee4f2d6cbbc..1733b256400c1 100644 --- a/packages/aws-cdk-lib/aws-iam/test/role.test.ts +++ b/packages/aws-cdk-lib/aws-iam/test/role.test.ts @@ -2,7 +2,7 @@ import { testDeprecated } from '@aws-cdk/cdk-build-tools'; import { Construct } from 'constructs'; import { Template, Match, Annotations } from '../../assertions'; import { Duration, Stack, App, CfnResource, RemovalPolicy, Lazy, Stage, DefaultStackSynthesizer, CliCredentialsStackSynthesizer, PERMISSIONS_BOUNDARY_CONTEXT_KEY, PermissionsBoundary, Token } from '../../core'; -import { AnyPrincipal, ArnPrincipal, CompositePrincipal, FederatedPrincipal, ManagedPolicy, PolicyStatement, Role, ServicePrincipal, User, Policy, PolicyDocument, Effect } from '../lib'; +import { AccountPrincipal, AnyPrincipal, ArnPrincipal, CompositePrincipal, FederatedPrincipal, ManagedPolicy, PolicyStatement, Role, ServicePrincipal, User, Policy, PolicyDocument, Effect } from '../lib'; describe('isRole() returns', () => { test('true if given Role instance', () => { @@ -388,6 +388,36 @@ describe('IAM role', () => { }); }); + test('a role cannot grant AssumeRole permission to a Service Principal', () => { + // GIVEN + const stack = new Stack(); + + // WHEN + const user = new User(stack, 'User'); + const role = new Role(stack, 'MyRole', { + assumedBy: user, + }); + + // THEN + expect(() => role.grantAssumeRole(new ServicePrincipal('beep-boop.amazonaws.com'))) + .toThrow('Cannot use a service or account principal with grantAssumeRole, use assumeRolePolicy instead.'); + }); + + test('a role cannot grant AssumeRole permission to an Account Principal', () => { + // GIVEN + const stack = new Stack(); + + // WHEN + const user = new User(stack, 'User'); + const role = new Role(stack, 'MyRole', { + assumedBy: user, + }); + + // THEN + expect(() => role.grantAssumeRole(new AccountPrincipal('123456789'))) + .toThrow('Cannot use a service or account principal with grantAssumeRole, use assumeRolePolicy instead.'); + }); + testDeprecated('can supply externalId', () => { // GIVEN const stack = new Stack();