
(aws-iam): grantAssumeRole does nothing #24507

dkaksl commented Mar 8, 2023

Describe the bug

Role.grantAssumeRole() does not make any difference in the generated policy.

Expected Behavior

grantAssumeRole should grant the given principal permission to assume the role.

Current Behavior

No-op.

Reproduction Steps

import { AccountPrincipal, Role } from 'aws-cdk-lib/aws-iam';

// Inside a Stack constructor: the role initially trusts the stack's own account.
const role = new Role(this, 'role', {
  assumedBy: new AccountPrincipal(this.account),
});
role.grantAssumeRole(new AccountPrincipal('123456789')); // no-op: nothing is added to the trust policy

Possible Solution

No response

Additional Information/Context

Workaround:

import { AccountPrincipal, Effect, PolicyStatement, Role } from 'aws-cdk-lib/aws-iam';

const role = new Role(this, 'role', {
  assumedBy: new AccountPrincipal(this.account),
});

// role.grantAssumeRole(new AccountPrincipal('123456789')) // no-op, see above

// Add the trust statement directly to the role's assume-role (trust) policy instead.
role.assumeRolePolicy?.addStatements(
  new PolicyStatement({
    effect: Effect.ALLOW,
    actions: ['sts:AssumeRole'],
    principals: [new AccountPrincipal('123456789')],
  }),
);

CDK CLI Version

2.67.0

Framework Version

No response

Node.js Version

v18.14.2

OS

Ubuntu

Language

Typescript

Language Version

No response

Other information

No response

@dkaksl dkaksl added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 8, 2023
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Mar 8, 2023
@pahud pahud added the investigating This issue is being investigated and/or work is in progress to resolve the issue. label Mar 8, 2023
@pahud pahud self-assigned this Mar 8, 2023
@pahud pahud removed the needs-triage This issue or PR still needs to be triaged. label Mar 8, 2023

pahud commented Mar 8, 2023

Hi

You will need to use assumeRolePolicy instead:

import * as iam from 'aws-cdk-lib/aws-iam';

const role = new iam.Role(this, 'role', {
  assumedBy: new iam.AccountPrincipal(this.account),
});

// Append the extra principal to the role's trust policy.
role.assumeRolePolicy?.addStatements(new iam.PolicyStatement({
  actions: ['sts:AssumeRole'],
  principals: [new iam.AccountPrincipal('123456789')],
}));

related to #22550 (comment)

@pahud pahud closed this as completed Mar 8, 2023
@pahud pahud removed their assignment Mar 8, 2023
@pahud pahud removed the investigating This issue is being investigated and/or work is in progress to resolve the issue. label Mar 8, 2023

github-actions bot commented Mar 8, 2023

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.


begna112 commented Jun 1, 2023

What is the purpose of role.grantAssumeRole if it does not actually add the AssumeRole statements for you?

When trying to use this workaround, it can end up trying to create cyclical references, in particular when trying to add RolePrincipals or RoleArns, such as for a specific lambda.


IllarionovDimitri commented Jul 13, 2023

I have the same problem. I spent hours figuring out why grant_assume_role(identity) does nothing. How should one actually find out this workaround of adding a statement to the role policy... no idea...

IMHO this workaround (if it is one) should be at least mentioned in the docs.

Although it works, there is a message saying "add_statements" is not a known member of "None".


lukepafford commented Jul 27, 2023

Would like to comment that I just encountered this issue too and it's a bit bewildering. I'm totally fine using role.assumeRolePolicy?.addStatements to modify the role's trust policy.

Just make it clear that you shouldn't use grantAssumeRole in the docs.

To make the problem obvious, here is a minimal example to reproduce the bug:

import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import {
  AccountPrincipal,
  AccountRootPrincipal,
  Effect,
  PolicyStatement,
  Role,
} from "aws-cdk-lib/aws-iam";

export class IamTestStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const accountsToAllowAssumedBy = ["000000000000"]; // Replace with real account

    const role = new Role(this, "Role", {
      assumedBy: new AccountRootPrincipal(),
      roleName: "AssumeRoleTest",
    });

    // THIS DOES NOT WORK
    // accountsToAllowAssumedBy.forEach((account) => {
    //   role.grantAssumeRole(new AccountPrincipal(account));
    // });

    // THIS DOES WORK
    role.assumeRolePolicy?.addStatements(
      new PolicyStatement({
        actions: ["sts:AssumeRole"],
        effect: Effect.ALLOW,
        principals: accountsToAllowAssumedBy.map(
          (account) => new AccountPrincipal(account)
        ),
      })
    );
  }
}


aperuru commented Oct 19, 2023

I ran into a similar problem, but I was able to solve this with fewer lines of code using the spread operator.
The only difference is that I intended to add multiple account principals to the trusted relationship along with the service principal so that the permissions are not wide open.

import * as iam from 'aws-cdk-lib/aws-iam';

const accountsToAllowAssumedBy = ['000000000000', '111111111111'];

// CompositePrincipal puts every listed principal into the trust policy at creation time,
// so no later grantAssumeRole() / assumeRolePolicy edit is needed.
const role = new iam.Role(this, 'Role', {
  roleName: 'AssumeRoleTest',
  assumedBy: new iam.CompositePrincipal(
    new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
    ...accountsToAllowAssumedBy.map((account) => new iam.AccountPrincipal(account)), // spread operator (...)
  ),
});

Output:

"Role1ABCC5F0": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "RoleName": "AssumeRoleTest",
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": [
         "arn:aws:iam::000000000000:root",
         "arn:aws:iam::111111111111:root"
        ],
        "Service": "ecs-tasks.amazonaws.com"
       }
      }
     ],
    },
   },
  },
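A check that would have caught the silent no-op, added here as an example; it is not code from the issue or from aws-cdk-lib. It reads the template that `cdk synth` writes (the shape of the output quoted above) and lists which principals the role's trust policy actually lets call sts:AssumeRole, so a principal that grantAssumeRole() dropped shows up as missing before anything is deployed. The type names, helper names and the sample template are assumptions.

```typescript
// Added example, not code from the issue or from aws-cdk-lib. Reads the template that
// `cdk synth` writes and lists who may assume a role, so a grantAssumeRole() call that
// added nothing is noticed before deploy. Names and the sample template are assumptions.
interface Statement {
  Effect: 'Allow' | 'Deny';
  Action: string | string[];
  Principal?: string | { AWS?: string | string[]; Service?: string | string[] };
}
interface Resource {
  Type: string;
  Properties?: { AssumeRolePolicyDocument?: { Statement: Statement | Statement[] } };
}
interface Template { Resources: Record<string, Resource>; }

// CloudFormation allows a scalar or a list in these fields; normalise to a list.
function asList<T>(v: T | T[] | undefined): T[] {
  if (v === undefined) return [];
  return Array.isArray(v) ? (v as T[]) : [v as T];
}

// Every principal (ARN, service name or "*") that an Allow statement lets call sts:AssumeRole.
function trustedPrincipals(template: Template, logicalId: string): string[] {
  const res = template.Resources[logicalId];
  if (!res || res.Type !== 'AWS::IAM::Role') throw new Error(`${logicalId}: not an IAM role`);
  const out = new Set<string>();
  for (const st of asList(res.Properties?.AssumeRolePolicyDocument?.Statement)) {
    if (st.Effect !== 'Allow') continue;
    if (!asList(st.Action).some((a) => a === 'sts:AssumeRole' || a === 'sts:*')) continue;
    if (typeof st.Principal === 'string') { out.add(st.Principal); continue; } // "*" = anyone
    asList(st.Principal?.AWS).forEach((p) => out.add(p));
    asList(st.Principal?.Service).forEach((p) => out.add(p));
  }
  return Array.from(out);
}

// True only if every principal you meant to trust really is in the trust policy.
function trustsAll(template: Template, logicalId: string, expected: string[]): boolean {
  const trusted = new Set(trustedPrincipals(template, logicalId));
  return expected.every((p) => trusted.has(p));
}

// Constructed template in the shape of the synth output quoted above: the role trusts one
// account and ECS tasks; an account passed only to grantAssumeRole() would be absent.
const SAMPLE_TEMPLATE: Template = {
  Resources: { Role1ABCC5F0: { Type: 'AWS::IAM::Role', Properties: { AssumeRolePolicyDocument: {
    Statement: [{ Effect: 'Allow', Action: 'sts:AssumeRole',
      Principal: { AWS: ['arn:aws:iam::000000000000:root'], Service: 'ecs-tasks.amazonaws.com' } }],
  } } } },
};
```

Run it against the JSON under cdk.out after `cdk synth`; a principal you expected but never see in the trust policy is exactly the silent no-op this issue describes.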

mergify bot pushed a commit that referenced this issue Apr 2, 2024
…ncipals (#29452)

### Issue #24507

### Reason for this change

grantAssumeRole silently fails if a Service Principal or Account Principal is used, which led me to a false assumption about the correctness of a role's permission scope.

### Description of changes

This change will throw an error if a Service Principal is used. I was unable to find a way to accomplish the same behavior for Account Principals.

Documentation was updated to help guide a user to the appropriate function usage for Service and Account Principals.

### Description of how you validated changes

* Added a unit test
* This change required me to re-run two unrelated snapshot tests which were throwing errors outside of the scope of this change.

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*