ARN Matching Incorrectly Flags Wildcards In Region As Invalid #220

Open
squatched opened this issue Aug 3, 2022 · 0 comments
squatched commented Aug 3, 2022

(This comment from a couple years ago seems to jibe with my understanding.)

From the documentation:

You can use wildcard characters (* and ?) within any ARN segment. An asterisk (*) represents any combination of zero or more characters, and a question mark (?) represents any single character. You can use multiple * or ? characters in each segment, but a wildcard cannot span segments.

Given this policy statement:

{
    "Effect": "Allow",
    "Action": "rds:CopyDBParameterGroup",
    "Resource": "arn:aws:rds:us-west-?:0123456789012:*pg:*"
}

The linter fails with:

        Severity: MEDIUM
        Issue: INVALID_ARN
        File: <stdin>
        Detail: Region expected to be of form like us-east-1 but got ['us-west-?']

However, it is accepted and works as expected in the policy sim and as a policy in an IAM role.
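A wildcard-aware region check along the lines of the documentation quoted in the issue, as an added example that is not the linter's own code or part of the original report. The function names and the short `KNOWN_REGIONS` sample are assumptions made for illustration; a real linter would load the full region list.

```python
import re

# Small sample of AWS region names, not exhaustive (assumption for this example).
KNOWN_REGIONS = ["us-east-1", "us-east-2", "us-west-1", "us-west-2",
                 "eu-west-1", "ap-southeast-2"]


def segment_to_regex(segment):
    """Translate one ARN segment into a regex: '*' is zero or more characters,
    '?' is exactly one, and neither may cross a ':' segment boundary."""
    parts = []
    for ch in segment:
        if ch == "*":
            parts.append("[^:]*")
        elif ch == "?":
            parts.append("[^:]")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def matching_regions(arn, regions=KNOWN_REGIONS):
    """Return the known regions that the ARN's region segment can match."""
    # arn:partition:service:region:account:resource (resource may contain ':')
    segments = arn.split(":", 5)
    if len(segments) != 6 or segments[0] != "arn":
        raise ValueError("not an ARN: %r" % arn)
    pattern = segment_to_regex(segments[3])
    return [r for r in regions if pattern.fullmatch(r)]


def region_is_plausible(arn, regions=KNOWN_REGIONS):
    """Accept an empty region (as in IAM ARNs) or a literal or wildcard region
    that matches at least one known region; reject anything else."""
    if arn.split(":", 5)[3:4] == [""]:
        return True
    return bool(matching_regions(arn, regions))


if __name__ == "__main__":
    # The Resource value from the policy statement in the issue.
    arn = "arn:aws:rds:us-west-?:0123456789012:*pg:*"
    print(arn, "->", matching_regions(arn))
```

Validating the pattern against real region names keeps the check useful: `us-west-?` passes, while a pattern that can never match a region is still reported.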
