(aws-iam): (importedRoleStackSafeDefaultPolicyName Feature flag generates Policy names that are over 128 characters) #24441

zeyad001 · 2023-03-03T13:13:45Z

Describe the bug

I am using the CrossZoneDelegation construct to delegate between 2 hosted Zones that are in different accounts. When I use the importedRoleStackSafeDefaultPolicyName feature flag the policy names that are generated that contain the path are targer than 128 characters which causes the stack to fail to deploy.

Expected Behavior

The policy names need to be trimmed to fit within 128 characters when using this feature flag.

Current Behavior

Adding the full construct path to the policy can lead to the polices becoming too to large.

Reproduction Steps

Create a new stack with a long name
Create a Hosted Zone in that account
Create another stack with a long name
Create a DNS delegation roles
Create a Hosted Zone in another account
Use CrossAccount Delegation between the hosted zones
Enable the importedRoleStackSafeDefaultPolicyName feature flag
Attempt to deploy
Stack fails because of policy name being too long and containing the entire construct path.

Possible Solution

Trim the policy name
Find another uuid to generate default policy names instead of appending the construct path

Additional Information/Context

No response

CDK CLI Version

2.66.0

Framework Version

No response

Node.js Version

16

OS

Amazon Linux 2

Language

Typescript

Language Version

4.9.5

Other information

No response

pahud · 2023-03-03T17:01:39Z

Thank you for your report. I guess we probably need to trim the policy name with cdk.Names.UniqueResourceName() with maxLength property specified. Making this a p2 bug and any PR submission would be appreciated!

peterwoodworth · 2023-10-16T21:04:23Z

Closing as duplicate of #27409

github-actions · 2023-10-16T21:04:47Z

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

… in excessively long IAM policy names (#27548) When the importedRoleStackSafeDefaultPolicyName feature flag is enabled, the method to calculate the IAM Policy Name within `aws_iam.ImportedRole.addToPrincipalPolicy()` changes. Specifically, if the generated IAM Policy Name exceeds the maximum allowed length of 128 characters, it will be truncated using `Names.uniqueResourceName()`. Previously, the `Names.UniqueId()` method was used to generate the Policy Name. This method does not allow you to set a maximum length, so if the name exceeded the limit, it would be overwritten using `Names.uniqueResourceName()`—a function that allows for length specification. I considered replacing `Names.UniqueId()` entirely with `Names.uniqueResourceName()`. However, this is on hold due to concerns that existing Policy Names could be affected. If a complete replacement poses no issues, your guidance is appreciated, as I'm not fully versed in the logic behind these methods. Closes #27409 , #24441 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

… in excessively long IAM policy names (aws#27548) When the importedRoleStackSafeDefaultPolicyName feature flag is enabled, the method to calculate the IAM Policy Name within `aws_iam.ImportedRole.addToPrincipalPolicy()` changes. Specifically, if the generated IAM Policy Name exceeds the maximum allowed length of 128 characters, it will be truncated using `Names.uniqueResourceName()`. Previously, the `Names.UniqueId()` method was used to generate the Policy Name. This method does not allow you to set a maximum length, so if the name exceeded the limit, it would be overwritten using `Names.uniqueResourceName()`—a function that allows for length specification. I considered replacing `Names.UniqueId()` entirely with `Names.uniqueResourceName()`. However, this is on hold due to concerns that existing Policy Names could be affected. If a complete replacement poses no issues, your guidance is appreciated, as I'm not fully versed in the logic behind these methods. Closes aws#27409 , aws#24441 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

zeyad001 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 3, 2023

github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Mar 3, 2023

pahud added p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Mar 3, 2023

isacaraujo mentioned this issue Oct 13, 2023

importedRoleStackSafeDefaultPolicyName feature flag results in excessively long IAM policy names #27409

Closed

yamoyamoto mentioned this issue Oct 15, 2023

fix(iam): importedRoleStackSafeDefaultPolicyName feature flag results in excessively long IAM policy names #27548

Merged

peterwoodworth closed this as not planned Won't fix, can't repro, duplicate, stale Oct 16, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

(aws-iam): (importedRoleStackSafeDefaultPolicyName Feature flag generates Policy names that are over 128 characters) #24441

(aws-iam): (importedRoleStackSafeDefaultPolicyName Feature flag generates Policy names that are over 128 characters) #24441

zeyad001 commented Mar 3, 2023

pahud commented Mar 3, 2023

peterwoodworth commented Oct 16, 2023

github-actions bot commented Oct 16, 2023