
aws-iam: Calling grant methods with immutable role fails silently #25952

Closed
willdady opened this issue Jun 13, 2023 · 3 comments
Labels
@aws-cdk/aws-iam (Related to AWS Identity and Access Management)
bug (This issue is a bug.)
duplicate (This issue is a duplicate.)
effort/medium (Medium work item – several days of effort)
feature-request (A feature should be added or improved.)
p2

Comments

@willdady

Describe the bug

Calling grantEncryptDecrypt on a KMS key when passing an immutable role fails silently. No errors or warnings are shown during synthesis.

    import * as cdk from "aws-cdk-lib";
    import * as iam from "aws-cdk-lib/aws-iam";
    import * as kms from "aws-cdk-lib/aws-kms";
    import { Construct } from "constructs";

    export class ReproStack extends cdk.Stack {
      constructor(scope: Construct, id: string, props?: cdk.StackProps) {
        super(scope, id, props);
        const myRole = iam.Role.fromRoleArn(
          this,
          "MyRole",
          "arn:aws:iam::999999999999:role/my-role",
          { mutable: false }
        );

        const myKey = new kms.Key(this, "MyKey");

        myKey.grantEncryptDecrypt(myRole); // This should be a build-time error as role is marked as immutable
      }
    }

Expected Behavior

Calling a grant* method with an immutable role should raise an error, or at a minimum a warning, during synthesis. It's unexpected behaviour that calling grantEncryptDecrypt has no effect if the role has { mutable: false } set.

Current Behavior

Calling grantEncryptDecrypt as shown in the snippet above has no effect. No IAM policy is created and no errors or warnings are emitted.

Reproduction Steps

See above snippet.

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.79.1

Framework Version

No response

Node.js Version

18

OS

MacOS

Language

Typescript

Language Version

No response

Other information

No response

willdady added labels bug (This issue is a bug.) and needs-triage (This issue or PR still needs to be triaged.) on Jun 13, 2023
github-actions bot added label @aws-cdk/aws-iam (Related to AWS Identity and Access Management) on Jun 13, 2023
@pahud
Contributor

pahud commented Jun 13, 2023

I think this is by design as described here but I agree we should print warning messages at least. I am making it a p2 feature request and we welcome pull requests.

pahud added labels p2, feature-request (A feature should be added or improved.) and effort/medium (Medium work item – several days of effort) and removed needs-triage (This issue or PR still needs to be triaged.) on Jun 13, 2023
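The maintainer's reply above says the drop is by design, so the practical safeguard is to verify the synthesized template rather than trust the grant call. The following is an added example, not code from this issue or from aws-cdk-lib: a dependency-free TypeScript check over the CloudFormation JSON that cdk synth writes, run here on two constructed, simplified templates that mirror the snippet in the report (role name my-role, account 999999999999). The function and template names are made up for the example.

```typescript
// Added example (not from the issue or aws-cdk-lib): check a synthesized template to see
// whether a KMS grant actually landed, so a silently dropped grant fails in CI, not at runtime.
type Json = any;
interface GrantCheck { roleName: string; roleArn: string; actions: string[] }

const asArray = <T>(v: T | T[] | undefined): T[] => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// IAM action patterns may end in '*' ('kms:ReEncrypt*', 'kms:*', '*'); exact match otherwise.
const actionMatches = (pattern: string, action: string): boolean =>
  pattern.endsWith('*') ? action.startsWith(pattern.slice(0, -1)) : pattern === action;

function statementAllows(stmt: Json, actions: string[]): boolean {
  if (stmt.Effect !== 'Allow') return false;
  const patterns = asArray<string>(stmt.Action);
  return actions.every(a => patterns.some(p => actionMatches(p, a)));
}

// True if the template grants `check.actions` to the role, either through an inline
// AWS::IAM::Policy attached to the role by name (same-account imported role) or through a
// key-policy statement whose principal is the role ARN (the resource-policy path).
function grantMaterialized(template: Json, check: GrantCheck): boolean {
  const resources: Record<string, Json> = template.Resources ?? {};
  for (const id of Object.keys(resources)) {
    const res = resources[id], props = res.Properties ?? {};
    if (res.Type === 'AWS::IAM::Policy' && asArray<Json>(props.Roles).includes(check.roleName) &&
        asArray<Json>(props.PolicyDocument?.Statement).some(s => statementAllows(s, check.actions))) return true;
    if (res.Type === 'AWS::KMS::Key' && asArray<Json>(props.KeyPolicy?.Statement).some(s =>
        asArray<string>(s.Principal?.AWS).includes(check.roleArn) && statementAllows(s, check.actions))) return true;
  }
  return false;
}

const MY_ROLE: GrantCheck = {
  roleName: 'my-role', roleArn: 'arn:aws:iam::999999999999:role/my-role', actions: ['kms:Encrypt', 'kms:Decrypt'],
};
// Constructed, simplified templates (real logical IDs carry a hash suffix). The key's default
// policy only trusts the account root, so it never satisfies the role check on its own.
const KEY_ONLY = { MyKey: { Type: 'AWS::KMS::Key', Properties: { KeyPolicy: { Statement: [
  { Effect: 'Allow', Action: 'kms:*', Resource: '*', Principal: { AWS: 'arn:aws:iam::999999999999:root' } }] } } } };
// Default mutable import: the grant becomes an inline policy attached to the existing role by name.
const TEMPLATE_MUTABLE = { Resources: { ...KEY_ONLY, MyRolePolicy: { Type: 'AWS::IAM::Policy', Properties: {
  Roles: ['my-role'], PolicyDocument: { Statement: [{ Effect: 'Allow', Resource: { 'Fn::GetAtt': ['MyKey', 'Arn'] },
  Action: ['kms:Decrypt', 'kms:Encrypt', 'kms:ReEncrypt*', 'kms:GenerateDataKey*'] }] } } } } };
// { mutable: false }: the role gets nothing, and nothing in the template says so.
const TEMPLATE_IMMUTABLE = { Resources: { ...KEY_ONLY } };

console.log(grantMaterialized(TEMPLATE_MUTABLE, MY_ROLE), grantMaterialized(TEMPLATE_IMMUTABLE, MY_ROLE)); // true false
```

Wire the same check into a CDK unit test over app.synth() output and an immutable import can no longer pass CI without the grant being visible.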
peterwoodworth added label duplicate (This issue is a duplicate.) on Jun 13, 2023
@peterwoodworth
Contributor

Thanks for reporting, closing as a duplicate of this #12188

@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

Development

No branches or pull requests

3 participants