
IAM: Cannot create Principal of ARN role in trust relationship #26482

Closed
malatep opened this issue Jul 24, 2023 · 2 comments
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management bug This issue is a bug. needs-triage This issue or PR still needs to be triaged.

Comments


malatep commented Jul 24, 2023

Describe the bug

I would like to create a trust relationship with a specific role in a different account and not use the account principal.

The final result I want is this trust relationship (as in this example)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111111111111:role/my-lambda-execution-role"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

This is what I am doing

...

        new Role(this, 'my-role', {
            assumedBy: new ArnPrincipal('arn:aws:iam::111111111111:role/my-lambda-execution-role'),

...

This fails with the following error

Invalid principal in policy: "AWS":"arn:aws:iam::111111111111:role/my-lambda-execution-role" (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 3ee72085-6397-4110-808a-be9bf5b1ae73; Proxy: null)

Expected Behavior

I would expect to see the trust relationship policy with the IAM role as Principal.

This should work as the CDK docs say:

You can specify AWS accounts, IAM users, Federated SAML users, IAM roles, and specific assumed-role sessions. You cannot specify IAM groups or instance profiles as principals


Note that if I use the account Principal ARN like this it works:

...

        new Role(this, 'my-role', {
            assumedBy: new ArnPrincipal('arn:aws:iam::111111111111:root'),

...

But I don't want to give permission to the entire account and want to restrict to the individual role.

Current Behavior

Invalid principal in policy: "AWS":"arn:aws:iam::111111111111:role/my-lambda-execution-role" (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 3ee72085-6397-4110-808a-be9bf5b1ae73; Proxy: null)

Reproduction Steps

Deploy this stack to replicate the issue

import { Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { Role, ArnPrincipal } from 'aws-cdk-lib/aws-iam';

export class IamStack extends Stack {
    constructor(scope: Construct, id: string, props?: StackProps) {
        super(scope, id, props);

        // Trust a single role in the other account instead of the whole account (":root").
        // IAM validates this ARN when the trust policy is saved, so the role must already exist.
        new Role(this, 'my-role', {
            assumedBy: new ArnPrincipal('arn:aws:iam::111111111111:role/my-lambda-execution-role'),
        });
    }
}

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.88.0

Framework Version

No response

Node.js Version

v16.20.1

OS

Mac OS Ventura 13.4.1

Language

Typescript

Language Version

No response

Other information

No response

@malatep malatep added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jul 24, 2023
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Jul 24, 2023

malatep commented Jul 24, 2023

This happens when the IAM role does not exist in the other account. Closing as this is not a CDK issue.

@malatep malatep closed this as completed Jul 24, 2023
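The two points in this thread, that a role ARN used as a trust-policy principal must already exist in the other account, and that falling back to the account's `:root` principal trusts far more than the one role, are illustrated below in an added example. It is not code from the issue, from the reporter, or from aws-cdk-lib; it builds the trust policies as plain JSON with no CDK dependency so it runs offline. The role ARN, the set of "existing" roles and the caller ARNs are constructed. The `aws:PrincipalArn` condition variant is an alternative shape added here: because IAM does not resolve it to a unique principal ID, it does not require the role to exist when the policy is written, yet still scopes the trust to a single role. The `callerIsTrusted` evaluator is a deliberate simplification of IAM's principal matching, included only to show the difference in scope.

```typescript
// Added example for the trust-policy shapes discussed in the issue. Not CDK code.
// All ARNs are constructed placeholders.

type Condition = Record<string, Record<string, string>>;

interface TrustStatement {
  Effect: "Allow";
  Principal: { AWS: string };
  Action: "sts:AssumeRole";
  Condition?: Condition;
}

interface TrustPolicy {
  Version: "2012-10-17";
  Statement: TrustStatement[];
}

const ROLE_ARN = /^arn:aws:iam::(\d{12}):role\/[\w+=,.@\/-]+$/;
const ROOT_ARN = /^arn:aws:iam::(\d{12}):root$/;

// Extract the 12-digit account ID from an IAM or STS ARN.
export function accountOf(arn: string): string {
  const m = /^arn:aws:(?:iam|sts)::(\d{12}):/.exec(arn);
  if (!m) throw new Error(`not an IAM/STS ARN: ${arn}`);
  return m[1];
}

// Shape 1: the role ARN itself as Principal (what the issue's ArnPrincipal produces).
// IAM stores this as the role's unique principal ID, so the role must exist when the
// policy is written (otherwise MalformedPolicyDocument "Invalid principal in policy",
// as in the issue), and deleting and recreating the role silently breaks the trust.
export function trustRoleArn(roleArn: string): TrustPolicy {
  if (!ROLE_ARN.test(roleArn)) throw new Error(`not a role ARN: ${roleArn}`);
  return {
    Version: "2012-10-17",
    Statement: [{ Effect: "Allow", Principal: { AWS: roleArn }, Action: "sts:AssumeRole" }],
  };
}

// Shape 2 (added alternative): the account root as Principal, narrowed with an
// aws:PrincipalArn condition. Nothing is resolved to a unique ID, so the role need not
// exist yet, and the effective scope is still one role (for a role session,
// aws:PrincipalArn carries the role ARN, not the assumed-role session ARN). As with any
// cross-account assumption, the caller's identity policy must also allow sts:AssumeRole.
export function trustAccountNarrowedToRole(roleArn: string): TrustPolicy {
  if (!ROLE_ARN.test(roleArn)) throw new Error(`not a role ARN: ${roleArn}`);
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Principal: { AWS: `arn:aws:iam::${accountOf(roleArn)}:root` },
      Action: "sts:AssumeRole",
      Condition: { ArnEquals: { "aws:PrincipalArn": roleArn } },
    }],
  };
}

// Pre-deploy check for shape 1: given the role ARNs known to exist in the target
// account (a constructed set here; in practice the result of `aws iam get-role` run
// with credentials for that account), would IAM accept the principal?
export function roleArnPrincipalWillValidate(roleArn: string, existingRoleArns: Set<string>): boolean {
  return ROLE_ARN.test(roleArn) && existingRoleArns.has(roleArn);
}

// Simplified evaluator of who may call sts:AssumeRole under a trust policy. It models
// only AWS principals (account root or an exact ARN) and the ArnEquals/aws:PrincipalArn
// condition; it illustrates scope and is not a reimplementation of IAM.
export function callerIsTrusted(policy: TrustPolicy, callerArn: string): boolean {
  return policy.Statement.some((s) => {
    const p = s.Principal.AWS;
    const rootMatch = ROOT_ARN.exec(p);
    const principalOk = rootMatch ? accountOf(callerArn) === rootMatch[1] : p === callerArn;
    if (!principalOk) return false;
    const required = s.Condition?.ArnEquals?.["aws:PrincipalArn"];
    return required === undefined || required === callerArn;
  });
}

// Constructed usage: print the existence-independent shape for the issue's role.
const exampleRole = "arn:aws:iam::111111111111:role/my-lambda-execution-role";
console.log(JSON.stringify(trustAccountNarrowedToRole(exampleRole), null, 2));
```

Before choosing shape 1, run `roleArnPrincipalWillValidate` against the roles actually present in the trusting account; if the role is created in the same deployment or by another team, shape 2 avoids both the `MalformedPolicyDocument` failure and the silent breakage when the role is recreated.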
@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
