Usage of OrganizationPrincipal in IAM Role creation is causing MalformedPolicyDocument #5732
Labels: @aws-cdk/aws-iam (Related to AWS Identity and Access Management), bug (This issue is a bug.), needs-triage (This issue or PR still needs to be triaged.), p1
Comments
imincik added the bug and needs-triage labels Jan 9, 2020
Isn't it the same issue as Terraform was fixing some time ago - hashicorp/terraform-provider-aws#4248?
rix0rrr added a commit that referenced this issue Jan 10, 2020
`Principal: "*"` supposedly works to allow any Principal to assume a Role (restricted by `Conditions`, of course), but doesn't work in practice. The IAM API rejects it as a MalformedPolicyDocument. In order to not generate a large diff on existing policies, disable simplification of `Principal: { AWS: * }` to `Principal: *` only for AssumeRole policy documents. Fixes #5732.
Yes it is. Thanks for reporting.
mergify bot pushed a commit that referenced this issue Jan 13, 2020
`Principal: "*"` supposedly works to allow any Principal to assume a Role (restricted by `Conditions`, of course), but doesn't work in practice. The IAM API rejects it as a MalformedPolicyDocument. In order to not generate a large diff on existing policies, disable simplification of `Principal: { AWS: * }` to `Principal: *` only for AssumeRole policy documents. Fixes #5732.
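The behaviour the commit message describes, as an added example that is not code from aws-cdk or from this thread: a renderer that collapses `{ AWS: "*" }` to `"*"` except in AssumeRole (trust) policies, plus a pre-deploy check for the bare form. The type and function names and the organization ID are hypothetical; the sample document is constructed.

```typescript
// Added example; the type and function names are hypothetical, not aws-cdk APIs.
type PrincipalMap = { [kind: string]: string | string[] };
type Principal = "*" | PrincipalMap;
interface Statement {
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Principal?: Principal;
  Condition?: { [op: string]: { [key: string]: string | string[] } };
}
interface PolicyDocument { Version: string; Statement: Statement[]; }

// True when the principal is exactly { AWS: "*" } or { AWS: ["*"] }.
function isAwsWildcard(p: Principal): boolean {
  if (p === "*") return false;
  const keys = Object.keys(p);
  if (keys.length !== 1 || keys[0] !== "AWS") return false;
  const v = p["AWS"];
  return v === "*" || (Array.isArray(v) && v.length === 1 && v[0] === "*");
}

// Other policies collapse { AWS: "*" } to "*"; trust (AssumeRole) policies
// keep the map form, because the page reports that IAM rejects the bare "*"
// there as MalformedPolicyDocument. Conditions are carried over untouched.
function renderPolicy(doc: PolicyDocument, isAssumeRolePolicy: boolean): PolicyDocument {
  const Statement = doc.Statement.map((s): Statement => {
    if (s.Principal !== undefined && isAwsWildcard(s.Principal)) {
      return { ...s, Principal: isAssumeRolePolicy ? { AWS: "*" } : "*" };
    }
    return { ...s };
  });
  return { Version: doc.Version, Statement };
}

// Pre-deploy check: indexes of trust-policy statements with a bare "*" principal.
function findBareWildcards(trustPolicy: PolicyDocument): number[] {
  return trustPolicy.Statement.map((s, i) => (s.Principal === "*" ? i : -1)).filter((i) => i >= 0);
}

// Constructed sample: an organization-scoped trust statement (placeholder org ID).
const orgTrust: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Action: "sts:AssumeRole",
    Principal: { AWS: ["*"] },
    Condition: { StringEquals: { "aws:PrincipalOrgID": "o-exampleorgid" } },
  }],
};
```

Running `findBareWildcards` over a synthesized trust policy before deployment surfaces the rejected form without waiting for the IAM API error.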
Stack can't be deployed when OrganizationPrincipal is used in IAM Role creation because of MalformedPolicyDocument.
Reproduction Steps
Code:
CloudFormation template:
Error Log
Error:
Environment
Other
This is 🐛 Bug Report