Usage of OrganizationPrincipal in IAM Role creation is causing MalformedPolicyDocument #5732

imincik · 2020-01-09T13:36:09Z

Stack can't be deployed when OrganizationPrincipal is used in IAM Role creation because of MalformedPolicyDocument.

Reproduction Steps

Code:

r = aws_iam.Role(self, 'myrole',
    assumed_by=aws_iam.OrganizationPrincipal(organization_id='o-123')
)

CloudFormation template:

  myrole81024481:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Condition:
              StringEquals:
                aws:PrincipalOrgID: o-123
            Effect: Allow
            Principal: "*"
        Version: "2012-10-17"

Error Log

Error:

$ cdk deploy

...

  1/14 | 1:41:32 PM | CREATE_FAILED        | AWS::IAM::Role     | raster-nonprod/linz-raster-read-role (linzrasterreadrole81024481) AssumeRolepolicy contained an invalid principal: "STAR":"*". (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 95c21901-e6c5-4279-b6da-41d4a68c998f)
        new Role (/tmp/jsii-kernel-27K1yW/node_modules/@aws-cdk/aws-iam/lib/role.js:35:22)
        \_ /home/imincik/Projects/dev/linz/linz-data-lake/code/aws/data-stores/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7762:49
        \_ Kernel._wrapSandboxCode (/home/imincik/Projects/dev/linz/linz-data-lake/code/aws/data-stores/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:8222:20)
        \_ Kernel._create (/home/imincik/Projects/dev/linz/linz-data-lake/code/aws/data-stores/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7762:26)
        \_ Kernel.create (/home/imincik/Projects/dev/linz/linz-data-lake/code/aws/data-stores/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7509:21)
        \_ KernelHost.processRequest (/home/imincik/Projects/dev/linz/linz-data-lake/code/aws/data-stores/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7296:28)
        \_ KernelHost.run (/home/imincik/Projects/dev/linz/linz-data-lake/code/aws/data-stores/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7236:14)
        \_ Immediate._onImmediate (/home/imincik/Projects/dev/linz/linz-data-lake/code/aws/data-stores/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7239:37)
        \_ processImmediate (internal/timers.js:439:21)

Environment

CLI Version : 1.20.0 (build 021c521)
Framework Version:
OS : Ubuntu 18.04
Language : Python

Other

This is 🐛 Bug Report

The text was updated successfully, but these errors were encountered:

imincik · 2020-01-10T10:28:52Z

Isn't it the same issue as Terraform was fixing some time ago - hashicorp/terraform-provider-aws#4248 ?

`Principal: "*"` supposedly works to allow any Principal to assume a Role (restricted by `Conditions`, of course), but doesn't work in practice. The IAM API rejects it as a MalformedPolicyDocument. In order to not generate a large diff on existing policies, disable simplification of `Principal: { AWS: * }` to `Principal: *` only for AssumeRole policy documents. Fixes #5732.

rix0rrr · 2020-01-10T13:39:01Z

Yes it is. Thanks for reporting.

`Principal: "*"` supposedly works to allow any Principal to assume a Role (restricted by `Conditions`, of course), but doesn't work in practice. The IAM API rejects it as a MalformedPolicyDocument. In order to not generate a large diff on existing policies, disable simplification of `Principal: { AWS: * }` to `Principal: *` only for AssumeRole policy documents. Fixes #5732.

imincik added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 9, 2020

SomayaB added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Jan 9, 2020

SomayaB assigned rix0rrr Jan 9, 2020

rix0rrr mentioned this issue Jan 10, 2020

fix(iam): can't use OrganizationPrincipal for assuming Role #5746

Merged

rix0rrr added the p1 label Jan 10, 2020

mergify bot closed this as completed in #5746 Jan 13, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Usage of OrganizationPrincipal in IAM Role creation is causing MalformedPolicyDocument #5732

Usage of OrganizationPrincipal in IAM Role creation is causing MalformedPolicyDocument #5732

imincik commented Jan 9, 2020 •

edited

imincik commented Jan 10, 2020 •

edited

rix0rrr commented Jan 10, 2020

Navigation Menu

Usage of OrganizationPrincipal in IAM Role creation is causing MalformedPolicyDocument #5732

Usage of OrganizationPrincipal in IAM Role creation is causing MalformedPolicyDocument #5732

Comments

imincik commented Jan 9, 2020 • edited

Reproduction Steps

Error Log

Environment

Other

imincik commented Jan 10, 2020 • edited

rix0rrr commented Jan 10, 2020

imincik commented Jan 9, 2020 •

edited

imincik commented Jan 10, 2020 •

edited