iam.NewListRolesPaginator.NextPage suddenly doesn't return "Tags"

[suncle1993]

Acknowledgements

• I have searched (https://github.com/aws/aws-sdk/issues?q=is%3Aissue) for past instances of this issue
• I have verified all of my SDK modules are up-to-date (you can perform a bulk update with go get -u github.com/aws/aws-sdk-go-v2/...)

Describe the bug

I use iam.NewListRolesPaginator.NextPage to list iam roles for a long time. Today it suddenly doesn't return "Tags"

{
    "Arn": "arn:aws:iam::xxx:role/aaa",
    "AssumeRolePolicyDocument": "xxx",
    "CreateDate": "2000-01-01T01:00:00Z",
    "Description": null,
    "MaxSessionDuration": 14400,
    "Path": "/",
    "PermissionsBoundary": null,
    "RoleId": "xxx",
    "RoleLastUsed": null,
    "RoleName": "abner",
    "Tags": null
}

Yesterday(2024-04-03) It still return tags.
Besides, I confirm I have seen there are tags in this role in aws console.

Expected Behavior

role.Tags is a list include real key value

Current Behavior

role.Tags is null

Reproduction Steps

Use this code to list iam role, it will occur

import (
	"context"
	"fmt"
	"time"

	"github.com/aws/aws-sdk-go-v2/service/iam"
	"github.com/aws/aws-sdk-go-v2/service/iam/types"
)

func (c *Client) ListRoles(input *iam.ListRolesInput) ([]types.Role, error) {
	if input == nil {
		input = &iam.ListRolesInput{MaxItems: &MaxResults}
	}
	svc := iam.NewListRolesPaginator(c.iam, input)
	output := make([]types.Role, 0)
	for svc.HasMorePages() {
		result, err := svc.NextPage(context.TODO())
		if err != nil {
			return nil, err
		}
		output = append(output, result.Roles...)
		time.Sleep(c.sleepDuration)
	}
	return output, nil
}

Possible Solution

I think it's a bug of server side, not a bug in this sdk. Please help confirm with backend developer if there are some adjustments.

Additional Information/Context

No response

AWS Go SDK V2 Module Versions Used

I found this bug first in github.com/aws/aws-sdk-go-v2/service/iam@v1.30.0 version. And then I upgrade the version to v1.31.4, it remains.

Compiler and Version used

go version go1.21.0 darwin/arm64

Operating System and version

mac and aws ecs

[RanVaknin]

Hi there,

Thanks for reaching out. The SDK did not change the structure for this operation. The behavior you are describing is indeed odd. Looking at the IAM API docs I don't see that Tags were ever a field that the ListRoles API returned:

<ListRolesResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
<ListRolesResult>
  <IsTruncated>false</IsTruncated>
  <Roles>
    <member>
      <Path>/application_abc/component_xyz/</Path>
      <Arn>arn:aws:iam::123456789012:role/application_abc/component_xyz/S3Access</Arn>
      <RoleName>S3Access</RoleName>
      <AssumeRolePolicyDocument>
        {"Version":"2012-10-17","Statement":[{"Effect":"Allow",
        "Principal":{"Service":["ec2.amazonaws.com"]},"Action":["sts:AssumeRole"]}]}
      </AssumeRolePolicyDocument>
      <CreateDate>2012-05-09T15:45:35Z</CreateDate>
      <RoleId>AROACVSVTSZYEXAMPLEYK</RoleId>
    </member>
    <member>
      <Path>/application_abc/component_xyz/</Path>
      <Arn>arn:aws:iam::123456789012:role/application_abc/component_xyz/SDBAccess</Arn>
      <RoleName>SDBAccess</RoleName>
      <AssumeRolePolicyDocument>
        {"Version":"2012-10-17","Statement":[{"Effect":"Allow",
        "Principal":{"Service":["ec2.amazonaws.com"]},"Action":["sts:AssumeRole"]}]}
      </AssumeRolePolicyDocument>
      <CreateDate>2012-05-09T15:45:45Z</CreateDate>
      <RoleId>AROAC2ICXG32EXAMPLEWK</RoleId>
    </member>
  </Roles>
</ListRolesResult>
<ResponseMetadata>
  <RequestId>20f7279f-99ee-11e1-a4c3-27EXAMPLE804</RequestId>
</ResponseMetadata>
</ListRolesResponse>

Also, the IAM service uses a REST XML protocol, where is that JSON response coming from in your ticket?

The fact that the IAM API has a separate operation for returning the tags on a role (ListRoleTags) is also contributing to this confusion.

Do you have any sort of cloudwatch logs or request IDs that show the tags being returned?

Thanks,
Ran~

[suncle1993]

Thank you for your confirmation. It's my mistake. Sorry
Before we consume CloudTrail event and for every event we call GetRole to get the iam role data. This is why we can get the tags before.

Besides, we have a job to list all iam roles to do full sync. But unfortunately, it's the first time to carry out this job after we added tag missing alert recently.

This is the root cause. Sorry again.

At last, I want to know if there is any method for us to ListRoles with tags in one request?
Thanks.

[suncle1993]

Thank you for your confirmation. It's my mistake. Sorry Before we consume CloudTrail event and for every event we call GetRole to get the iam role data. This is why we can get the tags before.

Besides, we have a job to list all iam roles to do full sync. But unfortunately, it's the first time to carry out this job after we added tag missing alert recently.

This is the root cause. Sorry again.

At last, I want to know if there is any method for us to ListRoles with tags in one request? Thanks.

If there are no method can do ListRole with tags and we must ListRoleTags one by one after ListRoles, I think we can close this issue. Thank you.

[RanVaknin]

Hi @suncle1993 ,

As far as I know, the only way for you to achieve that is to:

1. list all roles
2. iterate over the list of roles and call ListRoleTags on each one of them.

Happy to help,
Ran~

[github-actions]

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.