fix: stackset AdminRole should assume the ExecRole (#3704)
We had a typo in the stackset IAM roles for the past 3 years 😱. 
However, there was no impact for the customer because all
stack set instances are created within the same AWS account.

Since the `ExecutionRole` allows `sts:AssumeRole` to the
`AdministrationRole` and both roles live in the same IAM account (see
https://serverfault.com/questions/944254/aws-iam-assumerole-within-same-account/1021603#1021603)
the `AdministrationRole` could always assume the `ExecutionRole`.

Although this bug has no impact, we should fix it because it's confusing
to read that the `AdministrationRole` can assume itself when it should
be `ExecutionRole` instead.


By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the Apache 2.0 License.
efekarakus authored Jun 29, 2022
1 parent ba68716 commit eb8ad5a
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion internal/pkg/template/templates/app/app.yml
Expand Up @@ -50,7 +50,7 @@ Resources:
Action:
- sts:AssumeRole
Resource:
- !Sub 'arn:${AWS::Partition}:iam::*:role/${AdminRoleName}'
- !Sub 'arn:${AWS::Partition}:iam::*:role/${ExecutionRoleName}'
ExecutionRole:
Type: AWS::IAM::Role
Properties:
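Review bot: The corrected Resource entry still wildcards the account ID (`iam::*:role/${ExecutionRoleName}`), so the AdministrationRole's policy permits `sts:AssumeRole` requests against a role of that name in any account. The commit message states that all stack set instances are created within the same AWS account, so consider scoping the ARN to `arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${ExecutionRoleName}`. The target role's trust policy still gates the actual assumption, but narrowing the ARN here keeps the identity policy at least privilege. Because the previous value went unnoticed while deployments kept working, a template test asserting that this Resource references `ExecutionRoleName` would catch a regression.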
