This repository has been archived by the owner on Dec 7, 2023. It is now read-only.

Change principal to avoid errors if example is modified by user #1013

Closed

Conversation

shadycuz

Description of changes:
Added the AWS key to the principal policy. If a user copies and pastes this policy and then changes the principal to a specific role, the template will show up as valid but will fail to deploy because of an "Invalid policy syntax" error that is very hard to track down. That's because when using the "Principal" key directly, only a wildcard is valid.

See Anonymous user principals (public access) section in AWS JSON policy elements: Principal documentation.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@sasake615
Contributor

Thank you for your patience and for telling us about this issue. A member of the team will be working on it and will provide updates here about progress.

@swiercek
Contributor

This is service writer owned content. Leaving open.

@lincolahanbeck

The IAM documentation states,

For anonymous users, the following elements are equivalent:
"Principal": "*"
"Principal": { "AWS" : "*" }

In the S3 docs, similar policy examples use "Principal": "*". So we prefer to stick with the original option for consistency.

@shadycuz
Author

shadycuz commented Apr 6, 2023

@lincolahanbeck

Maybe something changed; I haven't retested it, but this was a huge issue when I reported it.

If you take the current example:

SampleBucketPolicy:
  Type: 'AWS::S3::BucketPolicy'
  Properties:
    Bucket: !Ref DOC-EXAMPLE-BUCKET
    PolicyDocument:
      Statement:
        - Action:
            - 's3:GetObject'
          Effect: Allow
          Resource: !Join
            - ''
            - - 'arn:aws:s3:::'
              - !Ref DOC-EXAMPLE-BUCKET
              - /*
          Principal: '*'
          Condition:
            StringLike:
              'aws:Referer':
                - 'http://www.example.com/*'
                - 'http://example.net/*'

and you change the principal to an ARN...

SampleBucketPolicy:
  Type: 'AWS::S3::BucketPolicy'
  Properties:
    Bucket: !Ref DOC-EXAMPLE-BUCKET
    PolicyDocument:
      Statement:
        - Action:
            - 's3:GetObject'
          Effect: Allow
          Resource: !Join
            - ''
            - - 'arn:aws:s3:::'
              - !Ref DOC-EXAMPLE-BUCKET
              - /*
          Principal: 'arn:aws:iam::account:role/my-ec2-instance-profile'
          Condition:
            StringLike:
              'aws:Referer':
                - 'http://www.example.com/*'
                - 'http://example.net/*'

This code would pass CloudFormation "verify" but would fail to actually deploy a stack. This is an extremely hard-to-debug error.

I understand that other service documentation uses the "shorter" form and says they are equivalent, but when I opened this issue they were not equivalent with CloudFormation.
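The failure mode discussed in this thread can be caught before deployment with a small policy lint. The following is an added example (not code from the PR, the repository, or AWS): it encodes the rule that a bare-string Principal is only valid as the wildcard "*", flags a statement whose string Principal is an ARN, and rewrites it into the `{"AWS": "<arn>"}` form. The sample statement is constructed to mirror the thread's bucket policy and reuses its `account` placeholder.

```python
"""Lint the Principal element of IAM / S3 bucket-policy statements.

Added example. Rule encoded: when Principal is a plain string, only "*"
is valid; a specific principal (e.g. a role ARN) must be nested under a
provider key such as {"AWS": "<arn>"}.
"""

# Provider keys accepted inside a Principal object.
PROVIDER_KEYS = {"AWS", "Service", "Federated", "CanonicalUser"}


def principal_findings(statement):
    """Return a list of problems with the statement's Principal (empty if fine)."""
    findings = []
    principal = statement.get("Principal")
    if principal is None:
        return findings  # no Principal element: nothing for this check to inspect
    if isinstance(principal, str):
        if principal != "*":
            findings.append(
                f'Principal "{principal}" is a bare string; only "*" is valid here. '
                f'Use {{"AWS": "{principal}"}} instead.'
            )
    elif isinstance(principal, dict):
        unknown = set(principal) - PROVIDER_KEYS
        if unknown:
            findings.append(f"unknown Principal provider key(s): {sorted(unknown)}")
    else:
        findings.append(f"Principal has unsupported type {type(principal).__name__}")
    return findings


def normalize_principal(statement):
    """Return a copy of the statement with a bare-string ARN Principal wrapped as {"AWS": arn}."""
    fixed = dict(statement)
    principal = fixed.get("Principal")
    if isinstance(principal, str) and principal != "*":
        fixed["Principal"] = {"AWS": principal}
    return fixed


# Constructed sample mirroring the thread's second (broken) policy.
SAMPLE_STATEMENT = {
    "Effect": "Allow",
    "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
    "Principal": "arn:aws:iam::account:role/my-ec2-instance-profile",
    "Condition": {"StringLike": {"aws:Referer": ["http://www.example.com/*"]}},
}

if __name__ == "__main__":
    for finding in principal_findings(SAMPLE_STATEMENT):
        print("finding:", finding)
    print("fixed Principal:", normalize_principal(SAMPLE_STATEMENT)["Principal"])
```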
