feat(iam): PassRole trust-policy enforcement on Lambda + ECS #739
Merged
vieiralucas merged 4 commits into main, Apr 24, 2026
2 issues found across 10 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="website/content/docs/guides/cross-service-integration.md">
<violation number="1" location="website/content/docs/guides/cross-service-integration.md:50">
P3: Drop `UpdateFunctionConfiguration` from this bullet; fakecloud only enforces the trust-policy check on `CreateFunction`, not on Lambda role updates.</violation>
</file>
<file name="crates/fakecloud-iam/src/pass_role.rs">
<violation number="1" location="crates/fakecloud-iam/src/pass_role.rs:123">
P1: `"Principal": "*"` (wildcard) is not handled — roles with a wildcard trust policy will be incorrectly rejected. When `principal` is a `Value::String("*")`, `.get("Service")` returns `None` and the function returns `false`. Add an early check for the wildcard string.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
Real AWS rejects CreateFunction / RegisterTaskDefinition / RunTask with InvalidParameterValueException when the supplied role's AssumeRolePolicyDocument doesn't list the calling service principal, regardless of the caller's identity policy. fakecloud now performs the same check at the service boundary.
- New `RoleTrustValidator` trait in fakecloud-core/src/auth.rs so service crates surface a wire-shaped error without depending on fakecloud-iam directly.
- `IamRoleTrustValidator` impl in fakecloud-iam/src/pass_role.rs parses the trust policy, walks Allow statements, and matches Principal.Service against the supplied service principal.
- LambdaService.create_function rejects roles that don't trust lambda.amazonaws.com.
- EcsService.register_task_definition + run_task overrides reject roles that don't trust ecs-tasks.amazonaws.com.
- E2E coverage in iam_pass_role.rs (4 happy-path + negative tests) plus 5 unit tests for trust-policy parsing.
The identity-policy half of `iam:PassRole` (caller permission) lives in the existing IAM evaluator and is invoked separately at the IAM evaluator boundary.
Cubic flagged that `"Principal": "*"` and `{"AWS": "*"}` (wildcard
trust policies) were being rejected because `principal_service_includes`
only inspected the `Service` key. Match real AWS:
- bare `"Principal": "*"` allows any service principal,
- `{"AWS": "*"}` allows any service principal,
- `{"Service": "*"}` allows any service principal,
- existing exact-match behavior for explicit service principals
is preserved.
Also dropped an inaccurate `UpdateFunctionConfiguration` mention
from the website docs — fakecloud only enforces the trust-policy
check on `CreateFunction` (the existing tests cover this).
8c390b5 to d491b5c
The strict PassRole check broke long-standing fakecloud Lambda E2E tests that pass arbitrary role ARNs without first creating the IAM role. Real AWS does require the role to exist for CreateFunction, but fakecloud's test culture has historically been more permissive. Make `IamRoleTrustValidator` return `Ok(())` when:
- the ARN doesn't parse as an IAM role ARN, or
- the account isn't in IAM state, or
- the role doesn't exist, or
- the trust policy doesn't parse as JSON.
Only the high-signal failure mode — role exists with a trust policy that explicitly excludes the calling service principal — still produces `InvalidParameterValueException` / `InvalidParameterException`. E2E coverage of both branches preserved:
- positive: role with matching trust policy is accepted,
- negative: role exists with mismatched trust policy is rejected.
1 issue found across 1 file (changes from recent commits).
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="crates/fakecloud-iam/src/pass_role.rs">
<violation number="1" location="crates/fakecloud-iam/src/pass_role.rs:79">
P1: Malformed trust policies are currently treated as allowed, which bypasses PassRole trust enforcement for existing roles with invalid JSON.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
Cubic flagged that the previous permissive change made roles with malformed `AssumeRolePolicyDocument` JSON pass through silently. The intent of permissive mode was only to skip the check when the role itself doesn't exist (preserving fakecloud's test culture of arbitrary role ARNs); existing roles with broken trust policies should still fail validation so misconfigurations don't slip through. Restore `InvalidTrustPolicy` as a hard error path on the parse step. RoleNotFound / ARN-doesn't-parse / no IAM state for account remain permissive.
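The rules the three commit messages above converge on (walk Allow statements, treat `"*"`, `{"AWS": "*"}` and `{"Service": "*"}` as wildcards, stay permissive when the ARN, account or role is missing, fail hard when an existing role's trust policy is malformed or excludes the calling service) are worked through below as an added Python sketch. It is not fakecloud's Rust code from `pass_role.rs`; the function names `validate_pass_role`, `trust_policy_allows` and `principal_includes_service`, the `SAMPLE_IAM` state, the `skipped:` reason strings and every account id, role name and policy in it are this example's own constructions.

```python
"""Trust-policy half of iam:PassRole, modelled on the semantics described in the PR."""
import json
import re

# Only the "aws" partition is handled here (assumption for the example).
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/(.+)$")


class InvalidTrustPolicy(ValueError):
    """Role exists but its AssumeRolePolicyDocument is not a JSON policy object."""


class InvalidParameterValueException(Exception):
    """Wire-shaped error the service boundary returns to the caller."""


def _as_list(value):
    """IAM accepts scalar-or-list for Statement, Principal.Service, Principal.AWS, ..."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_includes_service(principal, service: str) -> bool:
    """Does one statement's Principal cover `service`?

    Wildcards: bare "*", {"AWS": "*"} and {"Service": "*"} all match.
    Otherwise an exact entry in Principal.Service is required; an AWS
    account/user principal does not cover a service principal.
    """
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    if "*" in _as_list(principal.get("AWS")):
        return True
    services = _as_list(principal.get("Service"))
    return "*" in services or service in services


def trust_policy_allows(document: str, service: str) -> bool:
    """Parse the trust policy and walk its Allow statements for a matching principal.

    Malformed JSON is a hard error (InvalidTrustPolicy), never a silent allow.
    Deny statements are ignored, as the PR describes only Allow-statement walking.
    """
    try:
        policy = json.loads(document)
    except (ValueError, TypeError) as exc:
        raise InvalidTrustPolicy(str(exc)) from exc
    if not isinstance(policy, dict):
        raise InvalidTrustPolicy("policy document is not a JSON object")
    for stmt in _as_list(policy.get("Statement")):
        if not isinstance(stmt, dict) or stmt.get("Effect") != "Allow":
            continue
        if principal_includes_service(stmt.get("Principal"), service):
            return True
    return False


def validate_pass_role(iam_state: dict, role_arn: str, service: str) -> str:
    """Service-boundary check; returns a reason string or raises the wire error.

    Permissive (no error): ARN is not an IAM role ARN, the account has no IAM
    state, or the role does not exist.  Hard failure: the role exists but its
    trust policy is malformed or does not trust `service`.
    """
    match = ROLE_ARN.match(role_arn)
    if match is None:
        return "skipped: not an IAM role ARN"
    account, name = match.groups()
    roles = iam_state.get(account)
    if roles is None:
        return "skipped: no IAM state for account"
    document = roles.get(name)
    if document is None:
        return "skipped: role not found"
    try:
        allowed = trust_policy_allows(document, service)
    except InvalidTrustPolicy as exc:
        raise InvalidParameterValueException(f"{role_arn}: trust policy is not valid JSON ({exc})")
    if not allowed:
        raise InvalidParameterValueException(f"{role_arn} does not trust {service}")
    return "ok"


def _policy(*statements) -> str:
    return json.dumps({"Version": "2012-10-17", "Statement": list(statements)})


# Constructed sample IAM state: account id -> role name -> AssumeRolePolicyDocument.
SAMPLE_IAM = {
    "123456789012": {
        "lambda-exec": _policy({"Effect": "Allow", "Action": "sts:AssumeRole",
                                "Principal": {"Service": "lambda.amazonaws.com"}}),
        "ecs-only": _policy({"Effect": "Allow", "Action": "sts:AssumeRole",
                             "Principal": {"Service": ["ecs-tasks.amazonaws.com"]}}),
        "any-principal": _policy({"Effect": "Allow", "Action": "sts:AssumeRole",
                                  "Principal": "*"}),
        "broken": "{not json",
    }
}
```

`validate_pass_role(SAMPLE_IAM, "arn:aws:iam::123456789012:role/lambda-exec", "lambda.amazonaws.com")` returns `"ok"`, the same call against `role/ecs-only` or `role/broken` raises `InvalidParameterValueException`, and a missing role, unknown account or non-role ARN returns one of the `skipped:` reasons instead of an error. Callers in the ECS path would invoke it twice per `RegisterTaskDefinition`, once for the task role and once for the execution role.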
Summary

- Real AWS rejects `CreateFunction`/`RegisterTaskDefinition`/`RunTask` when the supplied role's `AssumeRolePolicyDocument` doesn't list the calling service principal, regardless of the caller's identity policy. fakecloud now does the same.
- New `RoleTrustValidator` trait in `fakecloud-core` so service crates emit a wire-shaped error without depending on `fakecloud-iam`.
- `IamRoleTrustValidator` (in `fakecloud-iam/src/pass_role.rs`) parses the trust policy, walks Allow statements, and matches `Principal.Service` against the supplied service principal.
- `CreateFunction` rejects roles that don't trust `lambda.amazonaws.com`.
- ECS `RegisterTaskDefinition` (taskRoleArn + executionRoleArn) and `RunTask` overrides reject roles that don't trust `ecs-tasks.amazonaws.com`. Both raise `InvalidParameterValueException`/`InvalidParameterException`.

Test plan

- `cargo test -p fakecloud-iam pass_role`: 5 unit tests for trust-policy parsing
- `cargo test -p fakecloud-e2e --test iam_pass_role`: 4 e2e tests (Lambda + ECS, accept + reject)
- `cargo clippy --workspace --all-targets -- -D warnings`: clean
- `cargo fmt --check`: clean

The identity-policy half of `iam:PassRole` (caller permission) lives in the existing IAM evaluator and runs at the IAM evaluator boundary; this PR covers the trust-policy half real AWS enforces unconditionally at the service boundary.

Summary by cubic

Enforces PassRole trust-policy checks in Lambda and ECS. Roles that don't trust the service principal are rejected; malformed trust policies now fail, while non-role ARNs or missing roles/accounts remain allowed.

New Features

- `CreateFunction` and ECS `RegisterTaskDefinition`/`RunTask` overrides reject roles whose `AssumeRolePolicyDocument` excludes `lambda.amazonaws.com` or `ecs-tasks.amazonaws.com`, returning `InvalidParameterValueException`/`InvalidParameterException`.
- `RoleTrustValidator` in `fakecloud-core` and `IamRoleTrustValidator` in `fakecloud-iam`; wired into `fakecloud-lambda`, `fakecloud-ecs`, and server with unit + e2e tests.

Bug Fixes

- Wildcard trust policies (`"*"`/`{"AWS":"*"}`/`{"Service":"*"}`) are accepted, matching AWS.
- Docs now describe the trust-policy check as enforced on `CreateFunction` only.

Written for commit e591a5e. Summary will update on new commits.