IAM Role / Trust-relationships -trustpolicy required for access-grants-s3 cannot be created with CDK #33690

Open
ttais2017 opened this issue Mar 5, 2025 · 2 comments
Labels: @aws-cdk/aws-iam (Related to AWS Identity and Access Management), bug (This issue is a bug.), cause/not-a-bug (Not a bug; might still be a documentation issue, might still need work), p3

Comments

@ttais2017

Describe the bug

Trying to create a trust policy for a given role, like this:

[Image]

cannot be done with CDK.

Last Known Working CDK Version

CDK Version: 2.1002.0 (build 09ef5a0)

Expected Behavior

The trust policy for a given role will contain the given statements.

[Image]

Current Behavior

The trust policy will not be included in the role.

Reproduction Steps

Try this code:

    let servicePrincipal = new iam.ServicePrincipal('access-grants.s3.amazonaws.com');
    servicePrincipal.addToAssumeRolePolicy(trustPolicy);
    servicePrincipal.addToPolicy(new iam.PolicyStatement({
      sid: 'AccessGrantsTrustPolicy',
      effect: iam.Effect.ALLOW,
      principals: [new iam.ServicePrincipal('access-grants.s3.amazonaws.com')],
      actions: ['sts:AssumeRole', 'sts:SetSourceIdentity'],
      conditions: {
        StringEquals: {
          'aws:SourceAccount': '9xxx2',
          'aws:SourceArn': 'arn:aws:s3:eu-central-1:9xxx2:access-grants/default',
        },
      },
    }));

    this.context.properties.accessGrantsRole = new iam.Role(this, this.id4res('AccessGrantsRole'), {
      assumedBy: servicePrincipal,
      inlinePolicies: {
        'AccessGrantsPolicy': accessGrantsPolicy,
      },
    });

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

CDK Version: 2.1002.0 (build 09ef5a0)

Framework Version

No response

Node.js Version

Node.js v22.12.0

OS

Win11

Language

TypeScript

Language Version

No response

Other information

No response

@ttais2017 ttais2017 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 5, 2025
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Mar 5, 2025
@ttais2017 ttais2017 changed the title IAM Role / Trust-relationships -trustpolicy required for access-frants-s3 cannot be created with CDK IAM Role / Trust-relationships -trustpolicy required for access-grants-s3 cannot be created with CDK Mar 5, 2025
pahud (Contributor) commented Mar 5, 2025

Hi @ttais2017,

Thanks for reporting this issue! I've reviewed the code and identified the cause of the problem.

Issue Analysis

The issue is with how you're attempting to create the trust policy for your IAM role. The code pattern you're using doesn't match how trust policies are established in the CDK.

In your code:

    let servicePrincipal = new iam.ServicePrincipal('access-grants.s3.amazonaws.com');
    servicePrincipal.addToAssumeRolePolicy(trustPolicy);  // This method doesn't exist on ServicePrincipal
    servicePrincipal.addToPolicy(new iam.PolicyStatement({...}));  // Also incorrect

The addToAssumeRolePolicy and addToPolicy methods are being called on the ServicePrincipal, but these methods don't exist on that class; this is why your trust policy isn't being generated correctly.

Solution

Here's the correct way to create a role with the trust policy you need for S3 Access Grants:

    // Create a service principal with conditions
    const servicePrincipal = new iam.ServicePrincipal('access-grants.s3.amazonaws.com', {
      conditions: {
        StringEquals: {
          'aws:SourceAccount': '9xxx2',
          'aws:SourceArn': 'arn:aws:s3:eu-central-1:9xxx2:access-grants/default',
        },
      }
    });

    // Create the role with the principal
    const accessGrantsRole = new iam.Role(this, this.id4res('AccessGrantsRole'), {
      assumedBy: servicePrincipal,
      inlinePolicies: {
        'AccessGrantsPolicy': accessGrantsPolicy,
      },
    });

If you specifically need to include sts:SetSourceIdentity in the trust policy, you can use this approach instead:

    // Create a service principal
    const servicePrincipal = new iam.ServicePrincipal('access-grants.s3.amazonaws.com');

    // Create the role first
    const accessGrantsRole = new iam.Role(this, this.id4res('AccessGrantsRole'), {
      assumedBy: servicePrincipal,
      inlinePolicies: {
        'AccessGrantsPolicy': accessGrantsPolicy,
      },
    });

    // Then customize the assume role policy
    const statement = new iam.PolicyStatement({
      actions: ['sts:AssumeRole', 'sts:SetSourceIdentity'],
      principals: [servicePrincipal],
      conditions: {
        StringEquals: {
          'aws:SourceAccount': '9xxx2',
          'aws:SourceArn': 'arn:aws:s3:eu-central-1:9xxx2:access-grants/default',
        },
      },
    });

    // Add the statement to the assume role policy
    accessGrantsRole.assumeRolePolicy?.addStatements(statement);

I hope this helps solve your issue! Let me know if you have any questions.
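The trust policy the thread arrives at is only as safe as its `aws:SourceAccount` / `aws:SourceArn` conditions: a service principal trusted without them can be driven by any other customer's use of that service (the classic confused-deputy problem). The check below is an added example, not code from this issue or from the aws-cdk project. It walks a synthesized CloudFormation template (the kind `cdk synth` emits) and reports every IAM role whose trust policy lets a service principal assume it with neither source condition, so the result of the fix above can be asserted in a unit test or a pre-deploy policy check. The template, its logical IDs, and the account/ARN values are constructed for the example.

```typescript
// Added example (not from the issue or aws-cdk): flag trust-policy statements
// that let a *service* principal assume a role without aws:SourceAccount or
// aws:SourceArn. Works on plain CloudFormation JSON, so no aws-cdk-lib needed.

type Statement = {
  Sid?: string;
  Effect: 'Allow' | 'Deny';
  Principal?: { Service?: string | string[]; AWS?: string | string[] };
  Action: string | string[];
  // operator -> { conditionKey -> value(s) }, e.g. { StringEquals: { 'aws:SourceArn': '...' } }
  Condition?: Record<string, Record<string, string | string[]>>;
};

type Template = {
  Resources: Record<string, {
    Type: string;
    Properties?: { AssumeRolePolicyDocument?: { Statement: Statement[] } };
  }>;
};

interface Finding { roleId: string; sid: string; reason: string }

// AWS guidance is to scope service principals with at least one of these keys.
const SOURCE_KEYS = ['aws:sourceaccount', 'aws:sourcearn'];

function asList<T>(v: T | T[] | undefined): T[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

/** One finding per Allow statement that trusts a service principal with no source condition. */
function findUnscopedServiceTrust(template: Template): Finding[] {
  const findings: Finding[] = [];
  for (const [roleId, res] of Object.entries(template.Resources)) {
    if (res.Type !== 'AWS::IAM::Role') continue;
    const statements = res.Properties?.AssumeRolePolicyDocument?.Statement ?? [];
    statements.forEach((st, i) => {
      // Only service principals are in scope; account/user principals are a different review.
      if (st.Effect !== 'Allow' || asList(st.Principal?.Service).length === 0) return;
      const keys = new Set<string>();
      for (const block of Object.values(st.Condition ?? {})) {
        // Condition keys are case-insensitive in IAM, so normalise before comparing.
        for (const k of Object.keys(block)) keys.add(k.toLowerCase());
      }
      if (!SOURCE_KEYS.some(k => keys.has(k))) {
        findings.push({
          roleId,
          sid: st.Sid ?? `statement[${i}]`,
          reason: 'service principal trusted without aws:SourceAccount or aws:SourceArn',
        });
      }
    });
  }
  return findings;
}

// Constructed template: one role shaped like the fixed one in the thread, one
// role that trusts the same service with no conditions, one account principal.
const SAMPLE_TEMPLATE: Template = {
  Resources: {
    AccessGrantsRole: {
      Type: 'AWS::IAM::Role',
      Properties: {
        AssumeRolePolicyDocument: {
          Statement: [{
            Sid: 'AccessGrantsTrustPolicy',
            Effect: 'Allow',
            Principal: { Service: 'access-grants.s3.amazonaws.com' },
            Action: ['sts:AssumeRole', 'sts:SetSourceIdentity'],
            Condition: { StringEquals: {
              'aws:SourceAccount': '111122223333',   // constructed value
              'aws:SourceArn': 'arn:aws:s3:eu-central-1:111122223333:access-grants/default',
            } },
          }],
        },
      },
    },
    UnscopedRole: {
      Type: 'AWS::IAM::Role',
      Properties: {
        AssumeRolePolicyDocument: {
          Statement: [{
            Effect: 'Allow',
            Principal: { Service: 'access-grants.s3.amazonaws.com' },
            Action: 'sts:AssumeRole',
          }],
        },
      },
    },
    CrossAccountRole: {
      Type: 'AWS::IAM::Role',
      Properties: {
        AssumeRolePolicyDocument: {
          Statement: [{
            Effect: 'Allow',
            Principal: { AWS: 'arn:aws:iam::444455556666:root' },  // constructed value
            Action: 'sts:AssumeRole',
          }],
        },
      },
    },
  },
};

// Usage: read the synthesized template (e.g. cdk.out/<stack>.template.json) and fail the build on findings.
const findings = findUnscopedServiceTrust(SAMPLE_TEMPLATE);
console.log(findings);  // [{ roleId: 'UnscopedRole', sid: 'statement[0]', reason: '...' }]
```

Run it against the JSON under `cdk.out/` after `cdk synth`: the role built with the conditioned `ServicePrincipal` (or the appended `PolicyStatement`) produces no finding, while the same service trusted without conditions does. Condition keys are compared case-insensitively because IAM treats them that way, and any operator (`StringEquals`, `ArnLike`, ...) counts as long as one of the two source keys is present.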

@pahud pahud added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. p3 cause/not-a-bug Not a bug (might still be a documentation issue, might still need work) and removed needs-triage This issue or PR still needs to be triaged. labels Mar 5, 2025
ttais2017 (Author) commented

Dear Pahud,
Thanks a lot for your suggestions. Now my code works. I have to say, it was a bit tricky. ; )

Sometimes it's hard to get such kinds of policies right, taking into account that the IDE also shows those methods as available:

    let servicePrincipal = new iam.ServicePrincipal('access-grants.s3.amazonaws.com');
    servicePrincipal.addToAssumeRolePolicy(trustPolicy); // This method doesn't exist on ServicePrincipal
    servicePrincipal.addToPolicy(new iam.PolicyStatement({...})); // Also incorrect

which do not exist.

This ticket can be closed! Thanks also for your time.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Mar 6, 2025