
iam: role arn parsed incorrectly  #26175

@phch

Describe the bug

I am using the following code to grant index read/write from an imported role to an imported domain.
The role that I am using follows the structure: arn:aws:iam::<account>:role/<project-name>/<role-name>
When I use the following piece of CDK code, it fails, saying it cannot find the role called <project-name>.

It seems like it's incorrectly parsing out the role for this policy.

Example of the TypeScript CDK code:

import { Role } from 'aws-cdk-lib/aws-iam';
import { Domain } from 'aws-cdk-lib/aws-opensearchservice';
// Import the existing domain and role, then grant the imported role index access.
const domain = Domain.fromDomainAttributes(node, 'imported-opensearch-domain', this.domainAttributes);
const lambdaFunctionRole = Role.fromRoleArn(node, 'imported-role', node.attrArn);
domain.grantIndexReadWrite('my-index', lambdaFunctionRole);

Example of the synthesized CloudFormation:

  "MySamplePolicy": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "es:ESHttpDelete",
        "es:ESHttpGet",
        "es:ESHttpHead",
        "es:ESHttpPatch",
        "es:ESHttpPost",
        "es:ESHttpPut"
       ],
       "Effect": "Allow",
       "Resource": [
        "arn:aws:es:us-east-1:<account>:domain/<domain>/<index>",
        "arn:aws:es:us-east-1:<account>:domain/<domain>/<index>/*"
       ]
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "MySamplePolicy",
    "Roles": [
     {
      "Fn::Select": [
       1,
       {
        "Fn::Split": [
         "/",
         {
          "Fn::Select": [
           5,
           {
            "Fn::Split": [
             ":",
             {
              "Fn::GetAtt": [
               "CustomResourcesRole",
               "Arn"
              ]
             }
            ]
           }
          ]
         }
        ]
       }
      ]
     }
    ]
   }
  },

Expected Behavior

It should grant the role access to this domain correctly, granting access to the full role ARN.

Current Behavior

However, due to some behind-the-scenes logic it splits the ARN incorrectly.

Original - arn:aws:iam::<account>:role/<project-name>/<role-name>
Split on ':', Select 5th element - role/<project-name>/<role-name>
Split on '/', Select 1st element - <project-name>
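To make the failure mode above concrete, here is an added example (not code from this issue or from the aws-cdk project) that reproduces the Fn::Split / Fn::Select chain from the synthesized policy in plain TypeScript and contrasts it with a path-aware extraction. The function names are hypothetical and the sample ARNs, including the account id, are constructed; CloudFormation performs the same string splitting at deploy time on the resolved ARN.

```typescript
// Added example (not code from the issue or from the aws-cdk project).
// Reproduces, in plain TypeScript, the Fn::Split / Fn::Select chain from the
// synthesized AWS::IAM::Policy and contrasts it with a path-aware extraction.
// Function names are hypothetical; sample ARNs are constructed.

// Mirrors the template: Select 5 of Split(':'), then Select 1 of Split('/').
// For a path-less role this yields the role name; for a role with a path it
// yields the first path segment instead.
function roleNameFromSplitSelect(roleArn: string): string {
  const resource = roleArn.split(':')[5]; // e.g. "role/<project-name>/<role-name>"
  return resource.split('/')[1];
}

// Path-aware extraction: an IAM role's name is always the last '/'-separated
// segment of the resource part; everything between "role/" and the name is the path.
function roleNamePathAware(roleArn: string): string {
  const parts = roleArn.split(':');
  if (parts.length !== 6 || parts[2] !== 'iam') {
    throw new Error(`not an IAM ARN: ${roleArn}`);
  }
  const segments = parts[5].split('/');
  if (segments[0] !== 'role' || segments.length < 2 || segments[segments.length - 1] === '') {
    throw new Error(`not an IAM role ARN: ${roleArn}`);
  }
  return segments[segments.length - 1];
}

// The role's path as IAM reports it: "/" when absent, "/<a>/<b>/" otherwise.
function rolePath(roleArn: string): string {
  roleNamePathAware(roleArn); // validates the ARN shape, throws otherwise
  const segments = roleArn.split(':')[5].split('/');
  const pathSegments = segments.slice(1, -1);
  return pathSegments.length === 0 ? '/' : `/${pathSegments.join('/')}/`;
}

// Synth-time check: returns the ARNs for which the two extractions disagree,
// i.e. the ones where the Split/Select chain would name a role that does not
// exist (or, if the path segment happens to match another role, the wrong one).
function findMisparsedRoleArns(roleArns: string[]): string[] {
  return roleArns.filter((arn) => roleNameFromSplitSelect(arn) !== roleNamePathAware(arn));
}

// Constructed sample ARNs (fake account id).
const sampleRoleArns = [
  'arn:aws:iam::123456789012:role/role-name',                   // no path
  'arn:aws:iam::123456789012:role/project-name/role-name',      // one path segment
  'arn:aws:iam::123456789012:role/team/project-name/role-name', // nested path
];

for (const arn of sampleRoleArns) {
  console.log(
    `${arn}\n  split/select -> ${roleNameFromSplitSelect(arn)}` +
    `\n  path-aware   -> ${roleNamePathAware(arn)} (path ${rolePath(arn)})`,
  );
}
```

Running the script prints `project-name` and `team` from the split/select chain for the two path ARNs, while the path-aware function returns `role-name` for all three. A check like `findMisparsedRoleArns` over the role ARNs a stack imports is a cheap way to catch this class of template before deploy, since the `Roles` property of `AWS::IAM::Policy` expects role names, not ARNs.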

Reproduction Steps

const domain = Domain.fromDomainAttributes(node, 'imported-opensearch-domain', this.domainAttributes);
const lambdaFunctionRole = Role.fromRoleArn(node, 'imported-role', node.attrArn);
domain.grantIndexReadWrite('my-index', lambdaFunctionRole);

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.83.1 (build 006b542)

Framework Version

No response

Node.js Version

v18.0.0

OS

macOS 13.4 Ventura

Language

TypeScript

Language Version

No response

Other information

No response

Labels

@aws-cdk/aws-iam (Related to AWS Identity and Access Management)
bug (This issue is a bug.)
effort/small (Small work item, less than a day of effort)
p1
wontfix (We have determined that we will not resolve the issue.)
