
stepfunctions-tasks: mediapackagevod service generates wrong action in role policy #28774

Closed
orekav opened this issue Jan 19, 2024 · 2 comments · Fixed by #28775
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management @aws-cdk/aws-stepfunctions-tasks bug This issue is a bug. effort/medium Medium work item – several days of effort p2

Comments

@orekav
Contributor

orekav commented Jan 19, 2024

Describe the bug

The following code properly creates a step in Step Functions:

new sfn_tasks.CallAwsService(stack, 'DeleteMediaPackageVoDAsset', {
  service: 'mediapackagevod',
  action: 'deleteAsset',
  resultPath: sfn.JsonPath.DISCARD,
  iamResources: ['*'],
});

However, it creates a wrong statement in the role policy:

        {
            "Action": "mediapackagevod:deleteAsset",
            "Resource": "*",
            "Effect": "Allow"
        }

The correct service prefix for MediaPackageVoD is mediapackage-vod.
https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediapackagevod.html

This issue is similar to #27573 and #28081.

Expected Behavior

Action should be mediapackage-vod:deleteAsset

Current Behavior

Action is mediapackagevod:deleteAsset

Reproduction Steps

Sample code for reproduction is below:

import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import {
  aws_stepfunctions as sfn,
  aws_stepfunctions_tasks as sfn_tasks,
} from 'aws-cdk-lib';

export class SfnMediaPackageVoDStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Task that calls the MediaPackage VOD DeleteAsset API; the construct
    // scope is this stack, so `this` is passed rather than an outer `stack`.
    const deleteAsset = new sfn_tasks.CallAwsService(this, 'DeleteMediaPackageVoDAsset', {
      service: 'mediapackagevod',
      action: 'deleteAsset',
      resultPath: sfn.JsonPath.DISCARD,
      iamResources: ['*'],
    });

    // Synthesizing this state machine produces the role policy statement shown above.
    new sfn.StateMachine(this, 'SimpleStateMachine', {
      definitionBody: sfn.DefinitionBody.fromChainable(deleteAsset),
    });
  }
}

Possible Solution

aws-cdk/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/aws-sdk/call-aws-service.ts

Additional Information/Context

No response

CDK CLI Version

2.122.0

Framework Version

No response

Node.js Version

v18.19.0

OS

MacOS

Language

TypeScript

Language Version

No response

Other information

No response

@orekav orekav added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 19, 2024
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Jan 19, 2024
@orekav orekav changed the title (module name): (short issue description) stepfunctions-tasks: mediapackagevod service generates wrong action in role policy Jan 19, 2024
@pahud
Contributor

pahud commented Jan 19, 2024

Thank you for the report and pull request.

@pahud pahud added p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Jan 19, 2024
@mergify mergify bot closed this as completed in #28775 Jan 31, 2024
mergify bot pushed a commit that referenced this issue Jan 31, 2024
…ion in role policy (#28775)

When we use CallAwsService for a Step Functions task, CDK generates an IAM policy to grant permission for the API call. However, if we specify `mediapackagevod` as the service in CallAwsService, CDK generates a wrong policy statement such as `mediapackagevod:deleteAsset`. The correct service prefix for MediaPackageVOD is `mediapackage-vod`.

https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediapackagevod.html

> Amazon MediaPackageVOD (service prefix: mediapackage-vod) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

This PR solves the issue by adding mediapackagevod to iamServiceMap. This is similar to #27623 and #28082.

Closes #28774.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
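As an added example (not CDK's own code), the block below mirrors what the fix does with a service-to-prefix map and adds a check a reviewer can run over synthesized statements: an action whose prefix is not a real IAM service prefix grants nothing, so the task fails with an access-denied error at run time while the policy reads as if the call were allowed. `IAM_SERVICE_MAP` and `KNOWN_IAM_PREFIXES` are constructed subsets for this example, not CDK's real tables, and `iamActionFor` and `unknownPrefixActions` are hypothetical names.

```typescript
// Constructed subset: SDK service names whose IAM service prefix differs.
// Only the entry named in this issue is included; CDK's real map is larger.
const IAM_SERVICE_MAP: Record<string, string> = {
  mediapackagevod: "mediapackage-vod",
};

// Constructed subset of IAM service prefixes this check recognizes.
const KNOWN_IAM_PREFIXES = new Set<string>([
  "mediapackage-vod", "mediapackage", "states", "s3",
]);

interface Statement {
  Action: string | string[];
  Resource: string | string[];
  Effect: string;
}

// What CallAwsService should emit for a service/action pair: translate the
// SDK service name through the map, keep the action as the caller wrote it.
function iamActionFor(service: string, action: string): string {
  const sdkName = service.toLowerCase();
  const prefix = IAM_SERVICE_MAP[sdkName] ?? sdkName;
  return `${prefix}:${action}`;
}

// Return every action in a statement whose prefix is not a known IAM prefix.
// Such an action never matches a real API call, so the grant is silently dead.
function unknownPrefixActions(stmt: Statement): string[] {
  const actions: string[] = Array.isArray(stmt.Action) ? stmt.Action : [stmt.Action];
  return actions.filter((a) => {
    if (a === "*") return false;            // bare wildcard has no prefix to check
    const idx = a.indexOf(":");
    if (idx < 0) return true;               // malformed: not "prefix:Action"
    return !KNOWN_IAM_PREFIXES.has(a.slice(0, idx));
  });
}

// Constructed statements: the one reported in this issue, and the corrected one.
const buggy: Statement = { Action: "mediapackagevod:deleteAsset", Resource: "*", Effect: "Allow" };
const fixed: Statement = {
  Action: iamActionFor("mediapackagevod", "deleteAsset"), Resource: "*", Effect: "Allow",
};

console.log(unknownPrefixActions(buggy)); // ["mediapackagevod:deleteAsset"]
console.log(unknownPrefixActions(fixed)); // []
```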

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

SankyRed pushed a commit that referenced this issue Feb 8, 2024