
iam.Role: condition parameter missing. #31067

Closed
1 of 2 tasks
angelosantos4 opened this issue Aug 8, 2024 · 2 comments
Assignees
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. feature-request A feature should be added or improved. p3 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments


angelosantos4 commented Aug 8, 2024

Describe the feature

I noticed that the trust policy for IAM roles may have a field for `Conditions: [...conditions]` that can be applied directly to the trust policy. I understand that there is an interface to this through the `external_id` field, which adds a condition of the form:

```
'StringEquals', {
  'sts:ExternalId':
}
```

However, there is no other point within the module to interface with the conditions. The statements on the `assumeRolePolicy` are private, so we cannot do:

```python
role = iam.Role(...params)
role.assumeRolePolicy.statements[0].addCondition(customCondition)
```

I would like a feature that exposes a field called `customConditions` or `additionalConditions` that takes in `Record<string, Record<string, string | string[]>>`, or a list of conditions that are typed somehow, that can be added to the `assumeRolePolicy`.

Alternatively, an interface for addCondition can be exposed to the role itself to interface with the assumeRolePolicy statements to add a condition to each?

I am not too certain on whether omitting this capability is intentional, but I think there is value to providing the capabilities that the AWS UI has.

Use Case

I would like my role's trust policy to include:

```json
"Statement": [
  {
    "Condition": {
      "StringLike": {
        "aws:PrincipalArn": [
          "arn:aws:iam::<aws-account-id>:role/prefix-*"
        ]
      }
    }
  }
]
```

Proposed Solution

As mentioned in the feature request, a parameter to the constructor that takes condition-like snippets, or the direct parameters to `statement.addCondition(conditionParams)`, would suffice. A decision would have to be made on whether these conditions are applied to all statements within the `assumeRolePolicy`.

Alternatively, we can have a public method `addConditionToPolicy(conditionParams)` that applies the condition to the statements within the policy.

Other Information

I understand that there are alternate ways of having a `StringLike` condition on different role names, so I am not looking for an alternative solution to this particular condition:

```json
"Statement": [
  {
    "Condition": {
      "StringLike": {
        "aws:PrincipalArn": [
          "arn:aws:iam::<aws-account-id>:role/prefix-*"
        ]
      }
    }
  }
]
```

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

latest

Environment details (OS name and version, etc.)

linux

@angelosantos4 angelosantos4 added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Aug 8, 2024
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Aug 8, 2024
@ashishdhingra ashishdhingra self-assigned this Aug 9, 2024
@ashishdhingra ashishdhingra added p2 investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels Aug 9, 2024
@ashishdhingra (Contributor) commented:

@angelosantos4 Good afternoon. Thanks for opening the issue. Could you please demonstrate your use case with a code example? Based on the information provided in the issue, I'm assuming you need `PrincipalWithConditions`. Please check if it works for you.

Thanks,
Ashish
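The suggestion above attaches conditions per principal, whereas the issue asks for one condition set applied to every assume-role statement. The block below is an added illustration, not aws-cdk-lib code: it models that merge in plain TypeScript (all type and function names are hypothetical, the account ID and external ID are constructed samples) and includes the review check a reader would run on the synthesized trust policy, namely that every Allow statement still carries the `aws:PrincipalArn` restriction and that an existing `sts:ExternalId` condition survives the merge.

```typescript
// Added example, not aws-cdk-lib code: a stand-alone model of the trust-policy JSON
// that the requested "conditions on every assume-role statement" feature would emit.
// Types and function names are hypothetical; the CDK's own types differ.
type ConditionBlock = Record<string, Record<string, string | string[]>>;
interface TrustStatement {
  Effect: "Allow" | "Deny";
  Principal: Record<string, string | string[]>;
  Action: string | string[];
  Condition?: ConditionBlock;
}
interface TrustPolicy { Version: "2012-10-17"; Statement: TrustStatement[] }

// Merge operator by operator, so the StringEquals on sts:ExternalId that the
// external_id parameter emits survives when a StringLike block is added.
function mergeConditions(base: ConditionBlock | undefined, extra: ConditionBlock): ConditionBlock {
  const merged: ConditionBlock = {};
  const blocks: ConditionBlock[] = [base ?? {}, extra];
  for (const block of blocks) {
    for (const [operator, keys] of Object.entries(block)) {
      merged[operator] = { ...(merged[operator] ?? {}), ...keys };
    }
  }
  return merged;
}

// The behaviour the issue proposes: one condition set applied to every statement.
function addConditionsToTrustPolicy(doc: TrustPolicy, extra: ConditionBlock): TrustPolicy {
  return {
    Version: doc.Version,
    Statement: doc.Statement.map((s) => ({ ...s, Condition: mergeConditions(s.Condition, extra) })),
  };
}

// Review check on the synthesized document: every Allow statement pins the caller's ARN.
function allAllowsRestrictPrincipalArn(doc: TrustPolicy): boolean {
  return doc.Statement.every((s) => s.Effect !== "Allow" || s.Condition?.StringLike?.["aws:PrincipalArn"] !== undefined);
}

// Constructed sample: a cross-account trust guarded only by an external ID.
const baseTrust: TrustPolicy = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Principal: { AWS: "arn:aws:iam::111122223333:root" },
    Action: "sts:AssumeRole",
    Condition: { StringEquals: { "sts:ExternalId": "example-external-id" } },
  }],
};
const guardedTrust = addConditionsToTrustPolicy(baseTrust, {
  StringLike: { "aws:PrincipalArn": ["arn:aws:iam::111122223333:role/prefix-*"] },
});
```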

@ashishdhingra ashishdhingra added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. p3 and removed p2 investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Aug 12, 2024

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added closing-soon This issue will automatically close in 4 days unless further comments are made. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Aug 15, 2024