Closed allquixotic closed 2 years ago
Looks like, per https://github.com/aws-samples/aws-sso-extensions-for-enterprise/blob/main/lib/payload-schema-definitions/PermissionSet-createUpdateS3.json, NotAction and NotResource are disallowed (Why?! AWS SSO allows them just fine when uploading manually?).
Action and Resource have to be arrays. OK -- picky, but easy fix.
sessionDurationInMinutes has to be a string. OK -- picky, but easy fix.
Not allowing NotAction and NotResource is a showstopper here though.
@allquixotic , agree 100% on this. I was being a bit too careful with the schema validation here. Will fix the schema definitions to align with what SSO admin API allows.
@allquixotic , the solution through #89 now aligns completely with the permission set schema supported by AWS SSO except for sessionDurationinMinutes still requiring to be a string and not a number.
Do let us know if this fixed the issues you are seeing, Leela
One additional problem I'm hitting is that inlinePolicyDocument is required, but specifying it as just {} (an empty JSON object) fails schema validation because it doesn't have a statement, etc. It also doesn't appear to like a Statement: [] with zero entries.
So what if I want to create a permission set that only has managed AWS policies, and no custom inline policy document?
@allquixotic , with the updated schema validation for permission sets (s3/api interface) in #89 , this issue would be resolved as well. I just validated creating Security-Auditor PS from the samples using S3 interface and #89 and can confirm that the permission set has been successfully created.
To conclude, the scenario you require should work once v3.1.5 is merged, do let us know if you see any issues with the use case on v3.1.5.
Thank you, Leela
Cool, okay! In that case, I will deploy your branch and test it out to see if this does work. Thank you.
When I upload this permission set to S3 as "permission_sets/Foo.json", I receive an email from SNS.
First, here's the permission set (and yes, the total character length is well below 10240 characters):
The errors:
When I manually submit the inline policy to the AWS SSO console, it works, so this is a limitation of SSO Extensions. Seems really restrictive not to permit NotAction, NotResource!
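The two complaints in this thread (Action/Resource must be arrays and sessionDurationInMinutes must be a string; NotAction/NotResource rejected before #89) amount to a pre-upload normalisation step. The following is an added example, not code from the aws-sso-extensions-for-enterprise project: it rewrites a permission-set payload into the shape the S3/API schema accepts (arrays are valid either way, so wrapping scalars is harmless) and, with allow_negated=False, flags the NotAction/NotResource use the old schema refused. The SAMPLE document is constructed; the reporter's own permission set is not reproduced on the page.

```python
from copy import deepcopy

# Statement elements the extension's schema wants as arrays (the thread notes
# Action and Resource must be arrays, although IAM also accepts a single string).
ARRAY_ELEMENTS = ("Action", "NotAction", "Resource", "NotResource")
NEGATED_ELEMENTS = ("NotAction", "NotResource")


def normalize_permission_set(ps, allow_negated=True):
    """Return (normalized_copy, problems) for a permission-set payload.

    sessionDurationInMinutes becomes a string, Statement becomes a list and
    scalar Action/Resource values are wrapped in a list.  allow_negated=False
    mirrors the pre-#89 schema and reports NotAction/NotResource as problems.
    """
    out = deepcopy(ps)
    problems = []
    dur = out.get("sessionDurationInMinutes")
    if dur is not None and not isinstance(dur, str):
        out["sessionDurationInMinutes"] = str(dur)
    doc = out.get("inlinePolicyDocument")
    if isinstance(doc, dict) and "Statement" in doc:
        stmts = doc["Statement"]
        if isinstance(stmts, dict):  # IAM allows a single statement object
            stmts = [stmts]
        for i, stmt in enumerate(stmts):
            for key in ARRAY_ELEMENTS:
                if isinstance(stmt.get(key), str):
                    stmt[key] = [stmt[key]]
            for key in NEGATED_ELEMENTS:
                if key in stmt and not allow_negated:
                    problems.append(f"Statement[{i}] uses {key}, rejected by the pre-#89 schema")
        doc["Statement"] = stmts
    return out, problems


# Constructed sample; the permission set the reporter uploaded is not on the page.
SAMPLE = {
    "sessionDurationInMinutes": 120,
    "inlinePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "NotResource": "arn:aws:s3:::secret-bucket/*",
        },
    },
}

if __name__ == "__main__":
    print(normalize_permission_set(SAMPLE, allow_negated=False))
```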