Closed wbertore closed 5 months ago
Hi @wbertore , Thanks for reaching out. It is highly suggested to use the latest CDK version. Neverthelss, Looks like with the latest cdk version 2.139 and with cdk 2.77, I am able to successfully synth and deploy the code with external user policy created .
export class GrantPublishStack extends cdk.Stack {
public readonly mytopic : ITopic;
constructor(scope: Construct, id: string, props?: cdk.StackProps) {
super(scope, id, props);
this.mytopic = new Topic(this, 'MyTopic', {
displayName: 'MyTopic',
});
this.mytopic.grantPublish(User.fromUserArn(this, 'OtherExternaluser', 'arn:aws:iam::55**********:user/admin'));
}
}
This is the synth template which has the policy for the external user mentioned in the code -
{
"Resources": {
"MyTopic86869434": {
"Type": "AWS::SNS::Topic",
"Properties": {
"DisplayName": "MyTopic"
},
"Metadata": {
"aws:cdk:path": "GrantPublishStack/MyTopic/Resource"
}
},
"OtherExternaluserPolicyCD96E322": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "sns:Publish",
"Effect": "Allow",
"Resource": {
"Ref": "MyTopic86869434"
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "OtherExternaluserPolicyCD96E322",
"Users": [
"admin"
]
},
"Metadata": {
"aws:cdk:path": "GrantPublishStack/OtherExternaluser/Policy/Resource"
}
},
"CDKMetadata": {
"Type": "AWS::CDK::Metadata",
"Properties": {
"Analytics": "v2:deflate64:H4sIAAAAAAAA/03IPQ7CMAxA4bN0TwwpC8y9ACrdUXCC5P7YqE5BKMrdoXRhep9eDe5wgn3lX2oxDHakG+RL8jiY77pmZYXcyYPQNHf+oRjyE+SzjITv9W4qxbRRZZkxrvPfjXCgRMLFsIQIve6e7giuBlf1SmTnhRNNEdqtH+S0s/2VAAAA"
},
"Metadata": {
"aws:cdk:path": "GrantPublishStack/CDKMetadata/Default"
},
"Condition": "CDKMetadataAvailable"
}
},
Snippet for the successful deployment with CDK 2.77 -
However I see some policy missing in the console, despite being successful. Diving deep to get to the root cause of what could be going wrong.
This is because iam.User.fromUserArn()
does not return the principalAccount
correctly.
PoC
export class DummyStack extends Stack {
constructor(scope: Construct, id: string, props: StackProps) {
super(scope, id, props);
const externalIamUser = 'arn:aws:iam::123456789012:user/OthersExternalIamUser';
const externalIamRole = 'arn:aws:iam::123456789012:role/OthersExternalIamUser';
const granteeUser = iam.User.fromUserArn(this, 'OthersExternalIamUser', externalIamUser)
const granteeRole = iam.Role.fromRoleArn(this, 'OthersExternalIamRole', externalIamRole)
new CfnOutput(this, 'principalAccountUser', { value: granteeUser.grantPrincipal.principalAccount! })
new CfnOutput(this, 'principalAccountRole', { value: granteeRole.grantPrincipal.principalAccount! })
}
}
Outputs:
dummy-stack2.principalAccountRole = 123456789012
dummy-stack2.principalAccountUser =
see the different implementation between fromUserArn() and fromRoleArn().
We are getting the pricipal account with the Aws.ACCOUNT_ID which presumes always the same account and that is the root cause of this bug.
Making this a p1 bug.
By the way, it's generally not recommended using IAM user like that but IAM role is always recommended. While this is a bug we need to fix, is there any reason you have to use iam.User rather than iam.Role?
Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.
Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.
Describe the bug
When creating an external iam user such as with
User.fromArn(...)
and adding it to a topic resource policy withgrantPublish
, the underlying constructs will create an identity policy assuming the iam user exists already in the stack.This fails on cloudformation deployment.
Expected Behavior
It should create a resource policy on the SNS Topic and skip the identity policy if the grantee is from an external aws account.
Current Behavior
Topic.grantPublish, Grant.addToPrincipleOrResource, and User.addtoPrinciplePolicy will create a policy for the iam user, assuming it is part of the stack's aws account.
This fails on cloudformation deployment.
Reproduction Steps
Make a test app and stack:
synthesize the stack:
see cloudformation output:
Notice that CDK generates a Policy that references a user that doesn't exist in the cloudformation stack.
Possible Solution
Add intelligence to the grantPublish procedure or underlying calls in Grant or User to compare the stack aws account against the user aws account to skip the identity policy creation.
Additional Information/Context
I am using an internal version of cdk for my company and cannot upgrade to the latest due to company library dependencies. It's possible this is fixed in the latest version (but unlikely after reading the source code and revision history in aws-cdk).
CDK CLI Version
2.77.0
Framework Version
No response
Node.js Version
18
OS
MacOS Sonoma 14.4.1
Language
TypeScript
Language Version
5.0.4
Other information
No response