Closed msaphire closed 1 month ago
Reproducible using the code below:

```typescript
import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as sfn from 'aws-cdk-lib/aws-stepfunctions';
import * as tasks from 'aws-cdk-lib/aws-stepfunctions-tasks';

export class Issue30862Stack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const callAwsServiceTask = new tasks.CallAwsService(this, 'TagEfsAccessPoint', {
      stateName: 'Tag access point',
      service: 'efs',
      action: 'tagResource',
      iamResources: ['*'],
      parameters: {
        ResourceId: sfn.JsonPath.stringAt('$.pathToArn'),
        Tags: [
          {
            Key: "MYTAGNAME",
            Value: sfn.JsonPath.stringAt('$.pathToId')
          }
        ]
      },
      resultPath: sfn.JsonPath.DISCARD
    });

    const stateMachine = new sfn.StateMachine(this, 'MyStateMachine', {
      definition: callAwsServiceTask.next(new sfn.Succeed(this, "GreetedWorld"))
    });
  }
}
```
Running `cdk synth` generates the following CloudFormation template:
```yaml
Resources:
  MyStateMachineRoleD59FFEBC:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: states.amazonaws.com
        Version: "2012-10-17"
    Metadata:
      aws:cdk:path: Issue30862Stack/MyStateMachine/Role/Resource
  MyStateMachineRoleDefaultPolicyE468EB18:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action: efs:tagResource
            Effect: Allow
            Resource: "*"
        Version: "2012-10-17"
      PolicyName: MyStateMachineRoleDefaultPolicyE468EB18
      Roles:
        - Ref: MyStateMachineRoleD59FFEBC
    Metadata:
      aws:cdk:path: Issue30862Stack/MyStateMachine/Role/DefaultPolicy/Resource
  MyStateMachine6C968CA5:
    Type: AWS::StepFunctions::StateMachine
    Properties:
      DefinitionString:
        Fn::Join:
          - ""
          - - '{"StartAt":"Tag access point","States":{"Tag access point":{"Next":"GreetedWorld","Type":"Task","ResultPath":null,"Resource":"arn:'
            - Ref: AWS::Partition
            - :states:::aws-sdk:efs:tagResource","Parameters":{"ResourceId.$":"$.pathToArn","Tags":[{"Key":"MYTAGNAME","Value.$":"$.pathToId"}]}},"GreetedWorld":{"Type":"Succeed"}}}
      RoleArn:
        Fn::GetAtt:
          - MyStateMachineRoleD59FFEBC
          - Arn
    DependsOn:
      - MyStateMachineRoleDefaultPolicyE468EB18
      - MyStateMachineRoleD59FFEBC
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete
    Metadata:
      aws:cdk:path: Issue30862Stack/MyStateMachine/Resource
...
```
Per TagResource, the operation requires permissions for the `elasticfilesystem:TagResource` action.

Possible root cause:
`${iamService}:${props.action}` is used to add the IAM policy action. `iamService` is resolved here based on the condition `iamServiceMap[props.service] ?? props.service`. `iamServiceMap` perhaps maintains a list of services having a mapping to service names, for scenarios where `props.service` doesn't map to the service name (like in the current scenario). In the current implementation, the logic would fall back to using `props.service`, which is `efs`.

Possible fix:
Add the mapping `efs: 'elasticfilesystem'` to `iamServiceMap` here.

Workaround:
Explicitly specify `CallAwsServiceProps.iamAction` as `elasticfilesystem:TagResource`. Verified using the code below:
```typescript
const callAwsServiceTask = new tasks.CallAwsService(this, 'TagEfsAccessPoint', {
  stateName: 'Tag access point',
  service: 'efs',
  action: 'tagResource',
  iamResources: ['*'],
  iamAction: 'elasticfilesystem:TagResource',
  parameters: {
    ResourceId: sfn.JsonPath.stringAt('$.pathToArn'),
    Tags: [
      {
        Key: "MYTAGNAME",
        Value: sfn.JsonPath.stringAt('$.pathToId')
      }
    ]
  },
  resultPath: sfn.JsonPath.DISCARD
});
```
and it works:
```yaml
...
  MyStateMachineRoleDefaultPolicyE468EB18:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action: elasticfilesystem:TagResource
            Effect: Allow
            Resource: "*"
        Version: "2012-10-17"
      PolicyName: MyStateMachineRoleDefaultPolicyE468EB18
      Roles:
        - Ref: MyStateMachineRoleD59FFEBC
    Metadata:
      aws:cdk:path: Issue30862Stack/MyStateMachine/Role/DefaultPolicy/Resource
...
```
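As an added example (not code from aws-cdk or from this issue's comments), the TypeScript below models the `${iamService}:${props.action}` derivation with and without the proposed `efs` mapping, and adds a check that scans a synthesized PolicyDocument for actions still carrying the SDK service name instead of the IAM prefix. The mapping table is an assumption standing in for CDK's `iamServiceMap` and contains only the `efs` entry this issue reports.

```typescript
// Added example, not aws-cdk's own source: a local model of how CallAwsService
// derives the IAM action (`${iamService}:${props.action}` where iamService is
// `iamServiceMap[props.service] ?? props.service`), plus a policy scan.

// SDK service name -> IAM service prefix. Only the `efs` entry comes from the
// issue; the map is an assumption standing in for CDK's `iamServiceMap`.
const sdkToIamPrefix: Record<string, string> = {
  efs: 'elasticfilesystem',
};

interface TaskProps {
  service: string;     // SDK service name passed to CallAwsService, e.g. 'efs'
  action: string;      // SDK action name, e.g. 'tagResource'
  iamAction?: string;  // explicit override, i.e. the workaround from the issue
}

// `fixed` selects whether the proposed `efs` mapping is present; without it
// the fallback to `props.service` yields the unusable 'efs:tagResource'.
function deriveIamAction(props: TaskProps, fixed: boolean): string {
  if (props.iamAction) return props.iamAction;
  const map: Record<string, string> = fixed ? sdkToIamPrefix : {};
  const iamService = map[props.service] ?? props.service;
  return `${iamService}:${props.action}`;
}

interface PolicyStatement { Action: string | string[]; Effect: string; Resource: string | string[] }
interface PolicyDocument { Statement: PolicyStatement[]; Version: string }

// Scans a synthesized PolicyDocument and returns every action whose prefix is a
// known SDK-name mismatch, paired with the IAM action that should be there.
function findMismatchedActions(doc: PolicyDocument): Array<{ found: string; expected: string }> {
  const out: Array<{ found: string; expected: string }> = [];
  for (const st of doc.Statement) {
    const actions = Array.isArray(st.Action) ? st.Action : [st.Action];
    for (const a of actions) {
      const sep = a.indexOf(':');
      if (sep < 0) continue;
      const iamPrefix = sdkToIamPrefix[a.slice(0, sep)];
      if (iamPrefix) out.push({ found: a, expected: `${iamPrefix}:${a.slice(sep + 1)}` });
    }
  }
  return out;
}

// Constructed sample: the PolicyDocument that `cdk synth` emitted in the issue.
const synthesizedPolicy: PolicyDocument = {
  Statement: [{ Action: 'efs:tagResource', Effect: 'Allow', Resource: '*' }],
  Version: '2012-10-17',
};
```

Running `findMismatchedActions` over the policy documents in a synthesized template is a cheap pre-deploy check for a role that would otherwise fail at runtime with an access-denied error on the first state transition.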
Hi @ashishdhingra, I would like to work on this issue!
@ishon19 Thanks for your reply. I will most likely submit PR for this issue soon. :)
Yeah, sure! =)
Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.
Describe the bug
I am working on writing a CDK-based step function with a task to call 'tagresources' on an EFS access point:
Produces an incorrect IAM policy snippet.
Expected Behavior
It should be (ref):
Current Behavior
Produces:
Which is incorrect, it should be (ref):
Reproduction Steps
Create the following task as part of a CDK defined state machine:
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
2.147.2
Framework Version
No response
Node.js Version
20
OS
macOS
Language
TypeScript
Language Version
TypeScript (5.4.2)
Other information
No response