aws / aws-sdk-go-v2

AWS SDK for the Go programming language.
https://aws.github.io/aws-sdk-go-v2/docs/
Apache License 2.0

iam.NewListRolesPaginator.NextPage suddenly doesn't return "Tags" #2598

Closed suncle1993 closed 3 months ago

suncle1993 commented 3 months ago

Describe the bug

I have used iam.NewListRolesPaginator.NextPage to list IAM roles for a long time. Today it suddenly doesn't return "Tags".

{
    "Arn": "arn:aws:iam::xxx:role/aaa",
    "AssumeRolePolicyDocument": "xxx",
    "CreateDate": "2000-01-01T01:00:00Z",
    "Description": null,
    "MaxSessionDuration": 14400,
    "Path": "/",
    "PermissionsBoundary": null,
    "RoleId": "xxx",
    "RoleLastUsed": null,
    "RoleName": "abner",
    "Tags": null
}

Yesterday (2024-04-03) it still returned tags. Besides, I confirm I have seen that there are tags on this role in the AWS console.

Expected Behavior

role.Tags is a list that includes the real key-value pairs

Current Behavior

role.Tags is null

Reproduction Steps

Use this code to list IAM roles and it will occur.

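package iamsync // package name assumed; not shown in the original post

import (
    "context"
    "time"

    "github.com/aws/aws-sdk-go-v2/service/iam"
    "github.com/aws/aws-sdk-go-v2/service/iam/types"
)

// MaxResults and Client were not shown in the original post; these
// definitions are assumptions added so that the snippet compiles.
var MaxResults int32 = 100

type Client struct {
    iam           *iam.Client
    sleepDuration time.Duration
}

// ListRoles pages through ListRoles and returns every role it yields.
func (c *Client) ListRoles(input *iam.ListRolesInput) ([]types.Role, error) {
    if input == nil {
        input = &iam.ListRolesInput{MaxItems: &MaxResults}
    }
    svc := iam.NewListRolesPaginator(c.iam, input)
    output := make([]types.Role, 0)
    for svc.HasMorePages() {
        result, err := svc.NextPage(context.TODO())
        if err != nil {
            return nil, err
        }
        output = append(output, result.Roles...)
        // Pause between pages to stay under the API rate limit.
        time.Sleep(c.sleepDuration)
    }
    return output, nil
}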

Possible Solution

I think it's a server-side bug, not a bug in this SDK. Please help confirm with the backend developers whether there have been some adjustments.

Additional Information/Context

No response

AWS Go SDK V2 Module Versions Used

I first found this bug in github.com/aws/aws-sdk-go-v2/service/iam@v1.30.0. I then upgraded to v1.31.4, and it remains.

Compiler and Version used

go version go1.21.0 darwin/arm64

Operating System and version

mac and aws ecs

RanVaknin commented 3 months ago

Hi there,

Thanks for reaching out. The SDK did not change the structure for this operation. The behavior you are describing is indeed odd. Looking at the IAM API docs I don't see that Tags were ever a field that the ListRoles API returned:

<ListRolesResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
<ListRolesResult>
  <IsTruncated>false</IsTruncated>
  <Roles>
    <member>
      <Path>/application_abc/component_xyz/</Path>
      <Arn>arn:aws:iam::123456789012:role/application_abc/component_xyz/S3Access</Arn>
      <RoleName>S3Access</RoleName>
      <AssumeRolePolicyDocument>
        {"Version":"2012-10-17","Statement":[{"Effect":"Allow",
        "Principal":{"Service":["ec2.amazonaws.com"]},"Action":["sts:AssumeRole"]}]}
      </AssumeRolePolicyDocument>
      <CreateDate>2012-05-09T15:45:35Z</CreateDate>
      <RoleId>AROACVSVTSZYEXAMPLEYK</RoleId>
    </member>
    <member>
      <Path>/application_abc/component_xyz/</Path>
      <Arn>arn:aws:iam::123456789012:role/application_abc/component_xyz/SDBAccess</Arn>
      <RoleName>SDBAccess</RoleName>
      <AssumeRolePolicyDocument>
        {"Version":"2012-10-17","Statement":[{"Effect":"Allow",
        "Principal":{"Service":["ec2.amazonaws.com"]},"Action":["sts:AssumeRole"]}]}
      </AssumeRolePolicyDocument>
      <CreateDate>2012-05-09T15:45:45Z</CreateDate>
      <RoleId>AROAC2ICXG32EXAMPLEWK</RoleId>
    </member>
  </Roles>
</ListRolesResult>
<ResponseMetadata>
  <RequestId>20f7279f-99ee-11e1-a4c3-27EXAMPLE804</RequestId>
</ResponseMetadata>
</ListRolesResponse>

Also, the IAM service uses a REST XML protocol; where is that JSON response coming from in your ticket?

The fact that the IAM API has a separate operation for returning the tags on a role (ListRoleTags) is also contributing to this confusion.

Do you have any sort of CloudWatch logs or request IDs that show the tags being returned?

Thanks, Ran~

suncle1993 commented 3 months ago

Thank you for your confirmation. It's my mistake, sorry. Before, we consumed CloudTrail events, and for every event we called GetRole to get the IAM role data. This is why we could get the tags before.

Besides, we have a job that lists all IAM roles to do a full sync. Unfortunately, this was the first time the job ran after we recently added a tag-missing alert.

This is the root cause. Sorry again.

Lastly, I want to know whether there is any way for us to ListRoles with tags in one request. Thanks.

If there is no method that can do ListRoles with tags and we must call ListRoleTags one by one after ListRoles, I think we can close this issue. Thank you.

RanVaknin commented 3 months ago

Hi @suncle1993 ,

As far as I know, the only way for you to achieve that is to:

  1. list all roles
  2. iterate over the list of roles and call ListRoleTags on each one of them.

Happy to help, Ran~
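The two-step approach from the answer above, applied to the tag-missing alert discussed in this thread, as an added example that is not part of the original thread or the SDK. `TagLister`, `RolesMissingTag` and `fakeIAM` are hypothetical names; the interface stands in for the per-role ListRoleTags call and its marker-based paging, and the sample data is constructed.

```go
package main

import "fmt"

// TagLister (hypothetical): one page of a role's tags plus the next marker ("" = last page).
type TagLister interface {
	ListRoleTags(role, marker string) (map[string]string, string, error)
}

// RolesMissingTag names roles lacking key; a failed lookup aborts, never counts as "missing".
func RolesMissingTag(api TagLister, roles []string, key string) ([]string, error) {
	var missing []string
	for _, role := range roles {
		found, marker := false, ""
		for {
			page, next, err := api.ListRoleTags(role, marker)
			if err != nil {
				return nil, fmt.Errorf("list tags for %s: %w", role, err)
			}
			if _, ok := page[key]; ok {
				found = true
			}
			if marker = next; marker == "" {
				break
			}
		}
		if !found {
			missing = append(missing, role)
		}
	}
	return missing, nil
}

// fakeIAM is constructed sample data: role -> pages of tags; marker = next page index.
type fakeIAM map[string][]map[string]string

func (f fakeIAM) ListRoleTags(role, marker string) (map[string]string, string, error) {
	var i int
	fmt.Sscan(marker, &i) // empty marker leaves i at 0 (first page)
	if i >= len(f[role]) {
		return nil, "", fmt.Errorf("no such role: %s", role)
	}
	if i+1 == len(f[role]) {
		return f[role][i], "", nil
	}
	return f[role][i], fmt.Sprint(i + 1), nil
}

func main() {
	api := fakeIAM{"abner": {{"team": "a"}, {"owner": "x"}}, "legacy": {{}}}
	fmt.Println(RolesMissingTag(api, []string{"abner", "legacy"}, "owner"))
}
```

The role names passed in would come from the ListRoles paginator; the alert decision is made only from what the per-role tag lookup returned, never from the `Tags` field of a ListRoles result.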
