aws / aws-sdk

Landing page for the AWS SDKs on GitHub
https://aws.amazon.com/tools/

CLI V2: aws signer add-profile-permission fails when principal is an IAM role with path #519

Closed stefano-m closed 1 year ago

stefano-m commented 1 year ago

Describe the bug

Running aws signer add-profile-permission with an IAM role with path as principal returns a ValidationException; the same command works without problems when using a role with no path.

I am using

$ aws --version
aws-cli/2.8.12 Python/3.10.9 Darwin/22.4.0 source/x86_64 prompt/off

Expected Behavior

Given an IAM role with path, e.g. arn:aws:iam::123456789012:role/teams/my-team/Signer, the below command succeeds and returns a revision id:

aws signer add-profile-permission \
    --action signer:GetSigningProfile \
    --statement-id permission1 \
    --profile-name SomeSignerProfile \
    --principal arn:aws:iam::123456789012:role/teams/my-team/Signer

Current Behavior

Given an IAM role with path, e.g. arn:aws:iam::123456789012:role/teams/my-team/Signer, the below command fails with an error:

aws signer add-profile-permission \
    --action signer:GetSigningProfile \
    --statement-id permission1 \
    --profile-name SomeSignerProfile \
    --principal arn:aws:iam::123456789012:role/teams/my-team/Signer

The error returned is:

An error occurred (ValidationException) when calling AddProfilePermission operation:
Principal is not a valid AWS account id or IAM Role Arn

Reproduction Steps

Possible Solution

Make AddProfilePermission validate roles with path the same way roles with no path are validated. Or at least, if this is not supported, make it return a more meaningful error message and document it.

Additional Information/Context

I appreciate that this might not be a problem with the AWS CLI itself and instead a problem with the AddProfilePermission API operation, but I found no other place to report this bug to AWS.

Thank you

CLI version used

aws-cli/2.8.12 Python/3.10.9

Environment details (OS name and version, etc.)

Darwin/22.4.0

aBurmeseDev commented 1 year ago

Hi @stefano-m - thanks for reaching out.

I attempted to reproduce it following the steps with the command below but wasn't able to. However, I see that you mentioned the same command worked for an IAM role with no path. Have you tried using an account ID instead of an IAM role for --principal to see if that works? I'd be happy to confirm it with the service team if you'd like.

aws signer add-profile-permission --action signer:GetSigningProfile --statement-id permission1 --profile-name johnSigner --principal arn:aws:iam::<accountID>:role/testIAMRole --region us-west-1

stefano-m commented 1 year ago

Hi @aBurmeseDev and thank you for taking this up.

I can confirm that I can successfully add plain account IDs and roles with no path. I am still getting a validation exception when I use a role with path.

If it's any help, this is happening in the eu-west-2 region. I am unable to run tests in other AWS regions, unfortunately.

I have created a test profile and roles, and tried the below (note that the actual account id has been redacted and the dummy 123456789012 is used instead).

I hope this helps! 🤞

Adding account id as principal works

aws signer add-profile-permission --profile-name Lambda_TEST2_7db05166b0f14493a870fa66ac95f39d --statement-id test1 --action signer:GetSigningProfile --principal 123456789012
# revisionId: fd1f8001-6b7d-4413-ad85-55025eb1de7e

Adding a role with no path works

Note that here I'm using the revision id from the previous command.

aws signer add-profile-permission --profile-name Lambda_TEST2_7db05166b0f14493a870fa66ac95f39d --statement-id test2 --action signer:GetSigningProfile --principal arn:aws:iam::123456789012:role/TestGitHubAwsCliIssue7820 --revision-id fd1f8001-6b7d-4413-ad85-55025eb1de7e
# revisionId: 67a59399-f7c9-480a-b76d-aa23bad5423c

Adding a role with path does not work

Here too, I am using the revision id from the previous command.

aws signer add-profile-permission --profile-name Lambda_TEST2_7db05166b0f14493a870fa66ac95f39d --statement-id test3 --action signer:GetSigningProfile --principal arn:aws:iam::123456789012:role/test/path/TestGitHubAwsCliIssue7820WithPath --revision-id 67a59399-f7c9-480a-b76d-aa23bad5423c

# An error occurred (ValidationException) when calling the AddProfilePermission operation: Principal is not a valid AWS account id or IAM Role Arn

Listing the permissions shows that only account id and role with no path have been added

aws signer list-profile-permissions --profile-name Lambda_TEST2_7db05166b0f14493a870fa66ac95f39d
# permissions:
# - action: signer:GetSigningProfile
#   principal: '123456789012'
#   statementId: test1
# - action: signer:GetSigningProfile
#   principal: arn:aws:iam::123456789012:role/TestGitHubAwsCliIssue7820
#   statementId: test2
# policySizeBytes: 501
# revisionId: 67a59399-f7c9-480a-b76d-aa23bad5423c

aBurmeseDev commented 1 year ago

@stefano-m - Appreciate you sharing this detailed response to help me understand it. I'm going to reach out to the service team on your behalf to verify this behavior you're running into. Since it's cross-SDK related, I'm going to transfer this to our shared repo and track the issue there.

Thank you again for your patience while we look into it. Best, John

aBurmeseDev commented 1 year ago

P86307464

aBurmeseDev commented 1 year ago

Hi @stefano-m - I just heard back from a service team member that using account id as principal is expected and they don't have a plan to support specifying roles with a path, unfortunately. Please let me know if you'd like me to pass anything back to the service team.

stefano-m commented 1 year ago

Hi @aBurmeseDev

thanks for getting back to me.

It's a shame that the service team is not planning to support roles with paths. With this, such roles become second-class citizens. But well, I appreciate that you all got back to me with the news.

My suggestions are:

  1. return a meaningful validation error when a role with path is passed to the signer. For example: An error occurred (ValidationException) when calling AddProfilePermission operation: Principal is not a valid AWS account id or IAM Role Arn (IAM Roles with paths are not supported)
  2. clearly state the limitation that roles with paths are not supported in the aws signer documentation (both API and CLI)

Hope this helps.

Thank you again.
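A local pre-flight check that makes the distinction this thread documents (account id and path-less role ARN accepted, role ARN with a path rejected) and emits the clearer message suggested above before any API call is made. This is an added example, not code from the aws-sdk repository or the AWS CLI; the ARN regex and the message wording are assumptions based on the thread.

```python
import re
from typing import Tuple

# Principal forms the thread shows AddProfilePermission accepting: a bare
# 12-digit account id, or an IAM role ARN whose resource part is role/<Name>.
# A role ARN with a path (role/<path>/<Name>) was rejected with a
# ValidationException, and the service team said paths will not be supported.
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# Simplified IAM role ARN shape: arn:<partition>:iam::<account-id>:role/<resource>
# (the region field is empty for IAM, hence the double colon). This regex is an
# assumption for the example, not the CLI's own validation code.
ROLE_ARN_RE = re.compile(r"^arn:(aws[a-z-]*):iam::(\d{12}):role/(.+)$")

# Wording proposed in the thread, so callers get a specific reason.
NOT_SUPPORTED_MSG = (
    "Principal is not a valid AWS account id or IAM Role Arn "
    "(IAM Roles with paths are not supported)"
)
INVALID_MSG = "Principal is not a valid AWS account id or IAM Role Arn"


def classify_principal(principal: str) -> str:
    """Return 'account', 'role', 'role-with-path' or 'invalid' for a --principal value."""
    if ACCOUNT_ID_RE.match(principal):
        return "account"
    m = ROLE_ARN_RE.match(principal)
    if not m:
        return "invalid"  # also catches the single-colon 'arn:aws:iam:1234...' slip
    resource = m.group(3)
    if resource.startswith("/") or resource.endswith("/") or "//" in resource:
        return "invalid"  # empty path segment or missing role name
    return "role-with-path" if "/" in resource else "role"


def preflight(principal: str) -> Tuple[bool, str]:
    """Check a principal before calling add-profile-permission.

    Returns (ok, message). Never 'repair' a rejected ARN by stripping the path:
    role/Name and role/path/Name are two different roles.
    """
    kind = classify_principal(principal)
    if kind in ("account", "role"):
        return True, kind
    if kind == "role-with-path":
        return False, NOT_SUPPORTED_MSG
    return False, INVALID_MSG
```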