Closed stefano-m closed 1 year ago
Hi @stefano-m - thanks for reaching out.
I attempted to reproduce it following the steps with the command below but wasn't able to. However, I see that you mentioned the same command worked for an IAM role with no path. Have you tried using the account ID instead of the IAM role for --principal to see if that works? I'd be happy to confirm it with the service team if you'd like.
aws signer add-profile-permission --action signer:GetSigningProfile --statement-id permission1 --profile-name johnSigner --principal arn:aws:iam::<accountID>:role/testIAMRole --region us-west-1
Hi @aBurmeseDev and thank you for taking this up.
I can confirm that I can successfully add plain account IDs and roles with no path. I am still getting a validation exception when I use a role with a path.
If it's any help, this is happening in the eu-west-2 region. I am unable to run tests in other AWS regions, unfortunately.
I have created a test profile and roles, and tried the below (note that the actual account id has been redacted and the dummy 123456789012 is used instead).
I hope this helps! 🤞
aws signer add-profile-permission --profile-name Lambda_TEST2_7db05166b0f14493a870fa66ac95f39d --statement-id test1 --action signer:GetSigningProfile --principal 123456789012
# revisionId: fd1f8001-6b7d-4413-ad85-55025eb1de7e
Note that here I'm using the revision id from the previous command.
aws signer add-profile-permission --profile-name Lambda_TEST2_7db05166b0f14493a870fa66ac95f39d --statement-id test2 --action signer:GetSigningProfile --principal arn:aws:iam::123456789012:role/TestGitHubAwsCliIssue7820 --revision-id fd1f8001-6b7d-4413-ad85-55025eb1de7e
# revisionId: 67a59399-f7c9-480a-b76d-aa23bad5423c
Here too, I am using the revision id from the previous command.
aws signer add-profile-permission --profile-name Lambda_TEST2_7db05166b0f14493a870fa66ac95f39d --statement-id test3 --action signer:GetSigningProfile --principal arn:aws:iam::123456789012:role/test/path/TestGitHubAwsCliIssue7820WithPath --revision-id 67a59399-f7c9-480a-b76d-aa23bad5423c
# An error occurred (ValidationException) when calling the AddProfilePermission operation: Principal is not a valid AWS account id or IAM Role Arn
aws signer list-profile-permissions --profile-name Lambda_TEST2_7db05166b0f14493a870fa66ac95f39d
# permissions:
# - action: signer:GetSigningProfile
#   principal: '123456789012'
#   statementId: test1
# - action: signer:GetSigningProfile
#   principal: arn:aws:iam::123456789012:role/TestGitHubAwsCliIssue7820
#   statementId: test2
# policySizeBytes: 501
# revisionId: 67a59399-f7c9-480a-b76d-aa23bad5423c
@stefano-m - I appreciate you sharing this detailed response to help me understand it. I'm going to reach out to the service team on your behalf to verify the behavior you're running into. Since it's cross-SDK related, I'm going to transfer this to our shared repo and track the issue there.
Thank you again for your patience while we look into it. Best, John
P86307464
Hi @stefano-m - I just heard back from a service team member that using account id as principal is expected and they don't have a plan to support specifying roles with a path, unfortunately. Please let me know if you'd like me to pass anything back to the service team.
Hi @aBurmeseDev, thanks for getting back to me.
It's a shame that the service team is not planning to support roles with paths. With this, such roles become second-class citizens. But well, I appreciate that you all got back to me with the news.
My suggestions are:
An error occurred (ValidationException) when calling AddProfilePermission operation: Principal is not a valid AWS account id or IAM Role Arn (IAM Roles with paths are not supported)
Hope this helps.
Thank you again.
Describe the bug
Running aws signer add-profile-permission with an IAM role with a path as principal returns a ValidationException; the same command works without problems when using a role with no path.
I am using
Expected Behavior
Given an IAM role with a path, e.g. arn:aws:iam::123456789012:role/teams/my-team/Signer, the below command succeeds and returns a revision id:
Current Behavior
Given an IAM role with a path, e.g. arn:aws:iam::123456789012:role/teams/my-team/Signer, the below command fails with an error; the error returned is
Reproduction Steps
arn:aws:iam::123456789012:role/teams/my-team/Signer
SomeSignerProfile
Possible Solution
Make AddProfilePermission validate roles with a path the same way roles with no path are validated. Or at least, if this is not supported, make it return a more meaningful error message and document it.
Additional Information/Context
I appreciate that this might not be a problem with the AWS CLI itself and instead a problem with the AddProfilePermission API operation, but I found no other place where to report this bug to AWS.
Thank you
CLI version used
aws-cli/2.8.12 Python/3.10.9
Environment details (OS name and version, etc.)
Darwin/22.4.0
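As an added example (not code from the aws-cli project or from anyone in this thread), a POSIX shell pre-flight check that applies the rule this thread documents before calling aws signer add-profile-permission: a 12-digit account ID or an IAM role ARN without a path is passed through, a role ARN with a path is refused up front with the explicit message suggested above instead of the generic ValidationException. The function names and the hint text are the example's own, and the accepted-ARN pattern is an assumption based on the commands shown in the thread.

```shell
#!/bin/sh
# Added example; not from the aws-cli project or the issue author.
# AddProfilePermission (per this thread) accepts a 12-digit account ID or an
# IAM role ARN without a path, and rejects a role ARN that has a path.

# Classify a --principal value. Prints one of:
#   account, role, role-with-path, invalid
# Returns 0 when Signer accepts the form, 1 when it does not.
signer_principal_kind() {
    p="$1"
    if printf '%s\n' "$p" | grep -Eq '^[0-9]{12}$'; then
        echo account; return 0
    fi
    # Partition may be aws, aws-cn or aws-us-gov; role name has no '/'.
    if printf '%s\n' "$p" | grep -Eq '^arn:aws(-[a-z]+)*:iam::[0-9]{12}:role/[^/]+$'; then
        echo role; return 0
    fi
    # Same ARN shape, but at least one path segment between role/ and the name.
    if printf '%s\n' "$p" | grep -Eq '^arn:aws(-[a-z]+)*:iam::[0-9]{12}:role/.+/[^/]+$'; then
        echo role-with-path; return 1
    fi
    echo invalid; return 1
}

# Wrapper around the real CLI call. First argument is the principal, the rest
# are forwarded unchanged, e.g.
#   add_profile_permission_checked "$PRINCIPAL" --profile-name SomeSignerProfile \
#       --statement-id test1 --action signer:GetSigningProfile
add_profile_permission_checked() {
    principal="$1"; shift
    kind=$(signer_principal_kind "$principal")
    case "$kind" in
        account|role)
            aws signer add-profile-permission --principal "$principal" "$@" ;;
        role-with-path)
            echo "Principal is not a valid AWS account id or IAM Role Arn (IAM Roles with paths are not supported): $principal" >&2
            echo "Hint: an account-ID principal covers every role in that account, a broader grant than one role." >&2
            return 1 ;;
        *)
            echo "Principal is not a valid AWS account id or IAM Role Arn: $principal" >&2
            return 1 ;;
    esac
}
```

The hint matters from a least-privilege standpoint: falling back to the account ID, as the service team recommends, widens the permission from a single role to the whole account.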