aws / aws-tools-for-powershell

The AWS Tools for PowerShell lets developers and administrators manage their AWS services from the PowerShell scripting environment.
Apache License 2.0

`PolicyArn` parameter should accept strings #50

Closed jakauppila closed 3 years ago

jakauppila commented 5 years ago

Expected Behavior

When I am assuming a role via Use-STSRole I want to pass a managed policy ARN to restrict its access. I want to be able to pass a string or array of strings of those ARNs.

Use-STSRole -RoleArn "arn:aws:iam::${targetAccount}:role/$roleName" -RoleSessionName $roleSessionName -DurationInSeconds 900 -PolicyArn 'arn:aws:iam::aws:policy/job-function/ViewOnlyAccess'

Current Behavior

PolicyArn is required to be of type PolicyDescriptorType[] per the documentation, which means I must do the following:

# Build the descriptor object the cmdlet expects, one per managed policy ARN
$policy = New-Object -TypeName Amazon.SecurityToken.Model.PolicyDescriptorType
$policy.Arn = 'arn:aws:iam::aws:policy/job-function/ViewOnlyAccess'

# Pass the descriptor (or an array of them) as the session policy for the assumed role
$awsCreds = Use-STSRole -RoleArn "arn:aws:iam::${targetAccount}:role/$roleName" -RoleSessionName $roleSessionName -DurationInSeconds 900 -PolicyArn $policy

Possible Solution

Ideally, the cmdlet itself could do that conversion from string to Amazon.SecurityToken.Model.PolicyDescriptorType so I don't have to be responsible for that conversion, which doesn't appear to do anything of value for me anyways (like validation, etc.).

Your Environment

3.3.563.1 AWSPowerShell

matteo-prosperi commented 5 years ago

Hello, thanks for reporting this.

You could simplify your code snippet down to

Use-STSRole -PolicyArn @{ Arn = 'arn:aws:iam::aws:policy/job-function/ViewOnlyAccess' } #other params

Would that be a reasonable solution?

The reason we are not simplifying this to be a string is that this specific input modeling is provided by the STS team. We could accept

Use-STSRole -PolicyArn 'arn:aws:iam::aws:policy/job-function/ViewOnlyAccess'

based on the fact that Amazon.SecurityToken.Model.PolicyDescriptorType has a single property (Arn) but that will break if, in the future, the STS team decides to add other properties to PolicyDescriptorType (this actually happens frequently).
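For readers who want the string-to-descriptor conversion done on the caller's side without depending on PolicyDescriptorType staying a one-property class, the following helper is an added example; it is not code from this issue or from the AWS Tools for PowerShell project. It assumes the AWSPowerShell (or AWS.Tools.SecurityToken) module is imported and that the caller already holds credentials permitted to call sts:AssumeRole. The function name ConvertTo-StsPolicyDescriptor and the account, role and session-name values are constructed for the example.

```powershell
# Added example, not part of the issue or the AWS Tools for PowerShell project.
# Assumes the AWSPowerShell / AWS.Tools.SecurityToken module is already imported.
# ConvertTo-StsPolicyDescriptor is a hypothetical helper name.

function ConvertTo-StsPolicyDescriptor {
    [CmdletBinding()]
    [OutputType([Amazon.SecurityToken.Model.PolicyDescriptorType])]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]] $Arn
    )
    process {
        foreach ($a in $Arn) {
            # Only managed-policy ARNs are valid for a session policy; fail early on
            # anything else instead of letting STS reject the call with a vaguer error.
            if ($a -notmatch '^arn:aws[\w-]*:iam::(aws|\d{12}):policy/') {
                throw "Not a managed policy ARN: $a"
            }
            $d = New-Object -TypeName Amazon.SecurityToken.Model.PolicyDescriptorType
            $d.Arn = $a
            $d
        }
    }
}

# Constructed sample values: replace with your own account, role and session name.
$targetAccount   = '111122223333'
$roleName        = 'ExampleRole'
$roleSessionName = "readonly-$env:USERNAME"

# A session policy can only narrow the role's permissions (the effective set is the
# intersection of the role policy and the session policy), so listing ViewOnlyAccess
# here caps the session at read-only even if the role itself is broader.
$sessionPolicies = @(
    'arn:aws:iam::aws:policy/job-function/ViewOnlyAccess'
) | ConvertTo-StsPolicyDescriptor

$assumed = Use-STSRole -RoleArn "arn:aws:iam::${targetAccount}:role/$roleName" `
                       -RoleSessionName $roleSessionName `
                       -DurationInSeconds 900 `
                       -PolicyArn $sessionPolicies
```

Because the helper always emits PolicyDescriptorType objects, the call keeps working if STS later adds properties to that class; the caller only ever sets Arn, and the ARN check catches a mistyped or inline-policy value before the request leaves the machine.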

ashishdhingra commented 3 years ago

Hi @jakauppila,

Please let me know if the workaround provided by @matteo-prosperi works for you and if we could close this issue.

Thanks, Ashish

github-actions[bot] commented 3 years ago

This issue has not received a response in 2 weeks. If you want to keep this issue open, please just leave a comment below and auto-close will be canceled.