Closed nguforw closed 11 months ago
Thanks for opening this issue.
Are you able to share the full CloudFormation resource for the role in question? I'm not able to reproduce the issue using the trust policy that you shared.
@mluttrell - Here's the relevant snippet from the CFN template:

```json
{
  "Description": "CI/CD CDK Pipeline for products",
  "Resources": {
    "PipelineSourceCodeCommitCodePipelineActionRole48F8DEFA": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "AWS": "arn:aws:iam::111111111111:root"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "Tags": [
          {
            "Key": "ProducerName",
            "Value": "producer1"
          },
          {
            "Key": "ProductName",
            "Value": "None"
          },
          {
            "Key": "SchemaType",
            "Value": "producer1"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "product-pipeline/Pipeline/Pipeline/Source/CodeCommit/CodePipelineActionRole/Resource"
      }
    },
    "PipelineSourceCodeCommitCodePipelineActionRoleDefaultPolicy3CEB31C0": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "s3:Abort*",
                "s3:DeleteObject*",
                "s3:GetBucket*",
                "s3:GetObject*",
                "s3:List*",
                "s3:PutObject",
                "s3:PutObjectLegalHold",
                "s3:PutObjectRetention",
                "s3:PutObjectTagging",
                "s3:PutObjectVersionTagging"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "PipelineArtifactsBucketAEA9A052",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "PipelineArtifactsBucketAEA9A052",
                          "Arn"
                        ]
                      },
                      "/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": [
                "codecommit:CancelUploadArchive",
                "codecommit:GetBranch",
                "codecommit:GetCommit",
                "codecommit:GetUploadArchiveStatus",
                "codecommit:UploadArchive"
              ],
              "Effect": "Allow",
              "Resource": {
                "Fn::GetAtt": [
                  "Repo02AC86CF",
                  "Arn"
                ]
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "PipelineSourceCodeCommitCodePipelineActionRoleDefaultPolicy3CEB31C0",
        "Roles": [
          {
            "Ref": "PipelineSourceCodeCommitCodePipelineActionRole48F8DEFA"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "product-pipeline/Pipeline/Pipeline/Source/CodeCommit/CodePipelineActionRole/DefaultPolicy/Resource"
      }
    },
    "Repo02AC86CF": {
      "Type": "AWS::CodeCommit::Repository",
      "Properties": {
        "RepositoryDescription": "Repository containing Service Catalog product definitions",
        "RepositoryName": "service-catalog-product",
        "Tags": [
          {
            "Key": "ProducerName",
            "Value": "producer1"
          },
          {
            "Key": "ProductName",
            "Value": "None"
          },
          {
            "Key": "SchemaType",
            "Value": "producer1"
          }
        ]
      },
      "UpdateReplacePolicy": "Retain",
      "DeletionPolicy": "Retain",
      "Metadata": {
        "aws:cdk:path": "product-pipeline/Repo/Resource"
      }
    }
  }
}
```
Thank you! I was able to reproduce the issue this time and spoke with the service team who confirmed this should not produce a finding. They've since fixed this and it should now be working.
Can you remove the suppression you have for this role and validate that you're no longer seeing findings?
Closing as resolved
I have an application with a Python CDK pipeline and the cfn-policy-validator is being run after the `cdk synth`. A number of errors are being reported and these relate to the trust policies of the roles that CDK has created for use within the pipeline. Some examples are listed below.
The finding type is INVALID_ARN_RESOURCE (Resource ARN does not match the expected ARN format. Update the resource portion of the ARN.)
The trust policy is as follows (where 111111111111 is the "DevOps" account where the pipeline lives):
IAM is happy when this same trust policy is created via the console so it seems there is something within cfn-policy-validator that isn't quite right. I have had to use a suppression for this finding type but this should not be necessary as the policy is valid.
Version cfn-policy-validator=0.0.24
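The issue above concerns how a trust policy's `AWS` principal is checked against the IAM ARN format. The script below is an added example for this thread, not code from cfn-policy-validator or the CDK, and it does not reproduce the validator's own checks. It shows the kind of lightweight pre-check a pipeline owner can run over `cdk synth` output before the real validator: it walks every `AWS::IAM::Role` in a template, accepts well-formed IAM principal ARNs (including the account-root form the CDK generates for the CodePipeline action role), reports malformed ones under a finding name borrowed from the thread, and goes one step further than the thread by also flagging wildcard principals, which are a risk a defender would want surfaced. The sample template, the role names, and the malformed principals in it are constructed for the example.

```python
"""Lint the AssumeRolePolicyDocument of every IAM role in a CloudFormation
template. Added example; not cfn-policy-validator code."""
import json
import re
from typing import Any, Iterator

# Well-formed IAM principal ARNs: account root, users, roles, plus STS
# assumed-role session ARNs. Partition suffix (aws-cn, aws-us-gov) allowed.
_IAM_PRINCIPAL_ARN = re.compile(
    r"^arn:aws(?:-[a-z-]+)?:(?:iam::\d{12}:(?:root|user/\S+|role/\S+)"
    r"|sts::\d{12}:assumed-role/\S+)$"
)
# IAM also accepts a bare 12-digit account id as shorthand for account root.
_ACCOUNT_ID = re.compile(r"^\d{12}$")


def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


def _principals(statement: dict) -> Iterator[tuple[str, Any]]:
    """Yield (principal_type, value) pairs; normalises "*" and list forms."""
    principal = statement.get("Principal")
    if principal is None:
        return
    if principal == "*":
        yield ("AWS", "*")
        return
    for ptype, values in principal.items():
        for value in _as_list(values):
            yield (ptype, value)


def check_trust_policy(logical_id: str, doc: dict) -> list[tuple[str, str, str]]:
    """Return (logical_id, finding_type, principal) for each problem found."""
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for ptype, value in _principals(stmt):
            if isinstance(value, dict):
                # Fn::Sub / Fn::Join etc. cannot be judged without resolving them.
                findings.append((logical_id, "UNRESOLVED_INTRINSIC", json.dumps(value)))
            elif ptype != "AWS":
                continue  # Service / Federated principals are not IAM ARNs
            elif value == "*":
                findings.append((logical_id, "WILDCARD_PRINCIPAL", value))
            elif not (_IAM_PRINCIPAL_ARN.match(value) or _ACCOUNT_ID.match(value)):
                findings.append((logical_id, "INVALID_ARN_RESOURCE", value))
    return findings


def lint_template(template: dict) -> list[tuple[str, str, str]]:
    """Run check_trust_policy over every AWS::IAM::Role in the template."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        doc = res.get("Properties", {}).get("AssumeRolePolicyDocument", {})
        findings.extend(check_trust_policy(logical_id, doc))
    return findings


def _role(principal: Any) -> dict:
    return {"Type": "AWS::IAM::Role", "Properties": {"AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                       "Principal": principal}]}}}


# Constructed sample: the first role mirrors the trust policy from the thread.
SAMPLE_TEMPLATE = {"Resources": {
    "PipelineSourceCodeCommitCodePipelineActionRole48F8DEFA":
        _role({"AWS": "arn:aws:iam::111111111111:root"}),
    "PipelineServiceRole": _role({"Service": "codepipeline.amazonaws.com"}),
    "OpenRole": _role("*"),                                          # constructed
    "MalformedRole": _role({"AWS": "arn:aws:iam::111111111111:role"}),  # constructed
}}

if __name__ == "__main__":
    for logical_id, finding, principal in lint_template(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {finding} ({principal})")
```

Run it against `cdk.out/<stack>.template.json` by loading the file with `json.load` and passing the dict to `lint_template`; the CDK-generated action role produces no finding, while the constructed wildcard and malformed roles do.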