salesforce / policy_sentry

IAM Least Privilege Policy Generator
https://policy-sentry.readthedocs.io/
MIT License

Getting KeyError when trying to generate policy from actions template. #448

Closed aunraza closed 8 months ago

aunraza commented 1 year ago

When I try to write-policy (policy_sentry write-policy --input-file actions.yml -m) using the attached file actions.txt (renamed the extension to .txt instead of .yml), I get the following error:

Traceback (most recent call last):
  File "/opt/homebrew/bin/policy_sentry", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/opt/homebrew/Cellar/policy_sentry/0.12.10/libexec/lib/python3.11/site-packages/policy_sentry/bin/cli.py", line 26, in main
    policy_sentry()
  File "/opt/homebrew/Cellar/policy_sentry/0.12.10/libexec/lib/python3.11/site-packages/click/core.py", line 1157, in __call__
    return self.main(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/policy_sentry/0.12.10/libexec/lib/python3.11/site-packages/click/core.py", line 1078, in main
    rv = self.invoke(ctx)
         ^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/policy_sentry/0.12.10/libexec/lib/python3.11/site-packages/click/core.py", line 1688, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/policy_sentry/0.12.10/libexec/lib/python3.11/site-packages/click/core.py", line 1434, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/policy_sentry/0.12.10/libexec/lib/python3.11/site-packages/click/core.py", line 783, in invoke
    return __callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/policy_sentry/0.12.10/libexec/lib/python3.11/site-packages/policy_sentry/command/write_policy.py", line 132, in write_policy
    policy = write_policy_with_template(cfg, min_length)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/policy_sentry/0.12.10/libexec/lib/python3.11/site-packages/policy_sentry/command/write_policy.py", line 158, in write_policy_with_template
    policy = sid_group.process_template(cfg, minimize)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/policy_sentry/0.12.10/libexec/lib/python3.11/site-packages/policy_sentry/writing/sid_group.py", line 608, in process_template
    self.add_by_list_of_actions(cfg_actions)
  File "/opt/homebrew/Cellar/policy_sentry/0.12.10/libexec/lib/python3.11/site-packages/policy_sentry/writing/sid_group.py", line 450, in add_by_list_of_actions
    self.add_by_arn_and_access_level(
  File "/opt/homebrew/Cellar/policy_sentry/0.12.10/libexec/lib/python3.11/site-packages/policy_sentry/writing/sid_group.py", line 323, in add_by_arn_and_access_level
    service_action_data = get_action_data(service_prefix, "*")
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/policy_sentry/0.12.10/libexec/lib/python3.11/site-packages/policy_sentry/querying/actions.py", line 98, in get_action_data
    return get_action_data_v2(service=service, action_name=action_name)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/policy_sentry/0.12.10/libexec/lib/python3.11/site-packages/policy_sentry/querying/actions.py", line 125, in get_action_data_v2
    for this_action_name, this_action_data in service_prefix_data[
                                              ^^^^^^^^^^^^^^^^^^^^
KeyError: 'privileges'

I am unable to determine which actions are causing this problem. It works in certain cases, so it likely seems to be failing on some action; I wasn't able to pinpoint it, as the debug logs don't show which action.

gruebel commented 1 year ago

hey @aunraza, thanks for reaching out.

There are actually a couple of issues not handled correctly.

Those actions don't exist in the internal DB, which is updated at the beginning of each month:

Even after removing them, there are 2 special cases which are not handled correctly and result in the mentioned error. For some reason the ARNs of Portfolio and Product under Service Catalog use catalog as the service name and not servicecatalog. Additionally, the ARN of recoveryPoint under Backup has the placeholder ${Vendor}.
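As an added illustration, not policy_sentry's own code, of the two failure modes described above (actions missing from the internal DB, and resource ARN templates whose service segment is a placeholder or is not a known service prefix), here is a pre-flight check over a template's actions list against a small constructed stand-in DB. The DB layout and the check_actions function are assumptions, not the project's schema, and the output names the offending action rather than failing with a bare KeyError.

```python
import re

# Constructed stand-in for policy_sentry's internal action DB (the real
# schema is an assumption here): service prefix -> privileges -> ARN templates.
ACTION_DB = {
    "s3": {"privileges": {"GetObject": {"resource_types": {
        "object": "arn:${Partition}:s3:::${BucketName}/${ObjectName}"}}}},
    # Service Catalog ARNs use "catalog" as the service segment, not "servicecatalog".
    "servicecatalog": {"privileges": {"DescribePortfolio": {"resource_types": {
        "Portfolio": "arn:${Partition}:catalog:${Region}:${Account}:portfolio/${PortfolioId}"}}}},
    # Backup's recoveryPoint ARN carries the ${Vendor} placeholder in the service segment.
    "backup": {"privileges": {"DescribeRecoveryPoint": {"resource_types": {
        "recoveryPoint": "arn:${Partition}:${Vendor}:${Region}:${Account}:recovery-point:${RecoveryPointId}"}}}},
}

# Service segment of an ARN template: arn:<partition>:<service>:...
ARN_SERVICE_RE = re.compile(r"^arn:[^:]*:([^:]*):")


def check_actions(actions, db=ACTION_DB):
    """Return (action, problem) pairs for every entry that would make
    write-policy fail; an empty list means the template is safe to run."""
    problems = []
    for action in actions:
        if ":" not in action:
            problems.append((action, "not in service:Action form"))
            continue
        prefix, name = action.split(":", 1)
        prefix = prefix.lower()
        service = db.get(prefix)
        if service is None:
            problems.append((action, f"unknown service prefix {prefix!r}"))
            continue
        priv = service["privileges"].get(name)
        if priv is None:
            problems.append((action, "action not in the internal DB"))
            continue
        # Resolve the service segment of each resource ARN: a placeholder or a
        # segment that is not a known prefix is what ends in the KeyError.
        for rtype, arn in priv["resource_types"].items():
            m = ARN_SERVICE_RE.match(arn)
            arn_service = m.group(1) if m else ""
            if arn_service.startswith("${"):
                problems.append((action, f"{rtype} ARN uses placeholder {arn_service} as service"))
            elif arn_service != prefix and arn_service not in db:
                problems.append((action, f"{rtype} ARN service {arn_service!r} is not a known prefix"))
    return problems
```

Run check_actions over the actions: list of a template before write-policy; each reported pair points at the exact entry to remove or fix.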