udondan / iam-floyd

AWS IAM policy statement generator with fluent interface
https://iam-floyd.readthedocs.io/
Apache License 2.0

Trust policies #31

Closed cmclaughlin closed 4 years ago

cmclaughlin commented 4 years ago

Is it possible to generate this?

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "rds.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Just getting started and everything I've generated has a Resource key/value. If it's not possible, could we consider this a feature request?

udondan commented 4 years ago

Hi and thanks for the issue. You're correct, currently it always adds all resources. I somehow missed that.

I had prepared a change this morning to fix this, but then got distracted with my day job and now I'm afk... Will test and push tomorrow.

Thanks again, Daniel

cmclaughlin commented 4 years ago

Sounds good! Thanks for the awesome library.

udondan commented 4 years ago

Alright, it started raining so I came back earlier than expected...

Release 0.70.1 is out, which no longer automatically adds the Resource key if the statement has a principal.

I assume you're using the iam-floyd package without CDK, right? Where I got stuck this morning was to test the CDK variant and it turns out you actually cannot add a PolicyStatement to a role because it expects an IPrincipal.

In the version without CDK you can create the trust policy now like this:

new statement.Sts()
  .allow()
  .toAssumeRole()
  .forService('rds.amazonaws.com')

Which will produce this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "sts:AssumeRole"
      ],
      "Principal": {
        "Service": [
          "rds.amazonaws.com"
        ]
      }
    }
  ]
}

In CDK-land you can do the same if you simply wanted the statement as JSON. But if you wanted to add it to a role you would do it like this instead:

new iam.Role(this, 'Role', {
  roleName: 'test-role',
  description: 'Test Role',
  assumedBy: new iam.ServicePrincipal('rds.amazonaws.com'),
  managedPolicies: [...],
});

Let me know if my assumption was wrong and you need it somehow in CDK.

Cheers, Daniel

cmclaughlin commented 4 years ago

Thanks!

I'm using the Python library with CDK for Terraform. So basically just raw Python.

I can confirm it works:

>>> import iam_floyd as statement
>>> statement.Sts().allow().to_assume_role().for_service('rds.amazonaws.com').to_json()
{'Action': ['sts:AssumeRole'], 'Principal': {'Service': ['rds.amazonaws.com']}}

udondan commented 4 years ago

Thanks for confirming. I myself only use it in TypeScript with AWS CDK. Always good to hear it's working in other combinations!

cmclaughlin commented 4 years ago

@udondan just getting around to using it... perhaps I'm still just not familiar with the library, but I think we need an "Effect": "Allow" key/value pair.

The particular policy I'm trying to model is documented here:

https://docs.aws.amazon.com/neptune/latest/userguide/bulk-load-tutorial-IAM.html

cmclaughlin commented 4 years ago

Ok, that's probably more of a usage question... my S3 policy is missing the Effect KV also. Please let me know if you have any hints!

udondan commented 4 years ago

Hi Charles, the Effect in a policy statement is optional and defaults to Allow; that's why it's not explicitly set.

The methods to set the Effect are allow() and deny().

cmclaughlin commented 4 years ago

Maybe it's optional for normal policy statements, but not trust relationships?

[Screenshot: Screen Shot 2020-10-05 at 3 02 02 PM]

udondan commented 4 years ago

Ah, interesting. Never knew that. Thanks!

I really need to add a lot more tests, not only creating statements but actually creating policies to catch these things.

udondan commented 4 years ago

Version 0.76.1 will be released in a minute which includes a fix for this. Thanks again for bringing this to my attention!
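The two structural points raised in this thread (a role trust policy carries a Principal instead of a Resource, and IAM rejects a trust policy statement that omits Effect) can be checked before a document ever reaches IAM. The following is an added example written for this page; it is not iam-floyd's code and does not use the library. `build_trust_policy` and `validate_trust_policy` are hypothetical helpers, and the sample documents are constructed inline, including a copy of the Effect-less output shown earlier in the thread.

```python
import json

STS_ASSUME_ROLE = "sts:AssumeRole"


def build_trust_policy(service_principals, sid=""):
    """Build a role trust policy for the given AWS service principals.

    Hypothetical helper for this example (not iam-floyd's API). Effect is
    always written out because a trust policy statement without it is
    rejected, and no Resource key is emitted because a trust policy
    identifies the trusted party with a Principal instead.
    """
    statement = {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"Service": sorted(service_principals)},
        "Action": STS_ASSUME_ROLE,
    }
    return {"Version": "2012-10-17", "Statement": [statement]}


def validate_trust_policy(document):
    """Return a list of problems in a trust policy document (empty if OK).

    Checks the structural rules of a role trust policy:
    - Version is 2012-10-17
    - every statement has an explicit Effect of Allow or Deny
    - every statement names a Principal (or NotPrincipal) and no Resource
    - every statement's Action is an sts: action such as sts:AssumeRole
    """
    problems = []
    if document.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    statements = document.get("Statement")
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty list"]
    for idx, stmt in enumerate(statements):
        where = f"Statement[{idx}]"
        if "Effect" not in stmt:
            problems.append(f"{where}: Effect is required in a trust policy")
        elif stmt["Effect"] not in ("Allow", "Deny"):
            problems.append(f"{where}: Effect must be Allow or Deny")
        if "Principal" not in stmt and "NotPrincipal" not in stmt:
            problems.append(f"{where}: a trust policy statement needs a Principal")
        if "Resource" in stmt:
            problems.append(f"{where}: Resource is not allowed in a trust policy")
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a.lower().startswith("sts:") for a in actions):
            problems.append(f"{where}: Action should be an sts: action such as sts:AssumeRole")
    return problems


# Constructed sample: the Effect-less statement shown earlier in this thread.
MISSING_EFFECT = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["sts:AssumeRole"],
            "Principal": {"Service": ["rds.amazonaws.com"]},
        }
    ],
}

# Constructed sample: an identity-policy shaped statement mistakenly used as a trust policy.
NOT_A_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}],
}

if __name__ == "__main__":
    good = build_trust_policy(["rds.amazonaws.com"])
    print(json.dumps(good, indent=2))
    print("built policy problems:", validate_trust_policy(good))
    print("thread sample problems:", validate_trust_policy(MISSING_EFFECT))
    print("identity policy problems:", validate_trust_policy(NOT_A_TRUST_POLICY))
```

Running the module prints the generated document and then the validator's findings for each sample: none for the built policy, a single missing-Effect finding for the thread's sample, and three findings (no Principal, a Resource key, and a non-sts Action) for the identity-policy shaped statement.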