
importedRoleStackSafeDefaultPolicyName feature flag results in excessively long IAM policy names #27409

Closed
DharmSonariya opened this issue Oct 5, 2023 · 5 comments · Fixed by #27548
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management bug This issue is a bug. effort/small Small work item – less than a day of effort good first issue Related to contributions. See CONTRIBUTING.md p1

Comments

@DharmSonariya

Describe the bug

When using the @aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName feature flag with the CDK pipeline, the CDK generates exceedingly long IAM policy names that exceed AWS's character limits.

Expected Behavior

The CDK should generate names that respect AWS's character limits regardless of feature flag settings.

Current Behavior

When this feature flag is enabled, I get an error indicating that the policy name has exceeded the maximum allowed length (128 characters). The error message is as follows:

CREATE_FAILED Properties validation failed for resource Route53CrossAccountZoneDelegationRecordcrossaccountzonedelegationhandlerrolePolicyCadPlatformtoolboxDevToolchainCdkPipelineDevCadPlatformDevRoute53CrossAccountZoneDelegationRecordcrossaccountzonedelegationhandlerrole195BFE8B8FD65C38 with message: #/PolicyName: expected maxLength: 128, actual: 148

Reproduction Steps

1. Enable the @aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName feature flag with the CDK pipeline.
2. Define a stack that imports an IAM role and attach policies to it.
3. Deploy the stack.

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.99.1 (build b2a895e)

Framework Version

No response

Node.js Version

v18.18.0

OS

Ubuntu 23.04

Language

Python

Language Version

Python 3.11.5

Other information

No response

@DharmSonariya DharmSonariya added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Oct 5, 2023
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Oct 5, 2023
@peterwoodworth
Contributor

Can you please share a minimal code sample? I'm not exactly sure how you're using the role.

@peterwoodworth peterwoodworth added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. needs-reproduction This issue needs reproduction. and removed needs-triage This issue or PR still needs to be triaged. labels Oct 5, 2023
@DharmSonariya
Author

Certainly, please find the code below:

```python
from aws_cdk import aws_route53 as route53

# Runs inside a Stack/Construct method: self._public_hosted_zone,
# self.delegation_role and constants.MY_PUBLIC_DOMAIN are defined
# elsewhere in the reporter's stack.
route53.CrossAccountZoneDelegationRecord(
    self,
    "CrossAccountZoneDelegationRecord",
    delegated_zone=self._public_hosted_zone,
    parent_hosted_zone_name=constants.MY_PUBLIC_DOMAIN,
    delegation_role=self.delegation_role,
)
```

@peterwoodworth
Contributor

Thanks, I see what's going on here.

The feature flag makes use of Names.uniqueId(). The max length when using this method is 256

```ts
* @returns a unique alpha-numeric identifier with a maximum length of 255
```

I wonder if it would have been better to use Names.uniqueResourceName() instead; it allows for setting the max length option directly.

```ts
public static uniqueResourceName(construct: IConstruct, options: UniqueResourceNameOptions) {
```

It may be a better call to truncate the result returned from Names.uniqueId() here since we're already using this method

```ts
? `Policy${Names.uniqueId(this)}`
```

@peterwoodworth peterwoodworth added good first issue Related to contributions. See CONTRIBUTING.md p1 effort/small Small work item – less than a day of effort and removed response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. needs-reproduction This issue needs reproduction. labels Oct 5, 2023
@isacaraujo

There's an older issue: #24441

@mergify mergify bot closed this as completed in #27548 Dec 21, 2023
mergify bot pushed a commit that referenced this issue Dec 21, 2023
… in excessively long IAM policy names (#27548)

When the importedRoleStackSafeDefaultPolicyName feature flag is enabled, the method to calculate the IAM Policy Name within `aws_iam.ImportedRole.addToPrincipalPolicy()` changes. Specifically, if the generated IAM Policy Name exceeds the maximum allowed length of 128 characters, it will be truncated using `Names.uniqueResourceName()`.

Previously, the `Names.UniqueId()` method was used to generate the Policy Name. This method does not allow you to set a maximum length, so if the name exceeded the limit, it would be overwritten using `Names.uniqueResourceName()`—a function that allows for length specification.

I considered replacing `Names.UniqueId()` entirely with `Names.uniqueResourceName()`. However, this is on hold due to concerns that existing Policy Names could be affected. If a complete replacement poses no issues, your guidance is appreciated, as I'm not fully versed in the logic behind these methods.

Closes #27409 , #24441 

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
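The following is an added TypeScript illustration of the naming problem discussed in peterwoodworth's comment and of the length-bounded approach the PR description outlines. It is not CDK's code: `unboundedPolicyName` stands in for the unguarded `Policy${Names.uniqueId(this)}` shape, `safePolicyName` is a hash-suffixed truncation written here in the spirit of `Names.uniqueResourceName()` (the real helper's exact algorithm is not reproduced), and the construct path segments are constructed, modelled loosely on the resource name in the error message. It also shows why a plain cut at 128 characters is not a safe fix: two policies on the same role whose construct paths differ only after the cut point would end up with one name, and PutRolePolicy overwrites an inline policy of the same name, so one policy's statements would silently replace the other's.

```typescript
import { createHash } from "crypto";

// IAM's limit for an inline policy name, as reported by the CloudFormation error in this issue.
export const MAX_POLICY_NAME_LENGTH = 128;

// Constructed sample construct path (assumed segments; the real stack's path is not on the page).
export const SAMPLE_PATH: string[] = [
  "CadPlatformtoolboxDevToolchain",
  "CdkPipelineDev",
  "CadPlatformDev",
  "Route53CrossAccountZoneDelegationRecord",
  "crossaccountzonedelegationhandlerrole",
];

// Pre-fix shape: "Policy" + an identifier built from the whole construct path, with no
// length guard. Stands in for `Policy${Names.uniqueId(this)}`; not CDK's implementation.
export function unboundedPolicyName(path: string[]): string {
  return `Policy${path.join("")}`;
}

// The tempting quick fix: cut the name at the limit. Distinct paths that share a long
// prefix then collapse onto a single policy name.
export function truncatedPolicyName(path: string[], maxLength = MAX_POLICY_NAME_LENGTH): string {
  return unboundedPolicyName(path).slice(0, maxLength);
}

// Length-safe shape (hypothetical, written for this example): keep a readable prefix and
// append a short hash of the full path, so the result fits the limit and different paths
// keep different names. Names already within the limit are returned unchanged, which is
// what keeps existing deployments from having their policies renamed and replaced.
export function safePolicyName(path: string[], maxLength = MAX_POLICY_NAME_LENGTH): string {
  const full = unboundedPolicyName(path);
  if (full.length <= maxLength) {
    return full;
  }
  const hash = createHash("sha256")
    .update(path.join("/"))
    .digest("hex")
    .slice(0, 8)
    .toUpperCase();
  return full.slice(0, maxLength - hash.length) + hash;
}

// The check CloudFormation applied in the error (#/PolicyName maxLength 128), plus IAM's
// allowed character set for policy names.
export function isValidPolicyName(name: string): boolean {
  return name.length >= 1 && name.length <= MAX_POLICY_NAME_LENGTH && /^[\w+=,.@-]+$/.test(name);
}

// Constructed paths for two roles that differ only in their last segment.
export const ROLE_A_PATH: string[] = ["Pipeline", "X".repeat(130), "HandlerRoleA"];
export const ROLE_B_PATH: string[] = ["Pipeline", "X".repeat(130), "HandlerRoleB"];

// True when a naming strategy gives both roles' policies the same name.
export function namesCollide(nameFn: (p: string[]) => string): boolean {
  return nameFn(ROLE_A_PATH) === nameFn(ROLE_B_PATH);
}
```

Run `safePolicyName(SAMPLE_PATH)` to get a 128-character name that passes `isValidPolicyName`, while `unboundedPolicyName(SAMPLE_PATH)` exceeds the limit; `namesCollide(truncatedPolicyName)` is true and `namesCollide(safePolicyName)` is false, which is the difference between a quick cut and a hash-suffixed truncation.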

paulhcsun pushed a commit to paulhcsun/aws-cdk that referenced this issue Jan 5, 2024
… in excessively long IAM policy names (aws#27548)