IAM: ArnPrincipal withSessionTags depends on order. #28426

Closed
kaiz-io opened this issue Dec 19, 2023 · 2 comments · Fixed by #28510
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management bug This issue is a bug. effort/small Small work item – less than a day of effort p2

Comments

kaiz-io commented Dec 19, 2023

Describe the bug

Order matters if you are using withConditions and withSessionTags on an ArnPrincipal.

withConditions will always work, but it appears withSessionTags has to go last.

Expected Behavior

That the order in which you call the methods would not matter, and that both modifications would occur.

Current Behavior

If you use withSessionTags and then withConditions, there is no sts:SessionTag.
If you use withConditions and then withSessionTags, there is sts:SessionTag.

Reproduction Steps

import * as cdk from 'aws-cdk-lib';
import { ArnPrincipal } from 'aws-cdk-lib/aws-iam';

// Works: withSessionTags comes after withConditions
new ArnPrincipal(
  cdk.Arn.format({
    service: 'iam',
    account: '123456789012',
    resource: 'role',
    resourceName: 'roletoassume',
    region: '',
    partition: 'aws',
  }),
).withConditions({
  StringEquals: {
    'aws:PrincipalTag/Tag1': 'value1',
    'aws:PrincipalTag/Tag2': 'value2',
  },
}).withSessionTags();

// Does not work (there is no sts:SessionTags in the resulting policy): withSessionTags comes before withConditions
new ArnPrincipal(
  cdk.Arn.format({
    service: 'iam',
    account: '123456789012',
    resource: 'role',
    resourceName: 'roletoassume',
    region: '',
    partition: 'aws',
  }),
).withSessionTags().withConditions({
  StringEquals: {
    'aws:PrincipalTag/Tag1': 'value1',
    'aws:PrincipalTag/Tag2': 'value2',
  },
});

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.115.0

Framework Version

No response

Node.js Version

18.17.1

OS

Ubuntu 22.04 - Linux

Language

TypeScript

Language Version

No response

Other information

No response
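The practical check for a bug like this is to inspect the trust policy that actually gets synthesized rather than trusting the builder chain. The following is an added example, not code from aws-cdk or from the issue reporter: it models the AssumeRolePolicyDocument JSON as cdk synth emits it for a role, and audits each statement that grants sts:AssumeRole for both sts:TagSession and the expected condition keys. The two policy documents are constructed samples that mirror the working and broken outcomes described above; the function and type names are this example's own.

```typescript
// Added example: audit a synthesized trust policy for dropped session-tag
// permissions. Not part of aws-cdk; names here are this example's own.

type StrOrList = string | string[];

interface Statement {
  Effect: 'Allow' | 'Deny';
  Action: StrOrList;
  Principal?: Record<string, StrOrList>;
  Condition?: Record<string, Record<string, StrOrList>>;
}

interface PolicyDocument {
  Version: string;
  Statement: Statement[];
}

interface Finding {
  statementIndex: number;
  problem: string;
}

function toList(v: StrOrList | undefined): string[] {
  if (v === undefined) return [];
  return Array.isArray(v) ? v : [v];
}

// Returns one finding per Allow statement that grants sts:AssumeRole but has
// lost sts:TagSession or one of the condition keys the author intended.
// An empty result means the policy is what a principal built with both
// withConditions(...) and withSessionTags() should produce.
function auditSessionTagTrustPolicy(doc: PolicyDocument, expectedConditionKeys: string[]): Finding[] {
  const findings: Finding[] = [];
  doc.Statement.forEach((stmt, i) => {
    if (stmt.Effect !== 'Allow') return;
    const actions = toList(stmt.Action);
    if (!actions.includes('sts:AssumeRole')) return;

    if (!actions.includes('sts:TagSession')) {
      findings.push({ statementIndex: i, problem: 'sts:TagSession missing from Action' });
    }

    // Collect every condition key regardless of operator (StringEquals, ...).
    const presentKeys = new Set<string>();
    for (const operator of Object.values(stmt.Condition ?? {})) {
      for (const key of Object.keys(operator)) presentKeys.add(key);
    }
    for (const key of expectedConditionKeys) {
      if (!presentKeys.has(key)) {
        findings.push({ statementIndex: i, problem: `condition key ${key} missing` });
      }
    }
  });
  return findings;
}

// Constructed sample: the outcome of withConditions(...).withSessionTags().
const GOOD_TRUST_POLICY: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Action: ['sts:AssumeRole', 'sts:TagSession'],
    Principal: { AWS: 'arn:aws:iam::123456789012:role/roletoassume' },
    Condition: { StringEquals: { 'aws:PrincipalTag/Tag1': 'value1', 'aws:PrincipalTag/Tag2': 'value2' } },
  }],
};

// Constructed sample: the outcome reported for withSessionTags().withConditions(...),
// where the sts:TagSession action was dropped but the conditions survived.
const BROKEN_TRUST_POLICY: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Action: 'sts:AssumeRole',
    Principal: { AWS: 'arn:aws:iam::123456789012:role/roletoassume' },
    Condition: { StringEquals: { 'aws:PrincipalTag/Tag1': 'value1', 'aws:PrincipalTag/Tag2': 'value2' } },
  }],
};

const EXPECTED_KEYS = ['aws:PrincipalTag/Tag1', 'aws:PrincipalTag/Tag2'];

console.log('good policy findings:', auditSessionTagTrustPolicy(GOOD_TRUST_POLICY, EXPECTED_KEYS));
console.log('broken policy findings:', auditSessionTagTrustPolicy(BROKEN_TRUST_POLICY, EXPECTED_KEYS));
```

In a CDK unit test the same audit can be run over the real output by passing the role's AssumeRolePolicyDocument taken from Template.fromStack(stack).toJSON() (aws-cdk-lib/assertions), which catches an order-dependent builder regression before the role is deployed with a trust policy that silently refuses tagged sessions.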

@kaiz-io kaiz-io added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Dec 19, 2023
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Dec 19, 2023
@khushail khushail added investigating This issue is being investigated and/or work is in progress to resolve the issue. p2 effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Dec 19, 2023
@khushail

@kaizio , thanks for reporting this.

sumupitchayan added a commit to lpizzinidev/aws-cdk that referenced this issue Dec 28, 2023
mergify bot added a commit to lpizzinidev/aws-cdk that referenced this issue Dec 30, 2023
kaizencc added a commit to lpizzinidev/aws-cdk that referenced this issue Dec 30, 2023
mergify bot added a commit to lpizzinidev/aws-cdk that referenced this issue Dec 30, 2023
@mergify mergify bot closed this as completed in #28510 Dec 30, 2023
mergify bot pushed a commit that referenced this issue Dec 30, 2023
Calling `withConditions` after `withSessionTags` will override the existing `sts:TagSession` action for the statement.
This implementation fixes the issue.

Closes #28426.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

paulhcsun pushed a commit to paulhcsun/aws-cdk that referenced this issue Jan 5, 2024
Calling `withConditions` after `withSessionTags` will override the existing `sts:TagSession` action for the statement.
This implementation fixes the issue.

Closes aws#28426.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*