(IAM): (Adding multiple AccountPrincipal to a trust policy role) #30185
Comments
awsrookie18
added
bug
github-actions
bot
added
the
@aws-cdk/aws-iam
khushail
added
the
investigating
|
@khushail I think found one of the solution to do this but it is working half of what i am expecting `const role = new iam.Role(this, 'role', { role.assumeRolePolicy?.addStatements(new iam.PolicyStatement({ or this code This kind of solve the problem but here again the JSON will be "AWS": [ "53674143", "25682590", "67690013"] |
|
Hi @awsrookie18 , thanks for reaching out. I am not sure that removing complete arn and just keeping the account id would be good idea. AFAIK, Complete arn would help aws in identifying the principal arn however keeping only the value might not be correct approach for implementation. There are multiple ways of adding principals. This one mentioned here is also executable and works fine and produces the same synthesized template as given below . I tried another simpler way of adding multiple principals (as you also shared) with using Composite principal and it worked fine as its supposed to do. Sharing the code and generated template - code - Template - Here is CDK doc on how multiple principals can be added using Hope that helps in clarification! |
khushail
added
guidance
|
Hi @khushail Yes this does get the job done. But we have many accountid's to be provisioned and we are looking for cutting down the length as we have already crossed 4KB max length. "Principal" : { So for that reason i was looking for only accountid to be part of this principal and makes things easier for us. |
Oh, I see that. Thanks for sharing that article. Let me do investigate this one and get back to you. |
khushail
added
investigating
|
Not sure about the link you shared. This created a single policy statement for each account. What i am looking for is single policy statement with multiple AWS account as an array. Now only thing that i am confused is https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#Principal_specifying this and achieving this with CDK. Thank you for taking the time to investigate this. 👍 |
|
@awsrookie18 , I don't see any way of getting the result in form of array as mentioned here. This might be a good feature request so marking it as one. Contribution from the community are welcome!! |
khushail
added
p2
feature-request
khushail
removed
guidance
|
You can implement a custom class like this: export class CustomPrincipal extends iam.PrincipalBase {
constructor(public readonly arn: string[]) {
super();
}
public get policyFragment(): iam.PrincipalPolicyFragment {
return new iam.PrincipalPolicyFragment({ AWS: this.arn });
}
public dedupeString(): string | undefined {
return undefined
}
}
export class DummyStack extends Stack {
constructor(scope: Construct, id: string, props: StackProps) {
super(scope, id, props);
const trustedAccounts = ['111111111111', '222222222222'];
new iam.Role(this, 'Role', {
assumedBy: new CustomPrincipal(trustedAccounts)
});
}
}You get this on synth: Resources:
Role1ABCC5F0:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
AWS:
- "111111111111"
- "222222222222"
Version: "2012-10-17"Let me know if it works for you. |
pahud
added
the
response-requested
|
This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled. |
github-actions
bot
added
the
closing-soon
github-actions
bot
removed
the
closing-soon
github-actions
bot
added
the
closed-for-staleness
Describe the bug
We are having issues with policy length of 4kb limit and earlier we were creating single object for each aws acount.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::<account2>:root" }, "Action": "sts:AssumeRole" }, { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::<account1>:root" }, "Action": "sts:AssumeRole" } ] }Because of the limit issue we now want to go ahead with array of account id's in a single object
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": ["<accountid1>", "<accountid2>"] }, "Action": "sts:AssumeRole" } ] }But the CDK construct expects only a string and not an array. But it is possible to do it via AWS console.
Tried using the latest AWS CDK version but no help.
Does anybody have any solution?
Expected Behavior
Through CDK we want to achieve multiple aws accounts in a single array.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": ["<accountid1>", "<accountid2>"] }, "Action": "sts:AssumeRole" } ] }Current Behavior
It creates separate objects for separate accountid's. This is creating problem with policy length.
Reproduction Steps
Tried multiple ways but no luck
const compositePrincipal = new cdk.aws_iam.CompositePrincipal( ...accountsToAllowAssumedBy.map((account) => new cdk.aws_iam.AccountPrincipal(account)) //Spread Operator (...) );const policyStatement = new cdk.aws_iam.PolicyStatement({actions: ["sts:AssumeRole"], effect: Effect.ALLOW }) policyStatement.addAwsAccountPrincipal('246597006913'); policyStatement.addAwsAccountPrincipal('344777163811');Currently no approaches are working.
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
2.141.0
Framework Version
No response
Node.js Version
18
OS
windows
Language
TypeScript
Language Version
No response
Other information
No response
The text was updated successfully, but these errors were encountered: