Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

aws-iam: Allow string | string[] in FederatedPrincipal assumeRoleAction #15908

Closed
1 of 2 tasks
simonireilly opened this issue Aug 5, 2021 · 6 comments · Fixed by #17689
Closed
1 of 2 tasks

aws-iam: Allow string | string[] in FederatedPrincipal assumeRoleAction #15908

simonireilly opened this issue Aug 5, 2021 · 6 comments · Fixed by #17689
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p1

Comments

@simonireilly
Copy link
Contributor

Allow string | string[] in FederatedPrincipal.

This is required when using cognito with principal tag mapping.

Use Case

AWS has a brief video explaining the use case here: https://www.youtube.com/watch?v=tAUmz94O2Qo

The use case is that, if a cognito user from a user pool is authenticated, then their claims can be forwarded to the policy document to allow for fine-grained access control e.g.

    /**
     * Policy that enables a tenant to access their entire org's data
     */
    const tenantPolicy = new PolicyStatement({
      sid: "AllowPrecedingKeysToDynamoDBOrganisation",
      effect: Effect.ALLOW,
      actions: [
        "dynamodb:GetItem",
        "dynamodb:Query"
      ],
      resources: [
        table.tableArn
      ],
      conditions: {
        "ForAllValues:StringLike": {
          "dynamodb:LeadingKeys": [
            "${aws:PrincipalTag/org}#*"
          ]
        }
      },
    })

In order to support deploying FederatedPrincipal policies via @aws-cdk/aws-iam which use sts:TagSession and sts:AssumeRoleWithWebIdentity currently this work around is required:

    const role = new iam.Role(this, "IdentityPoolAuthRole", {
      assumedBy: new iam.FederatedPrincipal(
        "cognito-identity.amazonaws.com",
        {
          StringEquals: {
            "cognito-identity.amazonaws.com:aud": identityPool.ref,
          },
          "ForAnyValue:StringLike": {
            "cognito-identity.amazonaws.com:amr": "authenticated",
          },
        },
        // @ts-ignore
        [
          "sts:AssumeRoleWithWebIdentity",
          "sts:TagSession"
        ] as string
      ),
    });

The underlying base principal supports having the this.assumeRoleAction set as a string array, but the allowed types have been restricted on the child class

aws-cdk/packages/@aws-cdk/aws-iam/lib/principals.ts

Lines 426 to 442 in fdce08c

export class FederatedPrincipal extends PrincipalBase {
public readonly assumeRoleAction: string;
/**
*
* @param federated federated identity provider (i.e. 'cognito-identity.amazonaws.com' for users authenticated through Cognito)
* @param conditions The conditions under which the policy is in effect.
* See [the IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).
*/
constructor(
public readonly federated: string,
public readonly conditions: Conditions,
assumeRoleAction: string = 'sts:AssumeRole') {
super();
this.assumeRoleAction = assumeRoleAction;
}

Proposed Solution

aws-cdk/packages/@aws-cdk/aws-iam/lib/principals.ts

Line 427 in fdce08c

public readonly assumeRoleAction: string;

Is update to

public readonly assumeRoleAction: string | string[];

Other

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request
@simonireilly simonireilly added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Aug 5, 2021
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Aug 5, 2021
@simonireilly simonireilly mentioned this issue Aug 5, 2021
Open
@rix0rrr
Copy link
Contributor

rix0rrr commented Aug 10, 2021

Your proposed solution will not work, as string | string[] is not allowable by jsii.

But I agree this should be fixed, probably by adding a new field assumeRoleActions?: string[] and requiring that users supply either one or the other.

@rix0rrr rix0rrr added effort/small Small work item – less than a day of effort p1 and removed needs-triage This issue or PR still needs to be triaged. labels Aug 10, 2021
@rix0rrr rix0rrr removed their assignment Aug 10, 2021
@simonireilly
Copy link
Contributor Author

Thanks @rix0rrr , I am not familiar with jsii internals, so that helps 👍

@simonireilly simonireilly mentioned this issue Sep 30, 2021
Closed
@Dachmian
Copy link

@simonireilly Any ETA on the PR and release that fixes this issue? We currently need this functionality in our project and are using the workaround proposed here

@simonireilly
Copy link
Contributor Author

@simonireilly Any ETA on the PR and release that fixes this issue? We currently need this functionality in our project and are using the workaround proposed here

PR is open, awaiting comments: #16725

It's a fix, but not ideal. I think the other option is to rewrite entire IPrincipal to take a string[] instead of string in assume role action and publish under a feature flag.

Awaiting comments for @rix0rrr

This was referenced Nov 14, 2021
Open
Closed
rix0rrr added a commit that referenced this issue Nov 24, 2021
@rix0rrr
feat(iam): enable session tagging
742538e 
To allow session tagging, the `sts:TagSession` permission needs to
be added to the role's AssumeRolePolicyDocument.

Introduce a new principal which enables this, and add a convenience
method `.withSessionTags()` to the `PrincipalBase` class so all
built-in principals will have this convenience method by default.

To build this, we had to get rid of some cruft and assumptions around
policy documents and statements, and defer more power to the
`IPrincipal` objects themselves. In order not to break existing
implementors, introduce a new interface `IAssumeRolePrincipal` which
knows how to add itself to an AssumeRolePolicyDocument and gets complete
freedom doing so.

That same new interface could be used to lift some old limitations on
`CompositePrincipal` so did that as well.

Fixes #15908, closes #16725, fixes #2041, fixes #1578.
@rix0rrr rix0rrr mentioned this issue Nov 24, 2021
Merged
@mergify mergify bot closed this as completed in #17689 Dec 16, 2021
mergify bot pushed a commit that referenced this issue Dec 16, 2021
@rix0rrr
feat(iam): session tagging (#17689)
9f22b2f 
To allow session tagging, the `sts:TagSession` permission needs to
be added to the role's AssumeRolePolicyDocument.

Introduce a new principal which enables this, and add a convenience
method `.withSessionTags()` to the `PrincipalBase` class so all
built-in principals will have this convenience method by default.

To build this, we had to get rid of some cruft and assumptions around
policy documents and statements, and defer more power to the
`IPrincipal` objects themselves. In order not to break existing
implementors, introduce a new interface `IAssumeRolePrincipal` which
knows how to add itself to an AssumeRolePolicyDocument and gets complete
freedom doing so.

That same new interface could be used to lift some old limitations on
`CompositePrincipal` so did that as well.

Fixes #15908, closes #16725, fixes #2041, fixes #1578.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@Dachmian
Copy link

Much obliged🙌

TikiTDO pushed a commit to TikiTDO/aws-cdk that referenced this issue Feb 21, 2022
@rix0rrr @TikiTDO
feat(iam): session tagging (aws#17689)
2b894b9 
To allow session tagging, the `sts:TagSession` permission needs to
be added to the role's AssumeRolePolicyDocument.

Introduce a new principal which enables this, and add a convenience
method `.withSessionTags()` to the `PrincipalBase` class so all
built-in principals will have this convenience method by default.

To build this, we had to get rid of some cruft and assumptions around
policy documents and statements, and defer more power to the
`IPrincipal` objects themselves. In order not to break existing
implementors, introduce a new interface `IAssumeRolePrincipal` which
knows how to add itself to an AssumeRolePolicyDocument and gets complete
freedom doing so.

That same new interface could be used to lift some old limitations on
`CompositePrincipal` so did that as well.

Fixes aws#15908, closes aws#16725, fixes aws#2041, fixes aws#1578.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@lobanov lobanov mentioned this issue Jul 22, 2024
Open
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p1
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat(iam): session tagging aws/aws-cdk
feat(iam): Assume role actions simonireilly/aws-cdk
3 participants
@rix0rrr @Dachmian @simonireilly