feat(iam): Assume role actions #16725
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
|
simonireilly
changed the title
peterwoodworth
changed the title
github-actions
bot
added
the
@aws-cdk/aws-iam
rix0rrr
previously requested changes
Oct 27, 2021
simonireilly
force-pushed
the
feat-15908-assume-role-actions
branch
from
ba0868b to
2ac6cb3
Compare
simonireilly
commented
Oct 27, 2021
simonireilly
commented
Oct 27, 2021
| @@ -141,6 +151,25 @@ export abstract class PrincipalBase implements IPrincipal { | |||
| public withConditions(conditions: Conditions): IPrincipal { | |||
| return new PrincipalWithConditions(this, conditions); | |||
| } | |||
|
|
|||
| /** | |||
There was a problem hiding this comment.
My thoughts here are that it would be very difficult to change the public API of all the Principals.
However, that might be a better long term solution.
Additionally another approach would be to not attempt to support extension at all, and just create a new class e.g. PrincipalWithAssumeRoleActions.
Please give some advise 👍
simonireilly
commented
Oct 27, 2021
| @@ -486,7 +486,12 @@ export interface IRole extends IIdentity { | |||
| function createAssumeRolePolicy(principal: IPrincipal, externalIds: string[]) { | |||
| const statement = new AwsStarStatement(); | |||
| statement.addPrincipals(principal); | |||
| statement.addActions(principal.assumeRoleAction); | |||
|
|
|||
| if (Array.isArray(principal.assumeRoleActions) && principal.assumeRoleActions.length > 1) { | |||
There was a problem hiding this comment.
Given we have assumeRoleActions, which includes more than just the base assumeRoleAction then we would favour the full set of actions from the array, instead of the single action.
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
2 tasks
rix0rrr
added a commit
that referenced
this pull request
Nov 24, 2021
To allow session tagging, the `sts:TagSession` permission needs to be added to the role's AssumeRolePolicyDocument. Introduce a new principal which enables this, and add a convenience method `.withSessionTags()` to the `PrincipalBase` class so all built-in principals will have this convenience method by default. To build this, we had to get rid of some cruft and assumptions around policy documents and statements, and defer more power to the `IPrincipal` objects themselves. In order not to break existing implementors, introduce a new interface `IAssumeRolePrincipal` which knows how to add itself to an AssumeRolePolicyDocument and gets complete freedom doing so. That same new interface could be used to lift some old limitations on `CompositePrincipal` so did that as well. Fixes #15908, closes #16725, fixes #2041, fixes #1578.
|
Hi @simonireilly, thanks for the submission. I got inspired while reviewing this and figured it's long past time to lift some old limitations. I decided to try and tackle this differently. Have a look at this and see if this would solve the problem for you: #17689 |
Awesome! Let's close this draft, I look forward to using this feature, thanks @rix0rrr |
mergify bot
pushed a commit
that referenced
this pull request
Dec 16, 2021
To allow session tagging, the `sts:TagSession` permission needs to be added to the role's AssumeRolePolicyDocument. Introduce a new principal which enables this, and add a convenience method `.withSessionTags()` to the `PrincipalBase` class so all built-in principals will have this convenience method by default. To build this, we had to get rid of some cruft and assumptions around policy documents and statements, and defer more power to the `IPrincipal` objects themselves. In order not to break existing implementors, introduce a new interface `IAssumeRolePrincipal` which knows how to add itself to an AssumeRolePolicyDocument and gets complete freedom doing so. That same new interface could be used to lift some old limitations on `CompositePrincipal` so did that as well. Fixes #15908, closes #16725, fixes #2041, fixes #1578. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
TikiTDO
pushed a commit
to TikiTDO/aws-cdk
that referenced
this pull request
Feb 21, 2022
To allow session tagging, the `sts:TagSession` permission needs to be added to the role's AssumeRolePolicyDocument. Introduce a new principal which enables this, and add a convenience method `.withSessionTags()` to the `PrincipalBase` class so all built-in principals will have this convenience method by default. To build this, we had to get rid of some cruft and assumptions around policy documents and statements, and defer more power to the `IPrincipal` objects themselves. In order not to break existing implementors, introduce a new interface `IAssumeRolePrincipal` which knows how to add itself to an AssumeRolePolicyDocument and gets complete freedom doing so. That same new interface could be used to lift some old limitations on `CompositePrincipal` so did that as well. Fixes aws#15908, closes aws#16725, fixes aws#2041, fixes aws#1578. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
fixes #15908
Description
Assume role policies can have a string array of actions.
To support this, if the principal has the optional attribute:
Then it is used as the actions, in the created AssumeRolePolicy.
The default behaviour; of a string being assigned, is not changed.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license