Comments (3)
This is because iam.User.fromUserArn() does not return the principalAccount correctly.
PoC
```typescript
import { Stack, StackProps, CfnOutput } from 'aws-cdk-lib';
import * as iam from 'aws-cdk-lib/aws-iam';
import { Construct } from 'constructs';

export class DummyStack extends Stack {
  constructor(scope: Construct, id: string, props: StackProps) {
    super(scope, id, props);
    // Both principals live in account 123456789012, not in the deploying account.
    const externalIamUser = 'arn:aws:iam::123456789012:user/OthersExternalIamUser';
    const externalIamRole = 'arn:aws:iam::123456789012:role/OthersExternalIamUser';
    const granteeUser = iam.User.fromUserArn(this, 'OthersExternalIamUser', externalIamUser);
    const granteeRole = iam.Role.fromRoleArn(this, 'OthersExternalIamRole', externalIamRole);
    new CfnOutput(this, 'principalAccountUser', { value: granteeUser.grantPrincipal.principalAccount! });
    new CfnOutput(this, 'principalAccountRole', { value: granteeRole.grantPrincipal.principalAccount! });
  }
}
```

Outputs:

```text
dummy-stack2.principalAccountRole = 123456789012
dummy-stack2.principalAccountUser = <your_own_account>
```
See the different implementation between fromUserArn() and fromRoleArn().
We are getting the principal account with Aws.ACCOUNT_ID, which presumes it is always the same account, and that is the root cause of this bug.
Making this a p1 bug.
from aws-cdk.
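To make the root cause concrete, here is an added stand-alone illustration (not aws-cdk-lib code) of the two ways principalAccount can be derived: the buggy way described above, which uses the deploying account, and the way fromRoleArn() behaves, which reads the account out of the ARN. The account ids and the helper names are constructed for the example.

```typescript
// Added illustration, not aws-cdk-lib code: derive principalAccount from an IAM ARN
// the way fromRoleArn() does, instead of assuming the stack's own account.
interface ParsedArn {
  partition: string;
  service: string;
  region: string;
  account: string;
  resource: string;
}

// Split "arn:partition:service:region:account:resource"; the resource part may contain ':'.
export function parseArn(arn: string): ParsedArn {
  const parts = arn.split(':');
  if (parts.length < 6 || parts[0] !== 'arn') {
    throw new Error(`not an ARN: ${arn}`);
  }
  const [, partition, service, region, account, ...rest] = parts;
  return { partition, service, region, account, resource: rest.join(':') };
}

// Buggy behaviour described in the issue: principalAccount is the deploying account,
// regardless of which account the imported user actually lives in.
export function principalAccountBuggy(_userArn: string, stackAccount: string): string {
  return stackAccount; // stands in for Aws.ACCOUNT_ID
}

// Expected behaviour: take the account from the ARN itself; an imported IAM principal
// may belong to a different account from the one deploying the stack.
export function principalAccountFromArn(arn: string): string {
  const { service, account } = parseArn(arn);
  if (service !== 'iam' || account === '') {
    throw new Error(`expected an IAM principal ARN with an account id: ${arn}`);
  }
  return account;
}

// True when the grantee lives outside the deploying account, which is the case a
// resource policy (rather than an identity policy in the grantee's account) has to cover.
export function isCrossAccount(arn: string, stackAccount: string): boolean {
  return principalAccountFromArn(arn) !== stackAccount;
}

// Constructed sample values (not real accounts).
const STACK_ACCOUNT = '111111111111';
const externalUser = 'arn:aws:iam::123456789012:user/OthersExternalIamUser';
console.log(principalAccountBuggy(externalUser, STACK_ACCOUNT)); // 111111111111
console.log(principalAccountFromArn(externalUser));              // 123456789012
console.log(isCrossAccount(externalUser, STACK_ACCOUNT));        // true
```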
Hi @wbertore, thanks for reaching out. It is highly suggested to use the latest CDK version. Nevertheless, it looks like with the latest CDK version 2.139 and with CDK 2.77, I am able to successfully synth and deploy the code with the external user policy created.
```typescript
import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { ITopic, Topic } from 'aws-cdk-lib/aws-sns';
import { User } from 'aws-cdk-lib/aws-iam';

export class GrantPublishStack extends cdk.Stack {
  public readonly mytopic: ITopic;
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    this.mytopic = new Topic(this, 'MyTopic', {
      displayName: 'MyTopic',
    });
    // Grant publish to an IAM user imported by ARN from another account (account id redacted).
    this.mytopic.grantPublish(User.fromUserArn(this, 'OtherExternaluser', 'arn:aws:iam::55**********:user/admin'));
  }
}
```
This is the synth template which has the policy for the external user mentioned in the code -
```json
{
  "Resources": {
    "MyTopic86869434": {
      "Type": "AWS::SNS::Topic",
      "Properties": {
        "DisplayName": "MyTopic"
      },
      "Metadata": {
        "aws:cdk:path": "GrantPublishStack/MyTopic/Resource"
      }
    },
    "OtherExternaluserPolicyCD96E322": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": "sns:Publish",
              "Effect": "Allow",
              "Resource": {
                "Ref": "MyTopic86869434"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "OtherExternaluserPolicyCD96E322",
        "Users": [
          "admin"
        ]
      },
      "Metadata": {
        "aws:cdk:path": "GrantPublishStack/OtherExternaluser/Policy/Resource"
      }
    },
    "CDKMetadata": {
      "Type": "AWS::CDK::Metadata",
      "Properties": {
        "Analytics": "v2:deflate64:H4sIAAAAAAAA/03IPQ7CMAxA4bN0TwwpC8y9ACrdUXCC5P7YqE5BKMrdoXRhep9eDe5wgn3lX2oxDHakG+RL8jiY77pmZYXcyYPQNHf+oRjyE+SzjITv9W4qxbRRZZkxrvPfjXCgRMLFsIQIve6e7giuBlf1SmTnhRNNEdqtH+S0s/2VAAAA"
      },
      "Metadata": {
        "aws:cdk:path": "GrantPublishStack/CDKMetadata/Default"
      },
      "Condition": "CDKMetadataAvailable"
    }
  },
```
Snippet for the successful deployment with CDK 2.77 -
However I see some policy missing in the console, despite being successful. Diving deep to get to the root cause of what could be going wrong.
from aws-cdk.
By the way, it's generally not recommended to use an IAM user like that; an IAM role is always recommended. While this is a bug we need to fix, is there any reason you have to use iam.User rather than iam.Role?
from aws-cdk.