
Comments (3)

pahud commented on June 10, 2024

This is because iam.User.fromUserArn() does not return the principalAccount correctly.

PoC

import { Stack, StackProps, CfnOutput } from 'aws-cdk-lib';
import * as iam from 'aws-cdk-lib/aws-iam';
import { Construct } from 'constructs';

export class DummyStack extends Stack {
  constructor(scope: Construct, id: string, props: StackProps) {
    super(scope, id, props);

    // Both ARNs belong to account 123456789012, which is not the deploying account.
    const externalIamUser = 'arn:aws:iam::123456789012:user/OthersExternalIamUser';
    const externalIamRole = 'arn:aws:iam::123456789012:role/OthersExternalIamUser';
    const granteeUser = iam.User.fromUserArn(this, 'OthersExternalIamUser', externalIamUser);
    const granteeRole = iam.Role.fromRoleArn(this, 'OthersExternalIamRole', externalIamRole);
    // Output the account each imported principal reports; the two should match.
    new CfnOutput(this, 'principalAccountUser', { value: granteeUser.grantPrincipal.principalAccount! });
    new CfnOutput(this, 'principalAccountRole', { value: granteeRole.grantPrincipal.principalAccount! });
  }
}

Outputs:
dummy-stack2.principalAccountRole = 123456789012
dummy-stack2.principalAccountUser = <your_own_account>

See the different implementations of fromUserArn() and fromRoleArn().

We are getting the principal account with Aws.ACCOUNT_ID, which always presumes the same account, and that is the root cause of this bug.

Making this a p1 bug.

from aws-cdk.

khushail commented on June 10, 2024

Hi @wbertore, thanks for reaching out. It is highly suggested to use the latest CDK version. Nevertheless, it looks like with the latest CDK version 2.139 and with CDK 2.77, I am able to successfully synth and deploy the code with the external user policy created.

import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { ITopic, Topic } from 'aws-cdk-lib/aws-sns';
import { User } from 'aws-cdk-lib/aws-iam';

export class GrantPublishStack extends cdk.Stack {
  public readonly mytopic: ITopic;
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    this.mytopic = new Topic(this, 'MyTopic', {
      displayName: 'MyTopic',
    });

    // Grant publish to a user imported by ARN from another account (account id redacted in the original).
    this.mytopic.grantPublish(User.fromUserArn(this, 'OtherExternaluser', 'arn:aws:iam::55**********:user/admin'));
  }
}

This is the synth template which has the policy for the external user mentioned in the code -


{
 "Resources": {
  "MyTopic86869434": {
   "Type": "AWS::SNS::Topic",
   "Properties": {
    "DisplayName": "MyTopic"
   },
   "Metadata": {
    "aws:cdk:path": "GrantPublishStack/MyTopic/Resource"
   }
  },
  "OtherExternaluserPolicyCD96E322": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": "sns:Publish",
       "Effect": "Allow",
       "Resource": {
        "Ref": "MyTopic86869434"
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "OtherExternaluserPolicyCD96E322",
    "Users": [
     "admin"
    ]
   },
   "Metadata": {
    "aws:cdk:path": "GrantPublishStack/OtherExternaluser/Policy/Resource"
   }
  },
  "CDKMetadata": {
   "Type": "AWS::CDK::Metadata",
   "Properties": {
    "Analytics": "v2:deflate64:H4sIAAAAAAAA/03IPQ7CMAxA4bN0TwwpC8y9ACrdUXCC5P7YqE5BKMrdoXRhep9eDe5wgn3lX2oxDHakG+RL8jiY77pmZYXcyYPQNHf+oRjyE+SzjITv9W4qxbRRZZkxrvPfjXCgRMLFsIQIve6e7giuBlf1SmTnhRNNEdqtH+S0s/2VAAAA"
   },
   "Metadata": {
    "aws:cdk:path": "GrantPublishStack/CDKMetadata/Default"
   },
   "Condition": "CDKMetadataAvailable"
  }
 }
}

Snippet for the successful deployment with CDK 2.77 -
[Screenshot 2024-04-30 at 1:35:39 PM]

However, I see some policy missing in the console despite the deployment succeeding. Diving deep to get to the root cause of what could be going wrong.

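The two comments above fit together: the first explains that fromUserArn() takes the principal account from Aws.ACCOUNT_ID instead of the ARN, and the synth template in the second shows the consequence, an AWS::IAM::Policy whose Users entry is the bare name "admin" with no account attached. AWS::IAM::Policy can only attach to users in the deploying account, so that policy either fails to deploy (no such user) or lands on an unrelated user called "admin" in the deploying account, while the intended external principal never receives the grant. The following added example is not aws-cdk-lib code; it is a simplified model of the decision a grant has to make, and every name in it (parseIamArn, planGrantBuggy, planGrantFixed, renderGrant) is hypothetical. It parses the IAM ARN properly, contrasts the buggy "assume my own account" decision with the fixed "compare the ARN's account with the deploying account" one, and renders the CloudFormation resource each decision produces, so the cross-account case can be seen next to the identity policy shown above.

```typescript
// Added example (not aws-cdk-lib code): a minimal model of the decision a
// CDK grant has to make, driven by the account parsed from the grantee ARN.
// All names here (parseIamArn, planGrant*, renderGrant) are hypothetical.

interface IamArn {
  partition: string;
  account: string;
  resourceType: 'user' | 'role';
  resourceName: string;
}

// Parse arn:<partition>:iam::<account>:<user|role>/[path/]<name>.
// Anything else is rejected rather than guessed, because substituting the
// deploying account for the real one is exactly the bug in the thread.
function parseIamArn(arn: string): IamArn {
  const parts = arn.split(':');
  if (parts.length !== 6 || parts[0] !== 'arn' || parts[2] !== 'iam' || parts[3] !== '') {
    throw new Error(`not an IAM ARN: ${arn}`);
  }
  const partition = parts[1] ?? '';
  const account = parts[4] ?? '';
  const resource = parts[5] ?? '';
  if (!/^\d{12}$/.test(account)) {
    throw new Error(`invalid account id in ARN: ${arn}`);
  }
  const slash = resource.indexOf('/');
  if (slash < 0) {
    throw new Error(`IAM resource without a name: ${arn}`);
  }
  const resourceType = resource.slice(0, slash);
  if (resourceType !== 'user' && resourceType !== 'role') {
    throw new Error(`unsupported IAM resource type "${resourceType}" in ${arn}`);
  }
  // A path may sit between the type and the name (role/service-role/MyRole).
  const resourceName = resource.slice(resource.lastIndexOf('/') + 1);
  return { partition, account, resourceType, resourceName };
}

type GrantPlan =
  | { kind: 'identity-policy'; attachTo: string }      // AWS::IAM::Policy, attached by name in the deploying account
  | { kind: 'resource-policy'; principalArn: string }; // AWS::SNS::TopicPolicy with an explicit Principal

// Buggy decision: the grantee's account is taken to be the deploying account
// (the Aws.ACCOUNT_ID behaviour described above), so an identity policy is
// always emitted, even for a principal that lives in another account.
function planGrantBuggy(granteeArn: string): GrantPlan {
  return { kind: 'identity-policy', attachTo: parseIamArn(granteeArn).resourceName };
}

// Fixed decision: compare the account in the ARN with the deploying account.
// A cross-account grantee can only be authorised through the resource's own policy.
function planGrantFixed(granteeArn: string, deployingAccount: string): GrantPlan {
  const grantee = parseIamArn(granteeArn);
  if (grantee.account === deployingAccount) {
    return { kind: 'identity-policy', attachTo: grantee.resourceName };
  }
  return { kind: 'resource-policy', principalArn: granteeArn };
}

// Render the CloudFormation resource each plan produces for an sns:Publish grant.
function renderGrant(plan: GrantPlan, topicLogicalId: string): Record<string, unknown> {
  const statement: Record<string, unknown> = {
    Action: 'sns:Publish',
    Effect: 'Allow',
    Resource: { Ref: topicLogicalId },
  };
  if (plan.kind === 'identity-policy') {
    return {
      Type: 'AWS::IAM::Policy',
      Properties: {
        PolicyDocument: { Statement: [statement], Version: '2012-10-17' },
        Users: [plan.attachTo],
      },
    };
  }
  return {
    Type: 'AWS::SNS::TopicPolicy',
    Properties: {
      PolicyDocument: {
        Statement: [{ ...statement, Principal: { AWS: plan.principalArn } }],
        Version: '2012-10-17',
      },
      Topics: [{ Ref: topicLogicalId }],
    },
  };
}

// Constructed sample: the external user from the first comment, deployed from a different account.
const EXTERNAL_USER = 'arn:aws:iam::123456789012:user/OthersExternalIamUser';
const DEPLOYING_ACCOUNT = '111111111111';

console.log(JSON.stringify(renderGrant(planGrantBuggy(EXTERNAL_USER), 'MyTopic86869434'), null, 1));
console.log(JSON.stringify(renderGrant(planGrantFixed(EXTERNAL_USER, DEPLOYING_ACCOUNT), 'MyTopic86869434'), null, 1));
```

Running it prints the same kind of AWS::IAM::Policy as the synth template above for the buggy plan, and an AWS::SNS::TopicPolicy naming the external ARN as Principal for the fixed one. In real CDK code you would not hand-parse the ARN; aws-cdk-lib's Arn.split does that, and the only point being modelled is that the account must come from the ARN rather than from Aws.ACCOUNT_ID, which is what the role outputs in the first comment already show fromRoleArn() doing.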

pahud commented on June 10, 2024

By the way, it's generally not recommended to use an IAM user like that; an IAM role is always recommended. While this is a bug we need to fix, is there any reason you have to use iam.User rather than iam.Role?
