
fix(iam): managed-policy can again be granted actions on resources #33115

Open
wants to merge 2 commits into main

Conversation

QuantumNeuralCoder

Closes #32795.

Reason for this change

Before this change, ManagedPolicy explicitly threw an error for statements like the following for TableV2. This was supported in v2.131.

    import { ManagedPolicy } from 'aws-cdk-lib/aws-iam';
    import { TableV2 } from 'aws-cdk-lib/aws-dynamodb';

    // `policy` is a ManagedPolicy defined in this stack; `arnForTable` is the ARN of an existing table.
    const table = TableV2.fromTableArn(this, 'Table', arnForTable);
    table.grantReadWriteData(policy); // threw before this change

Description of changes

What code changes did you make?

policyFragment now returns an empty PrincipalPolicyFragment. This enables the user to attach actions to policies. The generated CFN template will now contain the required actions, effects and resources blocks. It will still require the app to attach this policy to a Principal, user or role for it to work.

Have you made any important design decisions?
See above.

What AWS use cases does this change enable? To enable the use cases, which AWS service features are utilized?
Restores parity with a feature, available until 2.131, which allowed CDK apps to grant actions on resources to generate Policy Fragments for managed resources.

Describe any new or updated permissions being added

None

Description of how you validated changes

Yes to Both.
The integration test has been majorly refactored to do deployment checks in addition to the CFN checks.

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@github-actions github-actions bot added the p2 label Jan 24, 2025
@aws-cdk-automation aws-cdk-automation requested a review from a team January 24, 2025 02:01
@github-actions github-actions bot added the beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK label Jan 24, 2025
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment
(This review is outdated)

@rix0rrr rix0rrr added pr-linter/exempt-codecov The PR linter will not require codecov checks to pass and removed pr-linter/exempt-codecov The PR linter will not require codecov checks to pass labels Jan 24, 2025
@QuantumNeuralCoder QuantumNeuralCoder changed the title fix(iam): ManagedPolicy can again be granted actions on resources fix(iam): managed-policy can again be granted actions on resources Jan 27, 2025
@aws-cdk-automation aws-cdk-automation dismissed their stale review January 27, 2025 18:17

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@aws-cdk-automation aws-cdk-automation added pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. labels Jan 27, 2025
codecov bot commented Jan 27, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 80.78%. Comparing base (3e4f377) to head (1abd6b4).
Report is 126 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #33115      +/-   ##
==========================================
- Coverage   81.48%   80.78%   -0.70%     
==========================================
  Files         226      232       +6     
  Lines       13768    14111     +343     
  Branches     2416     2453      +37     
==========================================
+ Hits        11219    11400     +181     
- Misses       2271     2431     +160     
- Partials      278      280       +2     
Flag Coverage Δ
suite.unit 80.78% <ø> (-0.70%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Components Coverage Δ
packages/aws-cdk 79.51% <ø> (-1.38%) ⬇️
packages/aws-cdk-lib/core 82.17% <ø> (+0.07%) ⬆️

Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

(This review is outdated)

Collaborator

@aws-cdk-automation aws-cdk-automation left a comment
The pull request linter fails with the following errors:

❌ CodeCov is indicating a drop in code coverage

If you believe this pull request should receive an exemption, please comment and provide a justification. A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed, add Clarification Request to a comment.

@aws-cdk-automation aws-cdk-automation dismissed their stale review January 27, 2025 18:46

Dismissing outdated PRLinter review.

@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 1abd6b4
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@aws-cdk-automation aws-cdk-automation removed the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Jan 27, 2025
@@ -336,7 +336,8 @@ class ManagedPolicyGrantPrincipal implements IPrincipal {
// This property is referenced to add policy statements as a resource-based policy.
// We should fail because a managed policy cannot be used as a principal of a policy document.
// cf. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#Principal_specifying
throw new Error(`Cannot use a ManagedPolicy '${this._managedPolicy.node.path}' as the 'Principal' or 'NotPrincipal' in an IAM Policy`);
// I32795: Restoring a previous feature where a grant for a managed policy would generate policy document with actions as a CDK feature. This managed policy needs to be attached to a role or principal for it to be used meaningfully.
return new PrincipalPolicyFragment({});
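Review bot: the comment kept directly above the new return still says "We should fail because a managed policy cannot be used as a principal of a policy document", which now contradicts `return new PrincipalPolicyFragment({});`; fold the new I32795 comment into it so the getter documents one behaviour, and drop the stale "We should fail" sentence. The replacement comment should also say what a caller receives: the fragment is constructed from `{}`, so it carries no principal JSON, and any code path that consumes `policyFragment` to build a resource-based statement (the cross-account branch of Grant.addToPrincipalOrResource discussed in the review thread) will now assemble a statement with no Principal instead of surfacing the error. If that branch is reachable for a ManagedPolicy grantee, consider handling it in Grant (warn and skip the resource-based policy, as proposed in the review) rather than relying on an empty fragment.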
Contributor
The reason tableV2.grantX(someManagedPolicy) started throwing an error is due to this line:

return Grant.addToPrincipalOrResource({

Down the call path of tableV2.grantX(someManagedPolicy), addToPrincipalOrResource gets called at some point and it does the following:

  1. It adds the permission to the principal (in this case, it adds the permission to someManagedPolicy).
  2. It checks if the principal and resource are in different accounts. If so, it updates the resource-based policy to allow the principal to access the resource (in this case, it would try to add the someManagedPolicy principal to the tableV2 resource-based policy).

In step 2, when CDK tries to assemble the correct resource-based policy, that is where the error is thrown. The intention of the code seems to be that a Policy or Managed Policy is not a principal, hence it throws an error (in other words, it is not possible to allow a Policy to access a resource. You can only allow an identity, aka principal, to access a resource). Logically, this makes sense. It is also explained in the PR that added this line: #22712 (comment)
(The reason this worked for S3 Bucket is because buckets are global resources; therefore CDK assumes a bucket is in the same account as the principal and skips step 2.)


With the above thinking, I think we should update the code in class Grant so that it throws a warning if the code is trying to get the principals out of a not-real-principal (i.e. Managed Policy, Policy, Group), then skips adding the resource-based policy. The warning should notify customers that the resource-based policy will not be added (which is what customers would normally expect).
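
The two-step dispatch described in the comment above, as an added example that is not the CDK's own code: a small TypeScript model of what Grant.addToPrincipalOrResource does (identity-based statement first, resource-based statement only for cross-account grants) with the warn-and-skip behaviour the comment proposes for grantees that are not identities. The Grantee and Resource shapes, the role/managedPolicy/table/bucket constructors, the warning text and the account-comparison rule are all assumptions made for illustration, not aws-cdk-lib APIs.

```typescript
// Added illustration, not aws-cdk-lib code: a minimal model of the grant dispatch
// discussed above. All types and helper names here are invented for the example.

interface Statement {
  effect: 'Allow';
  actions: string[];
  resources: string[];
  principals?: string[]; // only present on resource-based statements
}

// A grantee is either a real identity (role/user) or a policy container
// (ManagedPolicy, Policy, Group) that IAM cannot name in a Principal element.
interface Grantee {
  name: string;
  kind: 'identity' | 'policyContainer';
  account: string;          // account of the stack that defines the grantee
  arn?: string;             // undefined for policy containers
  statements: Statement[];  // identity-based statements accumulated by grants
}

interface Resource {
  arn: string;
  account?: string;         // undefined for "global" ARNs such as S3 buckets
  resourcePolicy: Statement[];
}

interface GrantResult {
  principalStatementAdded: boolean;
  resourceStatementAdded: boolean;
  warnings: string[];
}

function role(name: string, account: string): Grantee {
  return { name, kind: 'identity', account, arn: `arn:aws:iam::${account}:role/${name}`, statements: [] };
}

function managedPolicy(name: string, account: string): Grantee {
  return { name, kind: 'policyContainer', account, statements: [] };
}

function table(account: string, name: string): Resource {
  return { arn: `arn:aws:dynamodb:us-east-1:${account}:table/${name}`, account, resourcePolicy: [] };
}

function bucket(name: string): Resource {
  // Bucket ARNs carry no account, so the model (like the CDK behaviour described
  // in the comment above) treats them as same-account and never reaches step 2.
  return { arn: `arn:aws:s3:::${name}`, resourcePolicy: [] };
}

// Step 1 always adds the identity-based statement. Step 2 adds a resource-based
// statement only for cross-account grants, and only when the grantee is an
// identity; for a policy container it records a warning and skips instead of throwing.
function grant(grantee: Grantee, resource: Resource, actions: string[]): GrantResult {
  const warnings: string[] = [];
  grantee.statements.push({ effect: 'Allow', actions, resources: [resource.arn] });

  const crossAccount = resource.account !== undefined && resource.account !== grantee.account;
  if (!crossAccount) {
    return { principalStatementAdded: true, resourceStatementAdded: false, warnings };
  }

  if (grantee.kind !== 'identity' || grantee.arn === undefined) {
    warnings.push(
      `${grantee.name} is a ${grantee.kind}, not an identity: no resource-based policy was added to ` +
      `${resource.arn}. Attach the policy to a role or user and grant cross-account access to that identity.`,
    );
    return { principalStatementAdded: true, resourceStatementAdded: false, warnings };
  }

  resource.resourcePolicy.push({
    effect: 'Allow', actions, resources: [resource.arn], principals: [grantee.arn],
  });
  return { principalStatementAdded: true, resourceStatementAdded: true, warnings };
}

// Walk-through of the cases from the discussion.
function demo(): string[] {
  const out: string[] = [];
  const acctA = '111111111111';
  const acctB = '222222222222';

  const sameAccount = grant(role('Reader', acctA), table(acctA, 'Orders'), ['dynamodb:GetItem']);
  out.push(`same-account role: resource policy added = ${sameAccount.resourceStatementAdded}`);

  const cross = grant(role('Reader', acctA), table(acctB, 'Orders'), ['dynamodb:GetItem']);
  out.push(`cross-account role: resource policy added = ${cross.resourceStatementAdded}`);

  const viaPolicy = grant(managedPolicy('TableAccess', acctA), table(acctB, 'Orders'), ['dynamodb:GetItem']);
  out.push(`cross-account managed policy: ${viaPolicy.warnings.length} warning(s), resource policy added = ${viaPolicy.resourceStatementAdded}`);

  const viaBucket = grant(managedPolicy('BucketAccess', acctA), bucket('my-bucket'), ['s3:GetObject']);
  out.push(`managed policy on bucket: ${viaBucket.warnings.length} warning(s)`);
  return out;
}

demo().forEach(line => console.log(line));
```

The managed-policy case ends with one statement on the policy and nothing on the table, plus a warning; the statement only takes effect once the policy is attached to a role or user, which matches the point made in the PR description that the generated managed policy needs a principal to be meaningful.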

Author

Crossposting analysis from the original issue. The problem is with how import resolves differently for Bucket vs TableV2. The new resource creation use case passes correctly.

I think this will fix the other use cases where the imports are "inconsistent". I was also trying to avoid warnings.
Allowing grants on a managed policy doesn't mean anything unless it's attached to a principal, user or role.

TableName: this.resourceStack.table.tableName,
},
}));
}
Contributor

The assertions seem to check CFN created the resources correctly. These should be CFN service assertions imo. In CDK integ tests, I think it is more important to check if CDK added the correct permissions that the integration need. In other words, we should invoke the infrastructure somehow to trigger runtime execution that exercises the permission added by CDK.

Author

@QuantumNeuralCoder QuantumNeuralCoder Jan 28, 2025

Agreed. This particular check is to check for regressions in the future where resource creation might be affected by a change. I can add a check with a managed policy attachment. Let me do that.

Labels
beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK p2