fix(iam): grantAssumeRole silently fails with service and account pri…

…ncipals (#29452) ### Issue #24507 ### Reason for this change grantAssumeRole silently fails if a Service Principal or Account Principal is used which led me to a false assumption about the correctness of a role's permission scope ### Description of changes This change will throw an error if a Service Principal is used. I was unable to find a way to accomplish the same behavior for Account Principals. Documentation was updated to help guide a user to the appropriate function usage for Service and Account Principals. ### Description of how you validated changes * Added a unit test * This change required me to re-run two unrelated snapshot tests which were throwing errors outside of the scope of this change. *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Apr 2, 2024 · 36fd79d · 36fd79d
1 parent a12887b
commit 36fd79d
Show file tree

Hide file tree

Showing 18 changed files with 226 additions and 90 deletions.
diff --git a/....managed-policy.js.snapshot/ManagedPolicyIntegDefaultTestDeployAssert27007DC6.assets.json b/....managed-policy.js.snapshot/ManagedPolicyIntegDefaultTestDeployAssert27007DC6.assets.json
diff --git a/...test/aws-iam/test/integ.managed-policy.js.snapshot/aws-cdk-iam-managed-policy.assets.json b/...test/aws-iam/test/integ.managed-policy.js.snapshot/aws-cdk-iam-managed-policy.assets.json
diff --git a/...ws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/cdk.out b/...ws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/cdk.out
diff --git a/...cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/integ.json b/...cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/integ.json
diff --git a/...-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/manifest.json b/...-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/manifest.json
diff --git a/...-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/tree.json b/...-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/tree.json
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.ts
@@ -25,6 +25,7 @@ user.addManagedPolicy(policy3);
 
 const role = new Role(stack, 'Role', { assumedBy: new AccountRootPrincipal() });
 role.grantAssumeRole(policy.grantPrincipal);
+
 Grant.addToPrincipal({ actions: ['iam:*'], resourceArns: [role.roleArn], grantee: policy2 });
 
 policy.attachToRole(role);

diff --git a/...-iam/test/integ.policy.js.snapshot/PolicyIntegDefaultTestDeployAssert274BB918.assets.json b/...-iam/test/integ.policy.js.snapshot/PolicyIntegDefaultTestDeployAssert274BB918.assets.json
diff --git a/...framework-integ/test/aws-iam/test/integ.policy.js.snapshot/aws-cdk-iam-policy.assets.json b/...framework-integ/test/aws-iam/test/integ.policy.js.snapshot/aws-cdk-iam-policy.assets.json
diff --git a/...amework-integ/test/aws-iam/test/integ.policy.js.snapshot/aws-cdk-iam-policy.template.json b/...amework-integ/test/aws-iam/test/integ.policy.js.snapshot/aws-cdk-iam-policy.template.json
@@ -3,16 +3,11 @@
   "MyUserDC45028B": {
    "Type": "AWS::IAM::User"
   },
-  "HelloPolicyD59007DF": {
+  "MyUserDefaultPolicy7B897426": {
    "Type": "AWS::IAM::Policy",
    "Properties": {
     "PolicyDocument": {
      "Statement": [
-      {
-       "Action": "sqs:SendMessage",
-       "Effect": "Allow",
-       "Resource": "*"
-      },
       {
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
@@ -26,6 +21,27 @@
      ],
      "Version": "2012-10-17"
     },
+    "PolicyName": "MyUserDefaultPolicy7B897426",
+    "Users": [
+     {
+      "Ref": "MyUserDC45028B"
+     }
+    ]
+   }
+  },
+  "HelloPolicyD59007DF": {
+   "Type": "AWS::IAM::Policy",
+   "Properties": {
+    "PolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sqs:SendMessage",
+       "Effect": "Allow",
+       "Resource": "*"
+      }
+     ],
+     "Version": "2012-10-17"
+    },
     "PolicyName": "Default",
     "Users": [
      {

diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/cdk.out
diff --git a/...es/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/integ.json b/...es/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/integ.json
diff --git a/...@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/manifest.json b/...@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/manifest.json