
aws-cdk-lib/aws-stepfunctions-tasks: Issue with incorrectly generated IAM policy. #30862

Closed
msaphire opened this issue Jul 15, 2024 · 6 comments · Fixed by #30896 · May be fixed by NOUIY/aws-solutions-constructs#114
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management bug This issue is a bug. effort/small Small work item – less than a day of effort good first issue Related to contributions. See CONTRIBUTING.md p3

Comments

@msaphire

Describe the bug

I am working on writing a CDK based step function with a task to call 'tagresources' on an EFS access point:

// Imports added for completeness; the task is created inside a Construct/Stack (`this`).
import { CallAwsService } from 'aws-cdk-lib/aws-stepfunctions-tasks';
import { JsonPath } from 'aws-cdk-lib/aws-stepfunctions';

const tagAccessPoint = new CallAwsService(this, 'TagAccessPoint', {
    stateName: 'Tag access point',
    service: 'efs',
    action: 'tagResource',
    iamResources: ['*'],
    parameters: {
        ResourceId: JsonPath.stringAt('$.pathToArn'),
        Tags: [
            {
                Key: "MYTAGNAME",
                Value: JsonPath.stringAt('$.pathToId')
            }
        ]
    },
    resultPath: JsonPath.DISCARD
})

Produces an incorrect IAM policy snippet.

Expected Behavior

It should be (ref):

{
    "Action": "elasticfilesystem:tagResource",
    "Resource": "*",
    "Effect": "Allow"
}

Current Behavior

Produces:

{
    "Action": "efs:tagResource",
    "Resource": "*",
    "Effect": "Allow"
}

This is incorrect; it should be (ref):

Reproduction Steps

Create the following task as part of a CDK defined state machine:

// Imports added for completeness; the task is created inside a Construct/Stack (`this`).
import { CallAwsService } from 'aws-cdk-lib/aws-stepfunctions-tasks';
import { JsonPath } from 'aws-cdk-lib/aws-stepfunctions';

const tagAccessPoint = new CallAwsService(this, 'TagAccessPoint', {
    stateName: 'Tag access point',
    service: 'efs',
    action: 'tagResource',
    iamResources: ['*'],
    parameters: {
        ResourceId: JsonPath.stringAt('$.pathToArn'),
        Tags: [
            {
                Key: "MYTAGNAME",
                Value: JsonPath.stringAt('$.pathToId')
            }
        ]
    },
    resultPath: JsonPath.DISCARD
})

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.147.2

Framework Version

No response

Node.js Version

20

OS

macOS

Language

TypeScript

Language Version

TypeScript (5.4.2)

Other information

No response

@msaphire msaphire added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jul 15, 2024
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Jul 15, 2024
@ashishdhingra ashishdhingra self-assigned this Jul 15, 2024
@ashishdhingra ashishdhingra added needs-reproduction This issue needs reproduction. and removed needs-triage This issue or PR still needs to be triaged. labels Jul 15, 2024
@ashishdhingra
Contributor

Reproducible using the code below:

import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as sfn from 'aws-cdk-lib/aws-stepfunctions';
import * as tasks from 'aws-cdk-lib/aws-stepfunctions-tasks';

export class Issue30862Stack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const callAwsServiceTask = new tasks.CallAwsService(this, 'TagEfsAccessPoint', {
      stateName: 'Tag access point',
      service: 'efs',
      action: 'tagResource',
      iamResources: ['*'],
      parameters: {
        ResourceId: sfn.JsonPath.stringAt('$.pathToArn'),
        Tags: [
            {
                Key: "MYTAGNAME",
                Value: sfn.JsonPath.stringAt('$.pathToId')
            }
        ]
      },
      resultPath: sfn.JsonPath.DISCARD
    });

    const stateMachine = new sfn.StateMachine(this, 'MyStateMachine', {
      definition: callAwsServiceTask.next(new sfn.Succeed(this, "GreetedWorld"))
    });
  }
}

Running cdk synth generates the following CloudFormation template:

Resources:
  MyStateMachineRoleD59FFEBC:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: states.amazonaws.com
        Version: "2012-10-17"
    Metadata:
      aws:cdk:path: Issue30862Stack/MyStateMachine/Role/Resource
  MyStateMachineRoleDefaultPolicyE468EB18:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action: efs:tagResource
            Effect: Allow
            Resource: "*"
        Version: "2012-10-17"
      PolicyName: MyStateMachineRoleDefaultPolicyE468EB18
      Roles:
        - Ref: MyStateMachineRoleD59FFEBC
    Metadata:
      aws:cdk:path: Issue30862Stack/MyStateMachine/Role/DefaultPolicy/Resource
  MyStateMachine6C968CA5:
    Type: AWS::StepFunctions::StateMachine
    Properties:
      DefinitionString:
        Fn::Join:
          - ""
          - - '{"StartAt":"Tag access point","States":{"Tag access point":{"Next":"GreetedWorld","Type":"Task","ResultPath":null,"Resource":"arn:'
            - Ref: AWS::Partition
            - :states:::aws-sdk:efs:tagResource","Parameters":{"ResourceId.$":"$.pathToArn","Tags":[{"Key":"MYTAGNAME","Value.$":"$.pathToId"}]}},"GreetedWorld":{"Type":"Succeed"}}}
      RoleArn:
        Fn::GetAtt:
          - MyStateMachineRoleD59FFEBC
          - Arn
    DependsOn:
      - MyStateMachineRoleDefaultPolicyE468EB18
      - MyStateMachineRoleD59FFEBC
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete
    Metadata:
      aws:cdk:path: Issue30862Stack/MyStateMachine/Resource
...

Per TagResource, the operation requires permissions for the elasticfilesystem:TagResource action.

Possible root cause:

  • Per the code here, it uses ${iamService}:${props.action} to add the IAM policy action.
    • iamService is resolved here based on the condition iamServiceMap[props.service] ?? props.service.
    • iamServiceMap perhaps maintains a list of services that have a mapping to service names, for scenarios where props.service doesn't map to the service name (like in the current scenario). In the current implementation, the logic falls back to using props.service, which is efs.

Possible fix:
A possible fix is to add the mapping efs: 'elasticfilesystem' to iamServiceMap here.

Workaround:
Explicitly specify CallAwsServiceProps.iamAction as elasticfilesystem:TagResource. Verified using the code below:

    const callAwsServiceTask = new tasks.CallAwsService(this, 'TagEfsAccessPoint', {
      stateName: 'Tag access point',
      service: 'efs',
      action: 'tagResource',
      iamResources: ['*'],
      iamAction: 'elasticfilesystem:TagResource',
      parameters: {
        ResourceId: sfn.JsonPath.stringAt('$.pathToArn'),
        Tags: [
            {
                Key: "MYTAGNAME",
                Value: sfn.JsonPath.stringAt('$.pathToId')
            }
        ]
      },
      resultPath: sfn.JsonPath.DISCARD
    });

and it works:

...
  MyStateMachineRoleDefaultPolicyE468EB18:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action: elasticfilesystem:TagResource
            Effect: Allow
            Resource: "*"
        Version: "2012-10-17"
      PolicyName: MyStateMachineRoleDefaultPolicyE468EB18
      Roles:
        - Ref: MyStateMachineRoleD59FFEBC
    Metadata:
      aws:cdk:path: Issue30862Stack/MyStateMachine/Role/DefaultPolicy/Resource
...
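The following is an added example, not aws-cdk's own code: it models how CallAwsService derives the IAM action from `service` and `action` as described in the root-cause notes above (and in the original bug report), and contrasts the `efs` fallback with the proposed mapping and the `iamAction` workaround. The `sfn: 'states'` map entry and the set of known IAM prefixes are constructed for illustration.

```typescript
// Added example (not aws-cdk's implementation): a model of the IAM action
// derivation in CallAwsService, before and after the proposed efs mapping.

interface CallAwsServiceLikeProps {
  service: string;     // SDK service name, e.g. 'efs'
  action: string;      // SDK action name, e.g. 'tagResource'
  iamAction?: string;  // explicit override (the workaround in this thread)
}

// SDK-name -> IAM-prefix map. Only the `efs` entry comes from this issue;
// `sfn: 'states'` is an assumed illustrative entry.
const iamServiceMapBefore: Record<string, string> = {
  sfn: 'states',
};
const iamServiceMapAfter: Record<string, string> = {
  ...iamServiceMapBefore,
  efs: 'elasticfilesystem', // the mapping this issue proposes adding
};

// Mirrors `${iamService}:${props.action}` with
// `iamServiceMap[props.service] ?? props.service`: an unmapped SDK service
// name is used verbatim as the IAM prefix, which is the bug.
function deriveIamAction(props: CallAwsServiceLikeProps, map: Record<string, string>): string {
  if (props.iamAction !== undefined) {
    return props.iamAction; // explicit iamAction wins, no mapping involved
  }
  const iamService = map[props.service] ?? props.service;
  return `${iamService}:${props.action}`;
}

// The statement the state machine role would receive for this task.
function policyStatement(props: CallAwsServiceLikeProps, map: Record<string, string>, iamResources: string[]) {
  return {
    Action: deriveIamAction(props, map),
    Resource: iamResources.length === 1 ? iamResources[0] : iamResources,
    Effect: 'Allow',
  };
}

// Synth-time sanity check: an Allow on a prefix that is not a real IAM
// service prefix grants nothing useful, so the task is denied at run time.
// The set below is a constructed sample, not an exhaustive list of prefixes.
const knownIamPrefixes = new Set(['elasticfilesystem', 'states']);
function hasKnownIamPrefix(action: string): boolean {
  return knownIamPrefixes.has(action.split(':')[0] ?? '');
}
```

Running `hasKnownIamPrefix` over every synthesized statement's Action is a cheap guard for catching this class of mismatch before deployment.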

@ashishdhingra ashishdhingra added effort/small Small work item – less than a day of effort p3 and removed needs-reproduction This issue needs reproduction. labels Jul 15, 2024
@ashishdhingra ashishdhingra removed their assignment Jul 15, 2024
@ashishdhingra ashishdhingra added the good first issue Related to contributions. See CONTRIBUTING.md label Jul 15, 2024
@ishon19

ishon19 commented Jul 16, 2024

Hi @ashishdhingra, I would like to work on this issue!

@ashishdhingra
Contributor

> Hi @ashishdhingra, I would like to work on this issue!

@ishon19 Thanks for your reply. I will most likely submit PR for this issue soon. :)

@ishon19

ishon19 commented Jul 16, 2024

> @ishon19 Thanks for your reply. I will most likely submit PR for this issue soon. :)

Yeah, sure! =)


@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 29, 2024