Aws-cdk: Unable to build multi-principal Policy with Role

Created on 17 Nov 2018 · 12Comments · Source: aws/aws-cdk

I am trying to create a role with the following policy document:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "${aws_iam_role.eks_nodes.arn}",
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

The problem, however, is that the Role construct only takes a single entity for assumedBy.

const defaultPodRole = new iam.Role(this, "default-pod-role", {
        roleName: "default",
        path: "/pods/",
        assumedBy: new iam.ServicePrincipal("ec2.amazonaws.com"),
      })

I tried pulling out the assumeRolePolicy but its statements member is private, and that would involve digging around in the statements array anyway.

export declare class PolicyDocument extends Token {
    private readonly baseDocument?;
    private statements;

This workaround produces a role/policy/trust setup that collapses to the same interpretation, but the resulting document is not the same.

    const role = new iam.Role(this, 'Role', {
      assumedBy: new iam.ServicePrincipal('ec2.amazonaws.com'),
    });
    if ( role.assumeRolePolicy ) {
      role.assumeRolePolicy.addStatement(new iam.PolicyStatement().
        addAccountRootPrincipal().
        addAction('sts:AssumeRole'));
    }

The resulting document is this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456123456:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

@aws-cdaws-iam bug feature-request

Source

ijcd

👍6

Most helpful comment

According to https://github.com/aws/aws-cdk/pull/1377, the way to do this is by using a CompositePrincipal object. (Surely changing Role.assumed_by to accept a list or adding a new method to Role would've been more obvious).

E.g. In Python:

pipeline_role = aws_iam.Role(
    scope=self, id=f'pipeline-role',
    role_name='pipeline',
    assumed_by=aws_iam.CompositePrincipal(
        aws_iam.ServicePrincipal('datapipeline.amazonaws.com'),
        aws_iam.ServicePrincipal('elasticmapreduce.amazonaws.com')
    )
)

alastairmccormack on 9 Oct 2019

❤11 👍6 👎1

All 12 comments

This is indeed a limitation. Technically we can provide an implementation of PolicyPrincipal that will allow combining multiple principals.

@ijcd can you share a bit more details about your use case? Why do you need this?

eladb on 19 Nov 2018

@eladb https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-edge-permissions.html#lambda-edge-permissions-function-execution recommends using two principals

eamonnfaherty on 29 Nov 2018

Thanks @eamonnfaherty, exactly what I was after.

eladb on 29 Nov 2018

Is there any progress in this issue? I do also need this feature to connect my API Gateway directly to an DynmoDB Table. 😥

deen13 on 3 Dec 2018

@deen13 PR pending

eladb on 17 Dec 2018

❤1

To be honest for the example I specified I would like to see that working via a construct.

Generally, allowing a role to be assumed by two services is a sign that the author is breaking least privileged principle.

eamonnfaherty on 17 Dec 2018

@deen13 can you provide some reference to your use case please?

eladb on 17 Dec 2018

https://github.com/eamonnfaherty Nevertheless, we rather not be opinionated in the low level IAM library. Higher level AWS constructs synthesize policies based on least privilege but if users want to define less restrictive policies for some reason they should be able to do that with the CDK.

eladb on 17 Dec 2018

Fair enough.

eamonnfaherty on 17 Dec 2018

E.g. In Python:

pipeline_role = aws_iam.Role(
    scope=self, id=f'pipeline-role',
    role_name='pipeline',
    assumed_by=aws_iam.CompositePrincipal(
        aws_iam.ServicePrincipal('datapipeline.amazonaws.com'),
        aws_iam.ServicePrincipal('elasticmapreduce.amazonaws.com')
    )
)

alastairmccormack on 9 Oct 2019

❤11 👍6 👎1

@eladb Use case system manager automation document.

Here the example provides ssm and ec2 service principals.

It's also in the Systems Manager user guide.

I also was only able to resolve this by searching and finding this Github issue.

It would be easier if this was better documented in the docs itself for assumed_by in Role.

0xjjoyy on 17 Dec 2019

Another example:

    const dmsAccessForEndpointRole = new iam.Role(this, 'DmsAccessForEndpointRole', {
      roleName: 'dms-access-for-endpoint',
      assumedBy: dmsServicePrincipal,
    });
    dmsAccessForEndpointRole.assumeRolePolicy?.addStatements(
      new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        principals: [new iam.ServicePrincipal('redshift.amazonaws.com')],
        actions: ['sts:AssumeRole'],
      }),
    );