aws-iam: policy statements are trying to validate tokens #13479

Labels: @aws-cdk/aws-iam, bug, effort/small, good first issue, needs-triage, p2


cheng-kevin commented Mar 8, 2021

❓ General Issue

Are IAM PolicyDocument Actions limited to string types? I am trying to reference a CloudFormation parameter as my action.

    new iam.PolicyStatement({
      actions: [
        // Build "<parameter value>:*" from a CloudFormation parameter reference
        core.Fn.join('', [core.Fn.ref(Parameters.myparameter), ':*']),
      ],
      effect: iam.Effect.ALLOW,
      resources: ['*'],
    });


@cheng-kevin cheng-kevin added guidance Question that needs advice or information. needs-triage This issue or PR still needs to be triaged. labels Mar 8, 2021
@cheng-kevin cheng-kevin changed the title (module name): short issue description aws-iam: Are actions limited to string type? Mar 8, 2021
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Mar 8, 2021
skinny85 (Contributor) commented Mar 9, 2021

Hey @cheng-kevin,

looks like you're right - while usually in the CDK you can do things like:

        const myParameter = new cdk.CfnParameter(this, 'Param');
        new iam.PolicyStatement({
                actions: [
                    `${myParameter.value}:*`,
                ],
                effect: iam.Effect.ALLOW,
                resources: [ '*' ]
            }
        );

This results in the following error:

Action '${Token[Param.Ref.20]}:*' is invalid. An action string consists of a service namespace, a colon, and the name of an action. Action names can include wildcards.

Probably this code should check if action is a Token using the Token.isUnresolved() method.

@rix0rrr rix0rrr added bug This issue is a bug. effort/small Small work item – less than a day of effort good first issue Related to contributions. See CONTRIBUTING.md p2 and removed guidance Question that needs advice or information. labels Mar 9, 2021
@rix0rrr rix0rrr changed the title aws-iam: Are actions limited to string type? aws-iam: policy statements are trying to validate tokens Mar 9, 2021
rix0rrr (Contributor) commented Mar 9, 2021

What @skinny85 said is accurate
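
The check suggested in the comments above, as an added example that is not part of the thread and not the CDK's own code: a self-contained model in which action validation skips unresolved tokens and reports them separately. The names `checkActions`, `isUnresolved`, `TOKEN_MARKER` and `ACTION_SYNTAX` are hypothetical, and both regular expressions are assumptions derived from the error message quoted above.

```typescript
// Simplified model of the fix discussed in this issue; not the CDK's source.
// Assumption: an unresolved token shows up inside a string as "${Token[...]}",
// the form visible in the error message quoted in the thread.
const TOKEN_MARKER = /\$\{Token\[[^\]]+\]\}/;

// Assumption: literal action syntax as worded in the error message
// (service namespace, colon, action name that may contain wildcards), or "*".
const ACTION_SYNTAX = /^(\*|[a-zA-Z0-9-]+:[a-zA-Z0-9*]+)$/;

interface ActionCheck {
  valid: string[];    // literals that passed the syntax check
  deferred: string[]; // contain a token; real value only known at deploy time
  errors: string[];   // literals that failed the syntax check
}

// Stand-in for Token.isUnresolved() in this model.
function isUnresolved(value: string): boolean {
  return TOKEN_MARKER.test(value);
}

function checkActions(actions: string[]): ActionCheck {
  const result: ActionCheck = { valid: [], deferred: [], errors: [] };
  for (const action of actions) {
    if (isUnresolved(action)) {
      // Skip syntax validation, but record the entry so a reviewer can see
      // which actions are decided by a deploy-time value, not by the code.
      result.deferred.push(action);
    } else if (ACTION_SYNTAX.test(action)) {
      result.valid.push(action);
    } else {
      result.errors.push(`Action '${action}' is invalid.`);
    }
  }
  return result;
}

// Constructed sample input.
const sample = checkActions([
  's3:GetObject',
  '${Token[Param.Ref.20]}:*',
  's3',
  '*',
]);
console.log(sample);
```

An action that ends up in `deferred` is chosen by whoever supplies the parameter value at deploy time, so the check has to move to the parameter itself, for example through the CloudFormation parameter properties `AllowedValues` or `AllowedPattern`.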

@mergify mergify bot closed this as completed in #13493 Mar 10, 2021
mergify bot pushed a commit that referenced this issue Mar 10, 2021
Looking for guidance on error messaging and/or docs to update
Fixes #13479

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*