This issue was moved to a discussion.

You can continue the conversation there. Go to discussion →


aws iam: cannot modify trust relationship of imported role #23471

Closed
2 tasks
aradyaron opened this issue Dec 27, 2022 · 2 comments
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management p3

Comments

@aradyaron

Describe the feature

Currently there is no way to add a new role to the trust relationship of an imported role.
The solution suggested in issue #22550 cannot work, as there is no 'assume_role_policy' on an imported role, regardless of immutability.

As I am using the Python CDK library, there are multiple levels of abstraction as well.

Use Case

I have a mediator role inside my Stack in my main region X, which will be assumed by a regional role that exists in all my regional stacks.
I want to import the main mediator role in the other stacks (using from_role_arn) and allow specifically the regional stack role to assume it, by adding only that role to the mediator role's trust policy.

Proposed Solution

Either:

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

python aws-cdk-lib 2.54.0

Environment details (OS name and version, etc.)

Python

@aradyaron aradyaron added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Dec 27, 2022
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Dec 27, 2022
@peterwoodworth
Contributor

We cannot implement this because you cannot modify imported resources in CDK.

Although you can use an external resource anywhere you'd use a similar resource defined in your AWS CDK app, you cannot modify it. For example, calling addToResourcePolicy (Python: add_to_resource_policy) on an external s3.Bucket does nothing.

To modify the trust policy on an imported role, CDK would need a way to modify that role, which it doesn't because the role is not defined in the application in which you are trying to modify the role. In other words, CDK would need a way to modify the CloudFormation template which has defined the role.

The way to work around this would be to use a custom resource to modify the policy. If you need any direction in that, let me know, and we can convert this issue to a discussion.

@peterwoodworth peterwoodworth added closing-soon This issue will automatically close in 4 days unless further comments are made. and removed feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Dec 27, 2022
@peterwoodworth peterwoodworth changed the title aws iam: (short issue description) aws iam: cannot modify trust relationship of imported role Dec 27, 2022
@aradyaron
Author

Thanks for the offer, I would like that. I think it would be beneficial to me as well as to others.
Please note that this is, however, still limited, as currently the AWS API supports only full replacement of the trust policy.
This means parallel deployments (for example, in different regions) can still cause unwanted overriding behavior.
Is it possible for a solution to cover this issue as well?
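A worked example of the custom-resource approach suggested above, added here as an illustration and not code from the issue's participants or from aws-cdk. It shows the merge logic such a handler needs: because the IAM API only replaces the whole trust policy, the handler reads the role's current document, adds (or on Delete, removes) one statement for the regional role, and writes the full document back, leaving every other statement intact and doing nothing when the principal is already trusted. The Sid name, the role and principal ARNs, the sample policy, and the onEvent shape (written for aws_cdk.custom_resources.Provider, which sends the CloudFormation response on the handler's behalf) are assumptions.

```python
"""Trust-policy merge for a custom-resource handler (added example).

UpdateAssumeRolePolicy replaces the whole document, so the handler must
read the current trust policy, merge one statement in, and write it back.
All ARNs below are constructed placeholders.
"""
import copy
import json

ASSUME = "sts:AssumeRole"
MANAGED_SID = "RegionalRolesManagedByCustomResource"  # hypothetical Sid for our statement

# Constructed sample: the mediator role already trusts Lambda; that must survive.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"Service": "lambda.amazonaws.com"},
         "Action": ASSUME}
    ],
}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def trusted_aws_principals(policy):
    """Every AWS principal ARN that an Allow statement lets assume the role."""
    arns = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and ASSUME in _as_list(stmt.get("Action")):
            principal = stmt.get("Principal", {})
            if isinstance(principal, dict):  # "Principal": "*" is a string, skip it
                arns.update(_as_list(principal.get("AWS")))
    return arns


def add_assume_role_principal(policy, principal_arn, sid=MANAGED_SID):
    """Copy of the trust policy that also lets principal_arn assume the role.

    Other statements are untouched and the call is idempotent, so a redeploy
    or a second region does not produce duplicate entries.
    """
    doc = copy.deepcopy(policy)
    if principal_arn in trusted_aws_principals(doc):
        return doc
    statements = doc.setdefault("Statement", [])
    for stmt in statements:  # extend our managed statement if it already exists
        if stmt.get("Sid") == sid:
            aws = _as_list(stmt["Principal"].get("AWS"))
            aws.append(principal_arn)
            stmt["Principal"]["AWS"] = aws
            return doc
    statements.append({"Sid": sid, "Effect": "Allow",
                       "Principal": {"AWS": [principal_arn]}, "Action": ASSUME})
    return doc


def remove_assume_role_principal(policy, principal_arn, sid=MANAGED_SID):
    """Copy with principal_arn removed from the managed statement only."""
    doc = copy.deepcopy(policy)
    kept = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Sid") == sid:
            aws = [a for a in _as_list(stmt["Principal"].get("AWS")) if a != principal_arn]
            if not aws:
                continue  # drop the managed statement once it is empty
            stmt["Principal"]["AWS"] = aws
        kept.append(stmt)
    doc["Statement"] = kept
    return doc


def sync_trust_policy(role_name, principal_arn, iam_client=None, remove=False):
    """Read-modify-write against IAM. boto3 is imported lazily so the merge logic
    stays importable without the SDK; pass iam_client (e.g. a fake) to test."""
    if iam_client is None:
        import boto3  # assumption: boto3 is available in the Lambda runtime
        iam_client = boto3.client("iam")
    current = iam_client.get_role(RoleName=role_name)["Role"]["AssumeRolePolicyDocument"]
    merge = remove_assume_role_principal if remove else add_assume_role_principal
    desired = merge(current, principal_arn)
    if desired != current:  # skip the write (and its lost-update window) when nothing changes
        iam_client.update_assume_role_policy(RoleName=role_name,
                                             PolicyDocument=json.dumps(desired))
    return desired


def on_event(event, context=None, iam_client=None):
    """onEvent handler shape for aws_cdk.custom_resources.Provider (assumption).
    The physical id embeds the principal, so changing it on Update makes
    CloudFormation send a Delete for the old principal afterwards."""
    props = event["ResourceProperties"]
    role_name, principal_arn = props["RoleName"], props["PrincipalArn"]
    sync_trust_policy(role_name, principal_arn, iam_client=iam_client,
                      remove=(event["RequestType"] == "Delete"))
    return {"PhysicalResourceId": f"{role_name}:{principal_arn}"}
```

The merge is still a read-modify-write with no conditional update on the IAM side, which is the limitation raised in the comment above: two stacks changing the same role's trust policy at the same moment can still overwrite each other's write, so deployments that touch one mediator role should be run one at a time, or a single stack should own that role's trust policy.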

@github-actions github-actions bot removed the closing-soon This issue will automatically close in 4 days unless further comments are made. label Dec 28, 2022
@aws aws locked and limited conversation to collaborators Dec 28, 2022
@peterwoodworth peterwoodworth converted this issue into discussion #23486 Dec 28, 2022
