
aws-iam: spillover customer managed policy tag support #31343

Open
2 tasks
jarridkleinfelter opened this issue Sep 6, 2024 · 1 comment
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2

Comments

@jarridkleinfelter

jarridkleinfelter commented Sep 6, 2024

Describe the feature

IAM inline policy includes spillover for inline IAM policies that exceed the maximum length. Spillover creates overflow policies of type customer managed. The result is that the main inline policy is tagged, but the overflow customer managed policy is not. Add tag propagation support for the spillover policy.

Use Case

Resources created without tag propagation affect downstream pipeline validation rules used in CloudFormation Guard.

Proposed Solution

No response

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

latest

Environment details (OS name and version, etc.)

All

Sample CDK code snippet which generates overflow
```python
from aws_cdk import Duration, aws_iam

# Role assumed through SAML federation; the many inline statements added
# below are what push the inline policy past the size limit and trigger
# the CDK's spillover into customer managed policies.
iam_role = aws_iam.Role(
    self,
    'IamRole',
    role_name='Quality_Assurance',
    max_session_duration=Duration.hours(12),
    assumed_by=aws_iam.FederatedPrincipal(
        f'arn:aws:iam::{self.account}:saml-provider/AzureAD',
        {'StringEquals': {'SAML:aud': 'https://signin.aws.amazon.com/saml'}},
        'sts:AssumeRoleWithSAML'
    )
)
```

Then we have a bunch of statements like the following to add permissions.

```python
# One of many statements appended to the role's inline (default) policy.
iam_role.add_to_policy(aws_iam.PolicyStatement(
    actions=[
        'dynamodb:*Item',
        'dynamodb:Query',
        'dynamodb:Scan'
    ],
    resources=[
        f'arn:aws:dynamodb:{self.region}:{self.account}:table/made-up-name-1',
        f'arn:aws:dynamodb:{self.region}:{self.account}:table/made-up-name-2',
        f'arn:aws:dynamodb:{self.region}:{self.account}:table/made-up-name-3',
        f'arn:aws:dynamodb:{self.region}:{self.account}:table/made-up-name-4'
    ]
))
```
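The downstream validation the issue describes can be reproduced as a post-synthesis check over the CloudFormation template that `cdk synth` writes, so an untagged spillover policy is caught before it reaches a pipeline gate. The script below is an added example for this issue, not code from the issue author or the aws-cdk project. It assumes the synthesized template is plain JSON, checks the two IAM resource types that accept a `Tags` property in CloudFormation (`AWS::IAM::Role` and `AWS::IAM::ManagedPolicy`), and, for each under-tagged managed policy, reports the role it is attached to through `Ref` together with that role's tags, i.e. the tags one would have expected to propagate. The embedded template, its logical IDs and tag values are constructed for the example.

```python
import json
import sys
from typing import Any, Dict, List

# CloudFormation IAM resource types that accept a Tags property.
# AWS::IAM::Policy (the inline policy type) does not, so it is not checked.
TAGGABLE_IAM_TYPES = {"AWS::IAM::Role", "AWS::IAM::ManagedPolicy"}

# Constructed sample standing in for a synthesized template after the CDK
# has split an oversized inline policy: the role is tagged, the spillover
# managed policy is not. Logical IDs and tag values are made up.
SAMPLE_TEMPLATE: Dict[str, Any] = {
    "Resources": {
        "IamRoleABCD1234": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": "Quality_Assurance",
                "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": []},
                "Tags": [{"Key": "Owner", "Value": "qa"},
                         {"Key": "CostCenter", "Value": "1234"}],
            },
        },
        "IamRoleDefaultPolicyEFGH5678": {
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "PolicyName": "IamRoleDefaultPolicy",
                "PolicyDocument": {"Version": "2012-10-17", "Statement": []},
                "Roles": [{"Ref": "IamRoleABCD1234"}],
            },
        },
        "IamRoleOverflowPolicy1IJKL9012": {
            "Type": "AWS::IAM::ManagedPolicy",
            "Properties": {
                "PolicyDocument": {"Version": "2012-10-17", "Statement": []},
                "Roles": [{"Ref": "IamRoleABCD1234"}],
            },
        },
    }
}


def tags_of(resource: Dict[str, Any]) -> Dict[str, str]:
    """Tags of one resource as a {Key: Value} dict (empty if untagged)."""
    return {t["Key"]: t["Value"]
            for t in resource.get("Properties", {}).get("Tags", [])}


def find_untagged_iam_resources(template: Dict[str, Any],
                                required_tags: List[str]) -> Dict[str, List[str]]:
    """Map logical ID -> sorted list of required tag keys the resource lacks."""
    findings: Dict[str, List[str]] = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") not in TAGGABLE_IAM_TYPES:
            continue
        present = tags_of(resource)
        missing = sorted(k for k in required_tags if k not in present)
        if missing:
            findings[logical_id] = missing
    return findings


def propagation_gaps(template: Dict[str, Any],
                     required_tags: List[str]) -> Dict[str, Dict[str, Any]]:
    """For each under-tagged managed policy, list the roles it is attached to
    (via Ref) and the tags those roles carry: the tags that would have been
    expected to propagate from the role to the spillover policy."""
    resources = template.get("Resources", {})
    gaps: Dict[str, Dict[str, Any]] = {}
    for logical_id, missing in find_untagged_iam_resources(template, required_tags).items():
        resource = resources[logical_id]
        if resource["Type"] != "AWS::IAM::ManagedPolicy":
            continue
        roles = [r["Ref"] for r in resource.get("Properties", {}).get("Roles", [])
                 if isinstance(r, dict) and "Ref" in r]
        inherited: Dict[str, str] = {}
        for role_id in roles:
            inherited.update(tags_of(resources.get(role_id, {})))
        gaps[logical_id] = {"missing": missing,
                            "attached_roles": roles,
                            "inherited_tags": inherited}
    return gaps


if __name__ == "__main__":
    # Usage: python check_iam_tags.py cdk.out/MyStack.template.json Owner CostCenter
    # With no arguments the constructed sample template is checked instead.
    if len(sys.argv) > 2:
        with open(sys.argv[1]) as fh:
            template = json.load(fh)
        required = sys.argv[2:]
    else:
        template, required = SAMPLE_TEMPLATE, ["Owner", "CostCenter"]
    print(json.dumps(propagation_gaps(template, required), indent=2))
    # Non-zero exit fails the pipeline step when any required tag is missing.
    sys.exit(1 if find_untagged_iam_resources(template, required) else 0)
```

Run against the sample, the role passes and the overflow managed policy is reported with both required keys missing and `IamRoleABCD1234`'s tags listed as the ones it should have inherited; the non-zero exit code is what a CI step keys on.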

@jarridkleinfelter jarridkleinfelter added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Sep 6, 2024
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Sep 6, 2024
@pahud
Contributor

pahud commented Sep 9, 2024

Thank you for bringing it up. Off the top of my head, I guess this would need CFN's support. Please help us prioritize with 👍

@pahud pahud added p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Sep 9, 2024