cdk bootstrap fails with Access Denied due to conditional explicit deny in IAM policy #27622
Comments
The only explanation would be that the condition is in effect. I can't tell from here whether your condition should be taking effect or not; either way I don't think that would be a CDK issue, as this error is being thrown due to lack of permissions. Either way, I don't see where this policy block came from in the first place or why it would be a bug if it didn't work, since this is undocumented to begin with.

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.
@AliceLeyou did you end up solving this issue? We added a policy to force everyone to set up MFA. Even after setting it up (and by doing so, gaining access to all of the permissions we have in another policy), cdk still fails here. @peterwoodworth can this be reopened? The ForceMFS policy (taken from AWS docs):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowViewAccountInfo",
      "Effect": "Allow",
      "Action": [
        "iam:GetAccountPasswordPolicy",
        "iam:ListVirtualMFADevices"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowManageOwnPasswords",
      "Effect": "Allow",
      "Action": [
        "iam:ChangePassword",
        "iam:GetUser"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnVirtualMFADevice",
      "Effect": "Allow",
      "Action": [
        "iam:CreateVirtualMFADevice"
      ],
      "Resource": "arn:aws:iam::*:mfa/*"
    },
    {
      "Sid": "AllowManageOwnUserMFA",
      "Effect": "Allow",
      "Action": [
        "iam:DeactivateMFADevice",
        "iam:EnableMFADevice",
        "iam:ListMFADevices",
        "iam:ResyncMFADevice"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "DenyAllExceptListedIfNoMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:GetMFADevice",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
```

The cdk fails with this error:

And as you can see from the user's access advisor, the user has access to it and even tried to access it today: So the condition is met when using the console, but not when using CDK.
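As an added illustration (not from the issue thread or the CDK project), a small Python model of how IAM evaluates the DenyAllExceptListedIfNoMFA statement above under BoolIfExists. IAM leaves aws:MultiFactorAuthPresent out of the request context entirely for calls signed with long-term access keys, and BoolIfExists treats a missing key as a match, so a CLI profile holding only static keys is denied while an MFA console session is not. The request contexts and the action name are constructed for the example.

```python
from fnmatch import fnmatchcase

# The Deny statement from the policy above, copied verbatim.
DENY_IF_NO_MFA = {
    "Sid": "DenyAllExceptListedIfNoMFA",
    "Effect": "Deny",
    "NotAction": [
        "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
        "iam:GetMFADevice", "iam:ListMFADevices", "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice", "sts:GetSessionToken",
    ],
    "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
}

# Constructed request contexts. IAM omits aws:MultiFactorAuthPresent when a call is
# signed with long-term access keys, which is what a CLI profile that holds only
# aws_access_key_id/aws_secret_access_key (a common cdk setup) produces.
CONTEXTS = {
    "console session after MFA sign-in": {"aws:MultiFactorAuthPresent": "true"},
    "cli with long-term access keys": {},
    "cli with GetSessionToken + MFA": {"aws:MultiFactorAuthPresent": "true"},
    "cli with GetSessionToken, no MFA": {"aws:MultiFactorAuthPresent": "false"},
}

def action_matches(pattern: str, action: str) -> bool:
    """IAM action matching: case-insensitive, '*' wildcard."""
    return fnmatchcase(action.lower(), pattern.lower())

def bool_if_exists(context: dict, key: str, expected: str) -> bool:
    """BoolIfExists: a missing key matches; a present key must equal expected."""
    if key not in context:
        return True
    return str(context[key]).lower() == expected.lower()

def statement_denies(statement: dict, action: str, context: dict) -> bool:
    """True if this Deny statement applies to the request (Resource is '*')."""
    if statement["Effect"] != "Deny":
        return False
    if any(action_matches(p, action) for p in statement.get("NotAction", [])):
        return False  # NotAction: the listed actions are exempt from the deny
    for op, pairs in statement.get("Condition", {}).items():
        if op != "BoolIfExists":
            raise NotImplementedError(op)  # only the operator used above is modelled
        if not all(bool_if_exists(context, k, v) for k, v in pairs.items()):
            return False
    return True

def explicit_deny_for(action: str) -> dict:
    """Map each credential type to whether the statement explicitly denies action."""
    return {name: statement_denies(DENY_IF_NO_MFA, action, ctx) for name, ctx in CONTEXTS.items()}

if __name__ == "__main__":
    for name, denied in explicit_deny_for("cloudformation:DescribeStacks").items():
        print(f"{name:36s} -> {'explicit DENY' if denied else 'not denied by this statement'}")
```

The statement exempts sts:GetSessionToken, so credentials obtained through an MFA-backed GetSessionToken (or an MFA-protected role assumption) carry the key as true, which is the kind of session a CLI profile needs to pass this condition.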
Describe the bug
Bootstrapping fails with a user that has all required IAM permissions, when the user is also assigned a policy statement with a conditional explicit deny. In this case we have a policy that restricts access if the account isn't protected with an MFA device, even though the condition isn't in effect.
Expected Behavior
I expected the CDK to successfully bootstrap as the statement that contains the explicit deny isn't in effect.
Current Behavior
Reproduction Steps
Create an IAM user that has permissions for a cdk bootstrap (in my case not full access but a least-privilege list I've found here #21937) and assign a policy with the following statement. As soon as the policy containing this statement was removed, the bootstrap was successful.
MFA policy statement:
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
2.101.1 (build 16ddad1)
Framework Version
No response
Node.js Version
v18.12.1
OS
Microsoft Windows 10 Pro
Language
TypeScript
Language Version
No response
Other information
No response