feat(iam): validate role path at build time #16165
Conversation
0x007F is valid in the API document. However, role creation failed. Not sure if the document is not up-to-date or the API has a bug.
|
|
peterwoodworth
added
p2
effort/small
RomainMuller
force-pushed
the
master
branch
from
924c117 to
ebfd5f2
Compare
rix0rrr
added
feature-request
| const validRolePath = /^(\/|\/[\u0021-\u007F]+\/)$/; | ||
|
|
||
| if (path.length == 0 || path.length > 512) { | ||
| throw new Error(`role path is set to ${path}, but the length must be >= 1 and <= 512.`); |
There was a problem hiding this comment.
| throw new Error(`role path is set to ${path}, but the length must be >= 1 and <= 512.`); | |
| throw new Error(`Role path must be between 1 and 512 characters. The provided role path is ${path.length} characters.`); |
| if (path.length == 0 || path.length > 512) { | ||
| throw new Error(`role path is set to ${path}, but the length must be >= 1 and <= 512.`); | ||
| } else if (!validRolePath.test(path)) { | ||
| throw new Error(`role path is set to ${path}, but must match ${validRolePath.toString()}.`); |
There was a problem hiding this comment.
I'm not totally sure what the best error message is here but providing the regex itself here is not very user friendly. Perhaps you can describe the pattern needed instead of just using the regex. also, please capitalize the beginning of the sentence in the error message.
There was a problem hiding this comment.
I've added a bit more explanation. Updated in ea3a324
| }); | ||
| }); | ||
|
|
||
| test('must be between 1 chars and 512 chars', () => { |
There was a problem hiding this comment.
This may just be my preference here, but I'd prefer to only see one test case per test.
There was a problem hiding this comment.
Do you mean 1 expect statement in a test? Fixed in ea3a324
| const assumedBy = new ServicePrincipal('bla'); | ||
|
|
||
| new Role(stack, 'MyRole1', { assumedBy, path: '/' }); | ||
| new Role(stack, 'MyRole2', { assumedBy, path: '/p/a/t/h/' }); |
There was a problem hiding this comment.
It doesn't look like either of these roles are being used in this test.
There was a problem hiding this comment.
They are valid cases, When exceptions are raised, the test framework will catch them and make them fail tests. I made it explicit with expect statement in ea3a324
| .toThrow(expected('/' + Array(512).join('a') + '/')); | ||
| }); | ||
|
|
||
| test('must match regular expression', () => { |
There was a problem hiding this comment.
Same comment as the test above. One test case per test, please.
| return; | ||
| } | ||
|
|
||
| const validRolePath = /^(\/|\/[\u0021-\u007F]+\/)$/; |
There was a problem hiding this comment.
I'm hesitant to allow validation of a character that will throw an error. I've put a ticket in with the IAM team to double check this. Can you provide the specific validation error you get with /\u007F/ to help me look into this?
There was a problem hiding this comment.
That's great. I cannot investigate further on my side. A simple example with CDK is below. I've confirmed the same behavior with python client (boto3). I believe that the issue exists on IAM side.
import * as cdk from 'aws-cdk-lib';
import { aws_iam as iam } from 'aws-cdk-lib';
export class Example1Stack extends cdk.Stack {
constructor(scope: cdk.App, id: string, props: cdk.StackProps) {
super(scope, id, props);
const role = new iam.Role(this, "role", {
assumedBy: new iam.ServicePrincipal("lambda.amazonaws.com"),
path: "/\u007F/",
})
}
}Error messages
The stack named Example1Stack failed to deploy: UPDATE_ROLLBACK_COMPLETE: The specified value for path is invalid. It must begin and end with / and contain only alphanumeric characters and/or / characters. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: ValidationError; Request ID: 08690aa1-f05c-4830-964d-acd4b2a84532; Proxy: null)
As far as I checked, other control charcters (e.g. /\u0x7E/) work and other patterns with \u0x007F (e. g. /aaaa\u0x007Faaaaa/) fail.
TheRealAmazonKendra
added
pr-linter/exempt-readme
TheRealAmazonKendra
changed the title
github-actions
bot
added
effort/small
mergify
bot
dismissed
TheRealAmazonKendra’s stale review
Pull request has been modified.
|
Thanks for the review! Please have a look again. |
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
Role paths can be validated at build time. According to the [API document](https://docs.aws.amazon.com/IAM/latest/APIReference/API_Role.html), `u007F`, DELETE special char, is valid. However, the creation with a role path `/\u007F/` fails due to validation failure. I don't see any use case for the special char, so I ignored the discrepancy. closes aws#13747 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Role paths can be validated at build time.
According to the API document,
u007F, DELETE special char, is valid. However, the creation with a role path/\u007F/fails due to validation failure. I don't see any use case for the special char, so I ignored the discrepancy.closes #13747
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license