aws-secure-environment-accelerator
[BUG][Functional] Customer-managed IAM Policies can't be assigned to IAM groups
Bug reports which fail to provide the required information will be closed without action.
Required Basic Info
- Accelerator Version: v1.5.0
- Install Type: Clean
- Upgrade from version: N/A
Describe the bug
I have a customer who is trying to create a customer-managed policy and assign it to an IAM group, but the State Machine fails when it's run. The IAM policy does get created by the ASEA, but fails to assign it to the group due to a NoSuchEntity error. The state machine eventually fails and performs rollback and the policy is deleted again.
Failure Info
Policy arn:aws:iam::aws:policy/MyPolicy does not exist or is not attachable. (Service: AmazonIdentityManagement; Status Code: 404; Error Code: NoSuchEntity; Request ID: *****; Proxy: null)
Please note that it appears to reference the ARN of the CM policy without an account number (treating it like an AWS managed policy?)
Required files
- Please provide a copy of your config.json file (sanitize if required)
I don't have access to the customer's config.json right now but can get later if required.
Steps To Reproduce
- Define a policy and assign it to a group in config.json:
```json
"users": [
  {
    "user-ids": ["user1"],
    "group": "Systems",
    "policies": ["MyPolicy"],
    "boundary-policy": "Default-Boundary-Policy"
  }
],
"policies": [
  {
    "policy-name": "MyPolicy",
    "policy": "my-policy.json"
  }
],
```
- Upload my-policy.json to the Accelerator artifact bucket
- Run the state machine
Expected behavior
- The IAM group Systems should be created
- The customer-managed IAM policy MyPolicy should be attached to the group
Additional context
I have taken a look at the code and think I might know where the issue lies, but I'm not terribly familiar with the code base. On this line in this file: https://github.com/aws-samples/aws-secure-environment-accelerator/blob/ecc13cce5376d9c18a403075c2012ddc45c2002d/src/deployments/cdk/src/common/iam-assets.ts#L77
```typescript
const iamGroup = new iam.Group(this, `IAM-Group-${groupName}-${accountKey}`, {
  groupName,
  // every policy name from the config is resolved as an AWS managed policy
  // (arn:aws:iam::aws:policy/<name>), including customer-managed ones
  managedPolicies: policies.map(x => iam.ManagedPolicy.fromAwsManagedPolicyName(x)),
});
```
This block of code only references AWS managed policy when creating an IAM group, which might explain the lack of account number in the ARN above.
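An added example (not ASEA project code) that mirrors in plain TypeScript, without the CDK, the ARN each of the two CDK helpers produces for the policies in the config above, and checks a resolved list for the exact mismatch this report describes before the state machine is run. The account id, the `ReadOnlyAccess` entry and the function names are assumptions constructed for the example.

```typescript
// Added example, not ASEA code: resolve ASEA-style config policy names to
// managed-policy ARNs and flag customer-managed policies that were resolved
// with the AWS-managed account field ("aws"), the cause of NoSuchEntity here.
interface AseaIamConfig {
  users: { "user-ids": string[]; group: string; policies: string[] }[];
  policies: { "policy-name": string; policy: string }[];
}

// Same ARN shape as iam.ManagedPolicy.fromAwsManagedPolicyName(name).
function awsManagedPolicyArn(name: string): string {
  return `arn:aws:iam::aws:policy/${name}`;
}

// Same ARN shape as iam.ManagedPolicy.fromManagedPolicyName(scope, id, name),
// which is scoped to the deploying account.
function customerManagedPolicyArn(accountId: string, name: string): string {
  return `arn:aws:iam::${accountId}:policy/${name}`;
}

// Names declared under "policies" are customer-managed and need the account
// id; any other name is assumed to be an AWS managed policy.
function resolveGroupPolicyArns(cfg: AseaIamConfig, accountId: string): Map<string, string[]> {
  const customerManaged = new Set(cfg.policies.map(p => p["policy-name"]));
  const result = new Map<string, string[]>();
  for (const u of cfg.users) {
    const arns = u.policies.map(name =>
      customerManaged.has(name) ? customerManagedPolicyArn(accountId, name) : awsManagedPolicyArn(name));
    result.set(u.group, (result.get(u.group) || []).concat(arns));
  }
  return result;
}

// Pre-deployment check: returns every ARN whose account field is "aws" but
// whose name is declared as a customer-managed policy in the config.
function findMisScopedPolicies(cfg: AseaIamConfig, arns: string[]): string[] {
  const customerManaged = new Set(cfg.policies.map(p => p["policy-name"]));
  return arns.filter(arn => {
    const m = /^arn:aws:iam::([^:]*):policy\/(.+)$/.exec(arn);
    return m !== null && m[1] === "aws" && customerManaged.has(m[2]);
  });
}

// Constructed sample based on the config fragment in the report, with one
// AWS managed policy added for contrast.
const sampleConfig: AseaIamConfig = {
  users: [{ "user-ids": ["user1"], group: "Systems", policies: ["MyPolicy", "ReadOnlyAccess"] }],
  policies: [{ "policy-name": "MyPolicy", policy: "my-policy.json" }],
};
```

Running `findMisScopedPolicies` over the ARNs produced by mapping every name through `awsManagedPolicyArn` (what the snippet at L77 does) reports `arn:aws:iam::aws:policy/MyPolicy`, the ARN quoted in the failure message.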
Hi,
You need to put the policy in a sub-folder named "iam-policy" and it should work. The only thing we load from the root folder is the config file on first SM execution - otherwise all custom files need to be in a sub-folder:
Hope this helps!
Hi @Brian969
Sorry, I should have clarified. The customer is putting the policy in iam-policy/ and can see it created in IAM (until the state machine fails and performs rollback). It fails when trying to assign the policy to the IAM group.
~~Likely related to issue #939~~
Did not implement