Inaccurate error message when referencing undefined IAM condition key
Consider this model where we forgot to define the pokemon-service:RegistrationDate IAM service condition key:
```smithy
$version: "2.0"

namespace com.amazonaws.simple

use aws.protocols#restJson1
use aws.api#service
use aws.auth#sigv4
use aws.iam#defineConditionKeys
use aws.iam#conditionKeys
use aws.iam#conditionKeyValue
use smithy.framework#ValidationException

@restJson1
@service(
    sdkId: "Pokemon",
    arnNamespace: "pokemon-service"
)
@sigv4(name: "pokemon-service")
// @defineConditionKeys(
//     "pokemon-service:RegistrationDate": {
//         type: "Date"
//         documentation: "Date when the Pokémon species was first registered"
//     }
// )
service SimpleService {
    resources: [PokemonSpecies]
}

resource PokemonSpecies {
    identifiers: {
        name: String
    }
    read: GetPokemonSpecies
}

@readonly
@http(uri: "/pokemon-species/{name}", method: "GET")
@conditionKeys(["pokemon-service:RegistrationDate"])
operation GetPokemonSpecies {
    input := {
        @required
        @httpLabel
        name: String
    }
    errors: [ValidationException]
}
```
The error message reads:
```
── simple ERROR ─────────────────────────────────────────────── ConditionKeys
Shape: com.amazonaws.simple#GetPokemonSpecies
File: /home/ANT.AMAZON.COM/davidpz/code/smithy-ws/src/SmithyRsSource/codegen-server-test/../codegen-core/common-test-models/simple.smithy:39:1
36| @readonly
37| @http(uri: "/pokemon-species/{name}", method: "GET")
38| @conditionKeys(["pokemon-service:RegistrationDate"])
39| operation GetPokemonSpecies {
  | ^
This operation scoped within the `com.amazonaws.simple#SimpleService` service
refers to an undefined condition key `pokemon-service:RegistrationDate`.
Expected one of the following defined condition keys:
[`pokemon-service:PokemonSpeciesName`]
```
But pokemon-species:PokemonSpeciesName is not a condition key. This set seems to be containing resource IDs too.
From the specification on deriving condition keys:
> A resource's condition keys include those that are inferred from their identifiers, including the resource's ancestors, and those applied via the aws.iam#conditionKeys trait. Condition keys for resource identifiers are automatically inferred unless explicitly configured not to via the aws.iam#disableConditionKeyInference trait.
Isn't deriving a condition key from a resource id superfluous? It's a condition key whose value is identical to the value of the resource id in the request. Why not use the resource id directly then?
Yes, it is. This functionality has been in place for quite some time, however, so we adjusted aws.iam#disableConditionKeyInference to be applicable at the service level.
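
The derivation rule quoted from the specification and the service-level opt-out mentioned in the reply, as a simplified Python model (an added example, not Smithy's validator code). The class and function names are hypothetical, and the inferred key naming is assumed from the `pokemon-service:PokemonSpeciesName` value in the error output.

```python
# Added illustration: a simplified model of condition-key derivation, not Smithy's code.
from dataclasses import dataclass, field


@dataclass
class Resource:
    name: str
    identifiers: list
    operations: dict                  # operation name -> its @conditionKeys values
    disable_inference: bool = False   # aws.iam#disableConditionKeyInference on the resource


@dataclass
class Service:
    arn_namespace: str
    resources: list
    defined_keys: set = field(default_factory=set)  # names from @defineConditionKeys
    disable_inference: bool = False   # the same trait applied at service level


def inferred_keys(service, resource):
    """Keys derived from resource identifiers. Naming is an assumption taken from
    the page's output: <arnNamespace>:<ResourceName><IdentifierName capitalized>."""
    if service.disable_inference or resource.disable_inference:
        return set()
    return {f"{service.arn_namespace}:{resource.name}{i[0].upper()}{i[1:]}"
            for i in resource.identifiers}


def known_keys(service):
    """Explicitly defined keys plus every inferred identifier key."""
    keys = set(service.defined_keys)
    for r in service.resources:
        keys |= inferred_keys(service, r)
    return keys


def undefined_references(service):
    """(operation, key, sorted expected set) for each reference to an unknown key."""
    known = known_keys(service)
    return [(op, key, sorted(known))
            for r in service.resources
            for op, keys in r.operations.items()
            for key in keys if key not in known]


def pokemon_model(defined=(), disable_inference=False):
    """The page's model rebuilt as data (constructed sample input)."""
    species = Resource("PokemonSpecies", ["name"],
                       {"GetPokemonSpecies": ["pokemon-service:RegistrationDate"]})
    return Service("pokemon-service", [species], set(defined), disable_inference)
```

With inference left on, the only "expected" key is the one inferred from the `name` identifier, which is why the resource identifier shows up in the error's list of defined condition keys.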