Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

stepfunctions-tasks: mediapackagevod service generates wrong action in role policy #28774

Closed
orekav opened this issue Jan 19, 2024 · 2 comments · Fixed by #28775
Closed

stepfunctions-tasks: mediapackagevod service generates wrong action in role policy #28774

orekav opened this issue Jan 19, 2024 · 2 comments · Fixed by #28775
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management @aws-cdk/aws-stepfunctions-tasks bug This issue is a bug. effort/medium Medium work item – several days of effort p2

Comments

@orekav
Copy link
Contributor

orekav commented Jan 19, 2024

Describe the bug

Following code is properly creates a step in Step Functions

new sfn_tasks.CallAwsService(stack, 'DeleteMediaPackageVoDAsset', {
  service: 'mediapackagevod',
  action: 'deleteAsset',
  resultPath: sfn.JsonPath.DISCARD,
  iamResources: ['*'],
});

However, it creates wrong statement in the role policy.

        {
            "Action": "mediapackagevod:deleteAsset",
            "Resource": "*",
            "Effect": "Allow"
        }

Correct service prefix for MediaPackageVoD is mediapackage-vod.
https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediapackagevod.html

This issue is similar with #27573 and #28081.

Expected Behavior

Action should be mediapackage-vod:deleteAsset

Current Behavior

Action is mediapackagevod:deleteAsset

Reproduction Steps

Sample code for reproduction is below:

import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import {
  aws_stepfunctions as sfn,
  aws_stepfunctions_tasks as sfn_tasks,
} from 'aws-cdk-lib';

export class SfnMediaPackageVoDStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const deleteAsset = new sfn_tasks.CallAwsService(stack, 'DeleteMediaPackageVoDAsset', {
      service: 'mediapackagevod',
      action: 'deleteAsset',
      resultPath: sfn.JsonPath.DISCARD,
      iamResources: ['*'],
    });
  
    new sfn.StateMachine(this, 'SimpleStateMachine', {
      definitionBody: sfn.DefinitionBody.fromChainable(deleteAsset)
    });
  }
}

Possible Solution

aws-cdk/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/aws-sdk/call-aws-service.ts

Additional Information/Context

No response

CDK CLI Version

2.122.0

Framework Version

No response

Node.js Version

v18.19.0

OS

MacOS

Language

TypeScript

Language Version

No response

Other information

No response

@orekav orekav added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 19, 2024
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Jan 19, 2024
@orekav orekav changed the title (module name): (short issue description) stepfunctions-tasks: mediapackagevod service generates wrong action in role policy Jan 19, 2024
@pahud
Copy link
Contributor

pahud commented Jan 19, 2024

Thank you for the report and pull request.

@pahud pahud added p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Jan 19, 2024
@mergify mergify bot closed this as completed in #28775 Jan 31, 2024
mergify bot pushed a commit that referenced this issue Jan 31, 2024
…ion in role policy (#28775)

When we use CallAwsService for Step Functions task, CDK generates IAM policy to grant permission regarding the API call. However, if we specify `mediapackagevod` as service in CallAwsService, CDK generates wrong policy statement such as `mediapackagevod:deleteAsset`. Correct service prefix for MediaPackageVOD is `mediapackage-vod`.

https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediapackagevod.html

> Amazon MediaPackageVOD (service prefix: mediapackage-vod) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

This PR solves the issue by adding mediapackagevod into iamServiceMap. This is similar with #27623 and #28082.

Closes #28774.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

SankyRed pushed a commit that referenced this issue Feb 8, 2024
…ion in role policy (#28775)

When we use CallAwsService for Step Functions task, CDK generates IAM policy to grant permission regarding the API call. However, if we specify `mediapackagevod` as service in CallAwsService, CDK generates wrong policy statement such as `mediapackagevod:deleteAsset`. Correct service prefix for MediaPackageVOD is `mediapackage-vod`.

https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediapackagevod.html

> Amazon MediaPackageVOD (service prefix: mediapackage-vod) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

This PR solves the issue by adding mediapackagevod into iamServiceMap. This is similar with #27623 and #28082.

Closes #28774.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management @aws-cdk/aws-stepfunctions-tasks bug This issue is a bug. effort/medium Medium work item – several days of effort p2
Projects
None yet
2 participants