Closed
Labels: @aws-cdk/aws-iam (Related to AWS Identity and Access Management), bug (This issue is a bug.), p1
Description
I'm submitting a ...
- 🪲 bug report
What is the current behavior?
When adding multiple conditional principals to the same PolicyStatement that share the same condition key, only one of the conditions ends up in the result:
```ts
import { PolicyStatement, ServicePrincipal } from '@aws-cdk/aws-iam';

// `role` is an iam.Role created earlier; both principals carry a StringEquals condition
if (role.assumeRolePolicy) {
  role.assumeRolePolicy.addStatements(
    new PolicyStatement({
      principals: [
        new ServicePrincipal('myService.amazon.com', {
          conditions: {
            StringEquals: {
              hairColor: 'blond',
              pet: 'cat'
            }
          }
        }),
        new ServicePrincipal('yourservice.amazon.com', {
          conditions: {
            StringEquals: {
              hairColor: 'black'
            }
          }
        })
      ]
    }));
}
```

will result in this template:
```json
"AssumeRolePolicyDocument": {
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": "sqs.amazonaws.com"
      }
    },
    {
      "Condition": {
        "StringEquals": {
          "hairColor": "black"
        }
      },
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "myService.amazon.com",
          "yourservice.amazon.com"
        ]
      }
    }
  ],
  "Version": "2012-10-17"
}
```

This is because the conditions are added to a map in the statement, which causes the first added principal's conditions to be overridden:
```ts
public addConditions(conditions: {[key: string]: any}) {
  Object.keys(conditions).map(key => {
    this.addCondition(key, conditions[key]);
  });
}
```

Adding each principal in its own statement results in the correct behavior. If this is the expected behavior, maybe it would be better to not allow multiple conditioned principals to be added to a single statement (like in the composite principals).
Please tell us about your environment:
- CDK CLI Version: 1.0
- Module Version: 1.0
pbsinclair42
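Added example, not code from the aws-cdk project: it models with plain TypeScript objects how a per-operator shallow merge like the quoted `addConditions` drops conditions, reports which condition keys are lost from the template, and builds the one-statement-per-principal shape that keeps them. The principal and condition values are the ones from the report; the type and function names are my own.

```typescript
// Plain-object model of the reported behaviour (no CDK imports; names are assumed).
type Conditions = Record<string, Record<string, string>>;
interface ConditionedPrincipal { service: string; conditions: Conditions; }

// Constructed sample: the two principals from the report.
const samplePrincipals: ConditionedPrincipal[] = [
  { service: 'myService.amazon.com',   conditions: { StringEquals: { hairColor: 'blond', pet: 'cat' } } },
  { service: 'yourservice.amazon.com', conditions: { StringEquals: { hairColor: 'black' } } },
];

// Shallow merge keyed by operator, as the quoted addConditions does: a later
// principal's "StringEquals" block replaces an earlier one wholesale.
function shallowMergeConditions(principals: ConditionedPrincipal[]): Conditions {
  const merged: Conditions = {};
  for (const p of principals) {
    for (const op of Object.keys(p.conditions)) merged[op] = p.conditions[op];
  }
  return merged;
}

// Lists every operator/key=value the merge silently drops or rewrites, i.e. the
// conditions a reviewer should expect to be missing from the synthesized template.
function lostConditionKeys(principals: ConditionedPrincipal[]): string[] {
  const merged = shallowMergeConditions(principals);
  const lost: string[] = [];
  for (const p of principals) {
    for (const [op, kv] of Object.entries(p.conditions)) {
      for (const [k, v] of Object.entries(kv)) {
        if (merged[op]?.[k] !== v) lost.push(`${op}/${k}=${v}`);
      }
    }
  }
  return lost;
}

// Safe shape: one statement per conditioned principal, so each keeps its own
// conditions and no condition is applied to a principal it was not written for.
function splitIntoStatements(principals: ConditionedPrincipal[]) {
  return principals.map(p => ({
    Effect: 'Allow',
    Action: 'sts:AssumeRole',
    Principal: { Service: p.service },
    Condition: p.conditions,
  }));
}
```

Running `lostConditionKeys(samplePrincipals)` on the report's input reproduces the loss of `hairColor=blond` and `pet=cat`, while `splitIntoStatements` yields two statements that each retain their full condition block.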