Remove principal type AWS from IAM policy wildcard normalization #4248
I think this is a good idea, but we should add some additional user-facing documentation surrounding the various principal behaviors on the

MAINTAINER NOTE: This will require a NOTE callout in the CHANGELOG, preferably linking to the above documentation enhancements.

@bflad, added new section in docs about wildcard principals.
Thanks @spirius! I think this is a good change to get in as it is technically more correct/expected behavior. I will write up a note in the CHANGELOG regarding this change, as it's bound to cause some initial confusion for those depending on the old behavior.

This has been released in version 1.19.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
The normalized IAM policies for wildcard principals are not accepted by IAM when used as a trust policy for roles. According to the AWS IAM docs it should be fine, but in practice IAM returns the error

```
MalformedPolicyDocument: AssumeRolepolicy contained an invalid principal: "STAR":"*"
```

Basically, the following Terraform code doesn't work, because it normalizes the principal to `"Principal": "*"`, and it is not possible to get `{"Principal": {"AWS": "*"}}` in the rendered policy when using the `aws_iam_policy_document` data source.

Without normalization it works as expected:

The PR removes principal type "AWS" from normalization.
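The following Go program is an added illustration of the two normalization rules being compared in this PR; it is not the provider's code, and the names `Principal`, `RenderPrincipalOld`, `RenderPrincipalNew`, `AcceptedAsTrustPolicyPrincipal` and `TrustPolicy` are assumptions made for the example. `RenderPrincipalOld` collapses both `type = "*"` and `type = "AWS"` with a lone `"*"` identifier to the bare string `"*"`; `RenderPrincipalNew` collapses only `type = "*"`, so `type = "AWS"` keeps its key and renders as `{"AWS":"*"}`. `AcceptedAsTrustPolicyPrincipal` is a local stand-in for the behaviour reported above (IAM rejecting a bare `"*"` principal in a role trust policy), not a call to IAM.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Principal mirrors a principals {} block of the aws_iam_policy_document data
// source: a principal type ("AWS", "Service", "Federated" or "*") and the
// identifiers listed under it. Names here are illustrative, not the provider's.
type Principal struct {
	Type        string
	Identifiers []string
}

// isWildcard reports whether the block carries a single "*" identifier.
func (p Principal) isWildcard() bool {
	return len(p.Identifiers) == 1 && p.Identifiers[0] == "*"
}

// identifiersValue renders one identifier as a JSON string and several as a
// JSON array, the shape IAM policy documents use.
func identifiersValue(ids []string) interface{} {
	if len(ids) == 1 {
		return ids[0]
	}
	return ids
}

// marshal returns compact JSON for v; only static, marshalable values are passed in.
func marshal(v interface{}) string {
	b, err := json.Marshal(v)
	if err != nil {
		panic(err)
	}
	return string(b)
}

// RenderPrincipalOld reproduces the normalization rule the PR removes: a lone
// "*" identifier under type "*" OR type "AWS" collapses to the bare string "*".
func RenderPrincipalOld(p Principal) string {
	if p.isWildcard() && (p.Type == "*" || p.Type == "AWS") {
		return marshal("*")
	}
	return marshal(map[string]interface{}{p.Type: identifiersValue(p.Identifiers)})
}

// RenderPrincipalNew applies the rule after the PR: only type "*" collapses,
// so type "AWS" with identifier "*" is rendered as {"AWS":"*"}.
func RenderPrincipalNew(p Principal) string {
	if p.isWildcard() && p.Type == "*" {
		return marshal("*")
	}
	return marshal(map[string]interface{}{p.Type: identifiersValue(p.Identifiers)})
}

// AcceptedAsTrustPolicyPrincipal encodes the behaviour the PR reports for role
// trust policies: a bare "*" principal is rejected (the MalformedPolicyDocument
// error quoted above) while {"AWS":"*"} is accepted. This is a local check
// mirroring that observation, not a call to IAM.
func AcceptedAsTrustPolicyPrincipal(rendered string) bool {
	return rendered != `"*"`
}

// TrustPolicy wraps a rendered principal in a minimal sts:AssumeRole statement
// so the effect of each rule is visible in a complete document.
func TrustPolicy(renderedPrincipal string) string {
	return fmt.Sprintf(`{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"sts:AssumeRole","Principal":%s}]}`, renderedPrincipal)
}

func main() {
	// Constructed input: the principals { type = "AWS" identifiers = ["*"] }
	// block from the PR description.
	p := Principal{Type: "AWS", Identifiers: []string{"*"}}
	rules := []struct {
		name   string
		render func(Principal) string
	}{
		{"before #4248", RenderPrincipalOld},
		{"after  #4248", RenderPrincipalNew},
	}
	for _, rule := range rules {
		r := rule.render(p)
		fmt.Printf("%s: principal %s, accepted as trust policy: %v\n%s\n\n",
			rule.name, r, AcceptedAsTrustPolicyPrincipal(r), TrustPolicy(r))
	}
}
```

Run it with `go run .`; the first document carries `"Principal":"*"`, which is the form the PR description reports IAM rejecting for an AssumeRole policy, and the second carries `"Principal":{"AWS":"*"}`. A `principals { type = "*" identifiers = ["*"] }` block still collapses to `"*"` under both rules, which is the documented way to express an anonymous principal in a resource policy.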