
Commit 67e83d1

authored
Merge pull request #607 from jormaechea/eventbridge-scheduler-permissions-fix
fix: added missing support for IAM PassRole of tasks that create Even…
2 parents 48c6bb0 + 84e6648 commit 67e83d1


2 files changed

+12
-4
lines changed


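--- a/lib/deploy/stepFunctions/compileIamRole.js
+++ b/lib/deploy/stepFunctions/compileIamRole.js
@@ -563,6 +563,7 @@ function getEventBridgePermissions(state) {
 
 function getEventBridgeSchedulerPermissions(state) {
 const scheduleGroupName = state.Parameters.GroupName;
+const scheduleTargetRoleArn = state.Parameters.Target.RoleArn;
 
 return [
 {
@@ -574,6 +575,10 @@ function getEventBridgeSchedulerPermissions(state) {
 ],
 },
 },
+{
+action: 'iam:PassRole',
+resource: scheduleTargetRoleArn,
+},
 ];
 }
 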
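Review bot: The new line 566 reads `state.Parameters.Target.RoleArn` unconditionally, so a task whose `Target` block is absent, or whose role is supplied as a dynamic path (`RoleArn.$`) rather than a literal, will either throw a TypeError during compilation or emit an `iam:PassRole` statement whose resource is `undefined`; whether a caller filters such statements later is not visible here. Consider appending the statement only when a static ARN is present, e.g. `const scheduleTargetRoleArn = state.Parameters.Target && state.Parameters.Target.RoleArn;` and then `...(scheduleTargetRoleArn ? [{ action: 'iam:PassRole', resource: scheduleTargetRoleArn }] : [])` in the returned array, or fail with a clear error message naming the missing field. Scoping `iam:PassRole` to the exact target role, as the second hunk does, is the right least-privilege choice; if the `{ action, resource }` shape used in this file supports a condition block, restricting the statement with `iam:PassedToService` to the scheduler service would narrow it further. The middle of `getEventBridgeSchedulerPermissions` (new lines 570–574) lies between the two hunks and is outside what is shown.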

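--- a/lib/deploy/stepFunctions/compileIamRole.test.js
+++ b/lib/deploy/stepFunctions/compileIamRole.test.js
@@ -3722,7 +3722,7 @@ describe('#compileIamRole', () => {
 ]);
 });
 
-it('should give event bridge scheduler createSchedule permissions', () => {
+it('should give event bridge scheduler createSchedule and passRole permissions', () => {
 const genStateMachine = id => ({
 id,
 definition: {
@@ -3765,14 +3765,17 @@ describe('#compileIamRole', () => {
 .provider.compiledCloudFormationTemplate.Resources.StateMachine1Role
 .Properties.Policies[0].PolicyDocument.Statement;
 
-const eventPermissions = statements.filter(s => _.isEqual(s.Action, ['scheduler:CreateSchedule']));
-expect(eventPermissions[0].Resource).to.has.lengthOf(1);
-expect(eventPermissions[0].Resource).to.deep.eq([{
+const schedulerPermissions = statements.filter(s => _.isEqual(s.Action, ['scheduler:CreateSchedule']));
+expect(schedulerPermissions[0].Resource).to.has.lengthOf(1);
+expect(schedulerPermissions[0].Resource).to.deep.eq([{
 'Fn::Sub': [
 'arn:${AWS::Partition}:scheduler:${AWS::Region}:${AWS::AccountId}:schedule/${scheduleGroupName}/*',
 { scheduleGroupName: 'MyScheduleGroup' },
 ],
 }]);
+const rolePermissions = statements.filter(s => _.isEqual(s.Action, ['iam:PassRole']));
+expect(rolePermissions[0].Resource).to.has.lengthOf(1);
+expect(rolePermissions[0].Resource).to.deep.eq(['arn:aws:iam::${AWS::AccountId}:role/MyIAMRole']);
 });
 
 it('should handle permissionsBoundary', () => {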
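Review bot: The new assertions at lines 3776–3778 only cover the happy path where the target `RoleArn` is a literal string; there is no case for a schedule target without `RoleArn`, or with it supplied as `RoleArn.$`, which is exactly where the unconditional property read in `getEventBridgeSchedulerPermissions` would break, so a sibling `it(...)` building the same state machine without a static role ARN and asserting that compilation neither throws nor emits an `undefined` PassRole resource would pin that behaviour. Line 3777 also indexes `rolePermissions[0]` before checking that a statement was found at all, so a regression that drops the statement surfaces as a TypeError on `undefined` rather than a readable assertion; add `expect(rolePermissions).to.have.lengthOf(1);` before it. The `it` block starts at 3725 and its fixture between the two hunks is outside what is shown, so whether the state machine contains a second state producing `iam:PassRole` (which would make `[0]` ambiguous) cannot be confirmed from here.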
