(aws-iam): Minimizing assume policies with conditions results in error #28713

@Sordie

Description

Describe the bug

When using the AWS CDK with the "@aws-cdk/aws-iam:minimizePolicies": true setting, an error is encountered when creating a Role with a PrincipalWithConditions. The error suggests that the principals in a PolicyStatement must have the same conditions, even though they do have the same conditions.

Expected Behavior

The AWS CDK should successfully create a Role with a PrincipalWithConditions, even when the "@aws-cdk/aws-iam:minimizePolicies" setting is set to true. The conditions specified for the principals in the PolicyStatement should be correctly merged without causing an error.

Current Behavior

The following error is thrown:

Error: Resolution error: Resolution error: Resolution error: All principals in a PolicyStatement must have the same Conditions (got '{}' and '{"StringEquals":{"aws:SourceAccount":"${Token[AWS.AccountId.3]}"}}'). Use multiple statements instead..
Object creation stack:
  at stack traces disabled..
    at PolicyStatement.addPrincipalConditions (.../node_modules/aws-cdk-lib/aws-iam/lib/policy-statement.js:2:7201)
    at PolicyStatement.addPrincipals (.../node_modules/aws-cdk-lib/aws-iam/lib/policy-statement.js:2:2407)
    at new PolicyStatement (.../node_modules/aws-cdk-lib/aws-iam/lib/policy-statement.js:2:663)
    at PolicyStatement.copy (.../node_modules/aws-cdk-lib/aws-iam/lib/policy-statement.js:2:6086)
    at mergeIfCombinable (.../node_modules/aws-cdk-lib/aws-iam/lib/private/merge-statements.js:1:1847)
    at onePass (.../node_modules/aws-cdk-lib/aws-iam/lib/private/merge-statements.js:1:1032)
    at mergeStatements (.../node_modules/aws-cdk-lib/aws-iam/lib/private/merge-statements.js:1:660)
    at PolicyDocument._maybeMergeStatements (.../node_modules/aws-cdk-lib/aws-iam/lib/policy-document.js:1:3033)
    at PolicyDocument.resolve (.../node_modules/aws-cdk-lib/aws-iam/lib/policy-document.js:1:1755)
    at RememberingTokenResolver.resolveToken (.../node_modules/aws-cdk-lib/core/lib/resolvable.js:1:1401)

Reproduction Steps

// Imports added for completeness; the snippet below runs inside a Stack (or Construct) constructor, hence `this`.
import { Stack } from "aws-cdk-lib";
import {
  Effect,
  PolicyStatement,
  PrincipalWithConditions,
  Role,
  ServicePrincipal,
} from "aws-cdk-lib/aws-iam";

// Service principal restricted to this account via aws:SourceAccount (confused-deputy guard).
const principal = new PrincipalWithConditions(
  new ServicePrincipal("scheduler.amazonaws.com"),
  {
    StringEquals: {
      "aws:SourceAccount": Stack.of(this).account,
    },
  }
);

// The Role's default trust statement already uses the conditioned principal.
const role = new Role(this, "Role", {
  assumedBy: principal,
});

// Adding a second statement with the same conditioned principal triggers the
// merge error when "@aws-cdk/aws-iam:minimizePolicies" is true.
role.assumeRolePolicy?.addStatements(
  new PolicyStatement({
    effect: Effect.ALLOW,
    principals: [principal],
    actions: ["sts:AssumeRole"],
  })
);

Possible Solution

I think the issue might originate from here: main/packages/aws-cdk-lib/aws-iam/lib/private/merge-statements.ts:54, but I can't pinpoint it exactly.

Additional Information/Context

It's worth noting that this issue has downstream effects, impacting the functionality of aws-scheduler-targets when using the same lambda with two schedulers.

// Imports added for completeness; at CDK 2.121.x the scheduler constructs live in the alpha modules.
import { Code, Function, Runtime } from "aws-cdk-lib/aws-lambda";
import { Schedule, ScheduleExpression } from "@aws-cdk/aws-scheduler-alpha";
import { LambdaInvoke } from "@aws-cdk/aws-scheduler-targets-alpha";

const func = new Function(this, "Function", {
  code: Code.fromInline("exports.handler = () => {}"),
  handler: "index.handler",
  runtime: Runtime.NODEJS_18_X,
});

// Each LambdaInvoke target creates/extends a scheduler role whose trust policy
// carries the aws:SourceAccount condition; the second schedule reuses that role.
new Schedule(this, "Schedule1", {
  schedule: ScheduleExpression.cron({}),
  target: new LambdaInvoke(func, {}),
});

new Schedule(this, "Schedule2", {
  schedule: ScheduleExpression.cron({}),
  target: new LambdaInvoke(func, {}),
});

CDK CLI Version

2.121.1

Framework Version

No response

Node.js Version

18.19.0

OS

macOS 14.2.1

Language

TypeScript

Language Version

No response

Other information

No response
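The merge rule the error message describes ("All principals in a PolicyStatement must have the same Conditions"), as an added TypeScript illustration that is not CDK's own merge-statements code: two trust statements are combined only when their effect, actions and conditions are identical, so the aws:SourceAccount-guarded statement from the report is never folded together with an unguarded one for the same service principal. The account id and statement shapes are constructed sample values.

```typescript
// Added illustration of condition-aware statement merging (not aws-cdk-lib code).
interface Statement {
  effect: "Allow" | "Deny";
  actions: string[];
  principals: string[];
  conditions: Record<string, Record<string, string>>;
}

// Canonical JSON (sorted keys) so key order cannot defeat the equality check.
export function canonical(value: unknown): string {
  if (Array.isArray(value)) return "[" + value.map(canonical).join(",") + "]";
  if (value && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    return "{" + Object.keys(obj).sort()
      .map((k) => JSON.stringify(k) + ":" + canonical(obj[k])).join(",") + "}";
  }
  return JSON.stringify(value);
}

// Statements may be merged only if everything except the principal list is identical,
// including the Condition block; differing conditions must stay as separate statements.
export function combinable(a: Statement, b: Statement): boolean {
  return a.effect === b.effect
    && canonical([...a.actions].sort()) === canonical([...b.actions].sort())
    && canonical(a.conditions) === canonical(b.conditions);
}

export function mergeStatements(statements: Statement[]): Statement[] {
  const out: Statement[] = [];
  for (const s of statements) {
    const target = out.find((t) => combinable(t, s));
    if (target) {
      // Same conditions: unioning the principals is semantics-preserving.
      for (const p of s.principals) if (!target.principals.includes(p)) target.principals.push(p);
    } else {
      out.push({ ...s, actions: [...s.actions], principals: [...s.principals] });
    }
  }
  return out;
}

// Constructed sample: the guarded trust statement from the report twice (Role default
// statement plus the explicitly added one) and an unguarded statement for the same service.
const guarded: Statement = {
  effect: "Allow", actions: ["sts:AssumeRole"], principals: ["scheduler.amazonaws.com"],
  conditions: { StringEquals: { "aws:SourceAccount": "123456789012" } },
};
const unguarded: Statement = { ...guarded, conditions: {} };

export const merged = mergeStatements([guarded, { ...guarded }, unguarded]);
```

`merged` holds two statements: the two guarded copies collapse into one, and the unguarded statement remains separate instead of being merged into the guarded one or raising an error.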
