
stepfunctions-tasks: mwaa service generates wrong action in role policy #28081

Closed
tam0ri opened this issue Nov 21, 2023 · 2 comments · Fixed by #28082
Labels
@aws-cdk/aws-stepfunctions-tasks bug This issue is a bug. effort/medium Medium work item – several days of effort p2

Comments

@tam0ri
Contributor

tam0ri commented Nov 21, 2023

Describe the bug

The following code properly creates a step in Step Functions:

// `stack` is the enclosing cdk.Stack; `sfn` and `sfn_tasks` are the
// aws_stepfunctions and aws_stepfunctions_tasks modules of aws-cdk-lib.
const listEnvs = new sfn_tasks.CallAwsService(stack, 'ListMWAAEnvironments', {
  service: 'mwaa',             // SDK service name
  action: 'listEnvironments',  // SDK action name
  resultPath: sfn.JsonPath.DISCARD,
  iamResources: ['*'],
});

However, it creates a wrong statement in the role policy:

        {
            "Action": "mwaa:listEnvironments",
            "Resource": "*",
            "Effect": "Allow"
        }

The correct service prefix for MWAA is airflow.
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedworkflowsforapacheairflow.html

Amazon Managed Workflows for Apache Airflow (service prefix: airflow) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

This issue is similar to #27573.

Expected Behavior

Action should be airflow:listEnvironments

Current Behavior

Action is mwaa:listEnvironments

Reproduction Steps

Sample code for reproduction is below:

import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import {
  aws_stepfunctions as sfn,
  aws_stepfunctions_tasks as sfn_tasks,
} from 'aws-cdk-lib';

export class SfnMwaaStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // The task must be scoped to this stack (`this`), not to the parent `scope`.
    const listEnvs = new sfn_tasks.CallAwsService(this, 'ListMWAAEnvironments', {
      service: 'mwaa',             // SDK service name
      action: 'listEnvironments',  // SDK action name
      resultPath: sfn.JsonPath.DISCARD,
      iamResources: ['*'],
    });

    // Synthesizing this state machine renders the role policy with
    // "mwaa:listEnvironments" instead of "airflow:listEnvironments".
    new sfn.StateMachine(this, 'SimpleStateMachine', {
      definitionBody: sfn.DefinitionBody.fromChainable(listEnvs),
    });
  }
}

Possible Solution

Adding mwaa into iamServiceMap. I'll submit a PR later.

// Current map from SDK service name to IAM service prefix in CallAwsService.
const iamServiceMap: Record<string, string> = {
  sfn: 'states',
  cloudwatchlogs: 'logs',
};

Additional Information/Context

No response

CDK CLI Version

v2.110.0

Framework Version

No response

Node.js Version

v18.17.1

OS

Linux

Language

TypeScript

Language Version

No response

Other information

No response
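The following is an added example, not code from aws-cdk or from the issue author. It models how CallAwsService derives the task policy action from `service` and `action` (the derivation through `iamServiceMap` is an assumption based on the map quoted above), shows the result before and after the `mwaa: 'airflow'` entry is added, and adds a synth-time check that flags any rendered action whose prefix is not a known IAM service prefix. `iamAction` is a real CallAwsServiceProps field; the prefix list is a constructed subset of the Service Authorization Reference.

```typescript
// Added example (not aws-cdk code): model CallAwsService's IAM action derivation
// and check rendered statements against known IAM service prefixes.

interface CallAwsServiceProps {
  service: string;        // SDK service name, e.g. 'mwaa'
  action: string;         // SDK action name, e.g. 'listEnvironments'
  iamResources: string[];
  iamAction?: string;     // explicit override of the IAM action (real CDK prop)
}

interface PolicyStatement {
  Action: string | string[];
  Resource: string | string[];
  Effect: 'Allow';
}

// Map as quoted in the issue, i.e. before the fix.
const iamServiceMapBefore: Record<string, string> = {
  sfn: 'states',
  cloudwatchlogs: 'logs',
};

// Same map with the entry the fix adds.
const iamServiceMapAfter: Record<string, string> = {
  ...iamServiceMapBefore,
  mwaa: 'airflow',
};

// Assumed derivation: iamAction wins outright; otherwise the SDK service name is
// translated through the map and falls back to itself when it has no entry.
function buildTaskStatement(
  props: CallAwsServiceProps,
  iamServiceMap: Record<string, string>,
): PolicyStatement {
  const iamService = iamServiceMap[props.service] ?? props.service;
  const action = props.iamAction ?? `${iamService}:${props.action}`;
  const resource = props.iamResources.length === 1 ? props.iamResources[0] : props.iamResources;
  return { Action: action, Resource: resource, Effect: 'Allow' };
}

// Constructed subset of service prefixes from the Service Authorization
// Reference; a real check would load the complete list.
const KNOWN_IAM_PREFIXES: ReadonlySet<string> = new Set([
  'airflow', 'states', 'logs', 's3', 'lambda', 'dynamodb', 'sqs', 'sns',
]);

// Return every action in a statement whose prefix is not a known IAM prefix.
// IAM matches action names case-insensitively, so the prefix is lower-cased.
// An empty result means every action in the statement is well-formed.
function findUnknownPrefixes(
  statement: PolicyStatement,
  known: ReadonlySet<string> = KNOWN_IAM_PREFIXES,
): string[] {
  const actions = Array.isArray(statement.Action) ? statement.Action : [statement.Action];
  return actions.filter((a) => {
    const idx = a.indexOf(':');
    if (idx <= 0) return true;                    // malformed: no "prefix:Action"
    return !known.has(a.slice(0, idx).toLowerCase());
  });
}

// Walk the issue's case through the model, including the iamAction workaround
// that pins the correct prefix on CDK versions that lack the map entry.
function demo() {
  const props: CallAwsServiceProps = {
    service: 'mwaa',
    action: 'listEnvironments',
    iamResources: ['*'],
  };
  const before = buildTaskStatement(props, iamServiceMapBefore);
  const after = buildTaskStatement(props, iamServiceMapAfter);
  const pinned = buildTaskStatement(
    { ...props, iamAction: 'airflow:ListEnvironments' },
    iamServiceMapBefore,
  );
  return {
    before: before.Action,                       // 'mwaa:listEnvironments'
    after: after.Action,                         // 'airflow:listEnvironments'
    pinned: pinned.Action,                       // 'airflow:ListEnvironments'
    unknownBefore: findUnknownPrefixes(before),  // ['mwaa:listEnvironments']
    unknownAfter: findUnknownPrefixes(after),    // []
  };
}

console.log(demo());
```

The `findUnknownPrefixes` check is the part worth keeping: a policy granting `mwaa:listEnvironments` is not a security hole, it is simply a permission that never matches, so the state machine fails at runtime with an AccessDenied rather than at deploy time. Running the check over the synthesized AWS::IAM::Policy statements (for example from a CDK assertions test) turns that into a build failure. On a pinned CDK version without the fix, setting `iamAction` explicitly, as in `pinned`, is the workaround.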

@pahud
Contributor

pahud commented Nov 21, 2023

Thank you for your PR!

@pahud pahud added p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Nov 21, 2023
@mergify mergify bot closed this as completed in #28082 Dec 5, 2023
mergify bot pushed a commit that referenced this issue Dec 5, 2023
… policy (#28082)

When we use CallAwsService for a Step Functions task, CDK generates an IAM policy to grant permission for the API call. However, if we specify `mwaa` as the service in CallAwsService, CDK generates a wrong policy statement such as `mwaa:listEnvironments`. The correct service prefix for MWAA is `airflow`.

https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedworkflowsforapacheairflow.html
> Amazon Managed Workflows for Apache Airflow (service prefix: airflow) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

This PR solves the issue by adding `mwaa` into iamServiceMap. This is similar to #27623.

Closes #28081

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
