Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(aws-stepfunctions): cross-region grantRead not working #17982

Closed
mrudelle opened this issue Dec 13, 2021 · 2 comments · Fixed by #19026
Closed

(aws-stepfunctions): cross-region grantRead not working #17982

mrudelle opened this issue Dec 13, 2021 · 2 comments · Fixed by #19026
Labels
@aws-cdk/aws-stepfunctions Related to AWS StepFunctions bug This issue is a bug. effort/small Small work item – less than a day of effort p1

Comments

@mrudelle
Copy link

mrudelle commented Dec 13, 2021
edited
Loading

What is the problem?

When working with a stack in one region and giving it read access to a state machine on another region the policy statement regarding execution points to executions in the wrong region.

Reproduction Steps

Create a basic stack with a role and a step function (step function must be in an other region than the environment)

#!/usr/bin/env python3
import os

from aws_cdk import (
    core as cdk
)

from tmp_cdk_issue.tmp_cdk_issue_stack import TmpCdkIssueStack


app = cdk.App()
TmpCdkIssueStack(app, "TmpCdkIssueStack",
    env=cdk.Environment(account='123456789012', region='us-east-1'))

app.synth()

and

from aws_cdk import (
    aws_iam as iam,
    core as cdk,
    aws_stepfunctions as sfn
)

class TmpCdkIssueStack(cdk.Stack):

    def __init__(self, scope: cdk.Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)

        smc = sfn.StateMachine.from_state_machine_arn(
            self,
            id=f"SomeStateMachineInEUCentral1",
            state_machine_arn=f"arn:aws:states:eu-central-1:123456789012:stateMachine:myStateMachine")

        r = iam.Role(self, 'SomeRole', assumed_by=iam.ServicePrincipal('ecs-tasks.amazonaws.com'))

        smc.grant_read(r)

What did you expect to happen?

synth should produce the following policy:

SomeRoleDefaultPolicy32D3777A:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - states:ListExecutions
              - states:ListStateMachines
            Effect: Allow
            Resource: arn:aws:states:eu-central-1:123456789012:stateMachine:myStateMachine
          - Action:
              - states:DescribeExecution
              - states:DescribeStateMachineForExecution
              - states:GetExecutionHistory
            Effect: Allow
            Resource:
              Fn::Join:
                - ""
                - - "arn:"
                  - Ref: AWS::Partition
                  - :states:eu-central-1:123456789012:execution:myStateMachine:*
          - Action:
              - states:ListActivities
              - states:DescribeStateMachine
              - states:DescribeActivity
            Effect: Allow
            Resource: "*"
        Version: "2012-10-17"
      PolicyName: SomeRoleDefaultPolicy32D3777A
      Roles:
        - Ref: SomeRole6DDC54DD
    Metadata:
      aws:cdk:path: TmpCdkIssueStack/SomeRole/DefaultPolicy/Resource

The second action statement points to executions in eu-central-1

What actually happened?

Instead the following policy is created:

SomeRoleDefaultPolicy32D3777A:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - states:ListExecutions
              - states:ListStateMachines
            Effect: Allow
            Resource: arn:aws:states:eu-central-1:123456789012:stateMachine:myStateMachine
          - Action:
              - states:DescribeExecution
              - states:DescribeStateMachineForExecution
              - states:GetExecutionHistory
            Effect: Allow
            Resource:
              Fn::Join:
                - ""
                - - "arn:"
                  - Ref: AWS::Partition
                  - :states:us-east-1:123456789012:execution:myStateMachine:*
          - Action:
              - states:ListActivities
              - states:DescribeStateMachine
              - states:DescribeActivity
            Effect: Allow
            Resource: "*"
        Version: "2012-10-17"
      PolicyName: SomeRoleDefaultPolicy32D3777A
      Roles:
        - Ref: SomeRole6DDC54DD
    Metadata:
      aws:cdk:path: TmpCdkIssueStack/SomeRole/DefaultPolicy/Resource

The second action statement points to executions in us-east-1

CDK CLI Version

1.134.0 (build dd5e12d)

Framework Version

No response

Node.js Version

v14.16.1

OS

Mac OS Monterey 12.0.1

Language

Python

Language Version

3.9.7

Other information

We fixed it in our stack by re-implementing grant_read, more specifically by changing how the execution arn is created. The function executionArn (link) does not specify the region so the stack's region is used instead, hence the discrepancy. Replacing this function by something like this worked for us:

arn_info = Arn.split(the_step_fn.state_machine_arn, ArnFormat.COLON_RESOURCE_NAME)
execution_arn = Stack.of(self).format_arn(
    resource='execution',
    service='states',
    region=arn_info.region,
    resource_name=arn_info.resource_name,
    arn_format=ArnFormat.COLON_RESOURCE_NAME,
)

I can propose a PR with a fix and some tests if needed
@mrudelle mrudelle added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Dec 13, 2021
@github-actions github-actions bot added the @aws-cdk/aws-stepfunctions Related to AWS StepFunctions label Dec 13, 2021
@peterwoodworth peterwoodworth added effort/small Small work item – less than a day of effort p1 and removed needs-triage This issue or PR still needs to be triaged. labels Dec 14, 2021
@kaizencc
Copy link
Contributor

Thanks for the bug report @mrudelle! A PR to fix this would be greatly appreciated!

@kaizencc kaizencc removed their assignment Dec 17, 2021
@flavioleggio flavioleggio mentioned this issue Jan 29, 2022
Closed
@kaizencc kaizencc mentioned this issue Feb 17, 2022
Merged
@mergify mergify bot closed this as completed in #19026 Feb 18, 2022
mergify bot pushed a commit that referenced this issue Feb 18, 2022
@kaizencc
fix(stepfunctions): imported State Machine sill has region and accoun…
23329b4 
…t from its Stack, instead of its ARN (#19026)

Fixes #17982.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

TikiTDO pushed a commit to TikiTDO/aws-cdk that referenced this issue Feb 21, 2022
@kaizencc @TikiTDO
fix(stepfunctions): imported State Machine sill has region and accoun…
4356a5c 
…t from its Stack, instead of its ARN (aws#19026)

Fixes aws#17982.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-stepfunctions Related to AWS StepFunctions bug This issue is a bug. effort/small Small work item – less than a day of effort p1
Projects
None yet
Milestone
No milestone
3 participants
@mrudelle @kaizencc @peterwoodworth