SimulatePrincipalpolicy:: Python SDK does not work with regular expressions #4099

amitdwivedi-broadcom · 2024-04-25T15:54:20Z

Describe the bug

Simulate policy API which helps us to check the effective permission for role is not working if the policy associated with role has regex like arn:aws::s3:* for resource or any such regex. It still gives that the permission is denied for actions which has resources associated with.

Problem in Python AWS SDK

API: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam/paginator/SimulatePrincipalPolicy.html

example::
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"iam:GetContextKeysForCustomPolicy",
"iam:GetContextKeysForPrincipalPolicy",
"iam:SimulateCustomPolicy",
"iam:SimulatePrincipalPolicy"
],
"Effect": "Allow",
"Resource": "arn:aws::s3:*"
}
]
}

Expected Behavior

For a given role and the policy mentioned above we should get allowed effect for actions mentioned in the policy, however we get denied as effect. if we change "Resource": "arn:aws::s3:" to "Resource": "" this works as expected

Current Behavior

For a given role and the policy mentioned above we should get allowed effect for actions mentioned in the policy, however we get denied as effect. if we change "Resource": "arn:aws::s3:" to "Resource": "" this works as expected

Reproduction Steps

Create a policy and a role
The policy should have regex in Resource field
Write a POC using simulatePrinciplePolicy using this role and policy you created

Possible Solution

Ideally "arn:aws::s3:*" should be treated as * and it should give the same result

Additional Information/Context

No response

SDK version used

1.28.1

Environment details (OS name and version, etc.)

Ubuntu

tim-finnigan · 2024-04-25T23:08:26Z

Hi @amitdwivedi-broadcom thanks for reaching out. I saw that you opened another issue for this here: aws/aws-sdk#729. Since both the AWS CLI and Boto3 rely on the underlying functionality in Botocore, these issues are essentially duplicates. So I'll go ahead and close this as a duplicate and follow up on the CLI issue. Since the issue you reported relates to the SimulatePrincipalPolicy API, we will likely need to forward this to the IAM service team for review.

github-actions · 2024-04-25T23:08:58Z

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.

amitdwivedi-broadcom added bug This issue is a confirmed bug. needs-triage This issue or PR still needs to be triaged. labels Apr 25, 2024

tim-finnigan self-assigned this Apr 25, 2024

tim-finnigan added investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels Apr 25, 2024

tim-finnigan added duplicate This issue is a duplicate. iam service-api This issue is caused by the service API, not the SDK implementation. and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Apr 25, 2024

tim-finnigan closed this as completed Apr 25, 2024

tim-finnigan mentioned this issue Apr 25, 2024

SimulatePrincipalpolicy:: Python SDK does not work with regular expressions aws/aws-sdk#729

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SimulatePrincipalpolicy:: Python SDK does not work with regular expressions #4099

SimulatePrincipalpolicy:: Python SDK does not work with regular expressions #4099

amitdwivedi-broadcom commented Apr 25, 2024

tim-finnigan commented Apr 25, 2024

github-actions bot commented Apr 25, 2024