IAM Docs Feedback: Wrong condition operator modifier?

0

I am trying to provide feedback on this IAM docs page. When I click the feedback link, it takes me to here which fails when I submit with this error:

HTTP Status 400 – Bad Request

Type Exception Report
Message Request header is too large
Description The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).
Exception
java.lang.IllegalArgumentException: Request header is too large
	org.apache.coyote.http11.Http11InputBuffer.parseHeaders(Http11InputBuffer.java:629)
	org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:535)
	org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
	org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:847)
	org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1680)
	org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
	org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
	org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	java.lang.Thread.run(Thread.java:750)
Note The full stack trace of the root cause is available in the server logs.

Apache Tomcat/8.5.75

Consequently, I'll provide my feedback here. Reading over the docs here, it would appear you are using the wrong condition operator modifier on this page.

Wouldn't this require that SourceIdentity be set to both Saanvi and Diego, not either or:

"StringLike": {
          "sts:SourceIdentity": [
            "Saanvi",
            "Diego"
          ]
        }

Shouldn't it be?:

"ForAnyValue:StringEquals": {
          "sts:SourceIdentity": [
            "Saanvi",
            "Diego"
          ]
        }

Also you appear to arbitrarily be using StringLike instead of StringEquals throughout:

"Condition": {
        "StringLike": {
          "sts:SourceIdentity": "${aws:username}"
        }
      }

Although there are no wildcards in this if you want an exact match, wouldn't it be more clear to use StringEquals?

perpil
asked 2 years ago, 318 views
1 Answer
0

Ok, I think I understand now how the first part is working. It appears that the key sts:SourceIdentity has a single value. When you use StringLike/StringEquals on a single value key and provide an array of matches, it passes if any of those items in the array are true. That is shown in an example on this page. Is it possible to explicitly document the behavior here when you use an array vs a string as a key value or point me to where that behavior is defined?

For example:

If the key value is a string and you use StringEquals, it passes only if it matches:

"Condition": {
        "StringEquals": {
          "sts:SourceIdentity": "Saanvi"
        }
      }

If the key value is an array of strings, any one of them matching makes it pass.

"Condition": {
        "StringEquals": {
          "sts:SourceIdentity": [
            "Saanvi",
            "Diego"
          ]
        }
      }
perpil
answered 2 years ago
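
A simplified model of the behaviour discussed in this thread, added here as an example (it is not part of the original question or answer, and it is not AWS's evaluation engine): values listed under one condition key are ORed, while separate keys and operators are ANDed. The function `condition_matches`, the request contexts, and the wildcard value `Saan*` are constructed for illustration; only single-valued keys and the two operators from the thread are modelled.

```python
import re


def _string_like(pattern, value):
    # StringLike: case-sensitive; '*' matches any run of characters, '?' exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


OPERATORS = {
    "StringEquals": lambda pattern, value: pattern == value,  # exact, case-sensitive
    "StringLike": _string_like,
}


def condition_matches(condition, context):
    """Evaluate a Condition block against a request context (hypothetical helper)."""
    for operator, keys in condition.items():        # operators are ANDed
        test = OPERATORS[operator]
        for key, expected in keys.items():          # keys are ANDed
            if key not in context:                  # absent key: no match
                return False
            values = expected if isinstance(expected, list) else [expected]
            # Values listed for one key are ORed: any single match is enough.
            if not any(test(v, context[key]) for v in values):
                return False
    return True


# Condition blocks taken from the thread.
LIKE_LIST = {"StringLike": {"sts:SourceIdentity": ["Saanvi", "Diego"]}}
EQUALS_LIST = {"StringEquals": {"sts:SourceIdentity": ["Saanvi", "Diego"]}}
# Constructed value showing where the two operators diverge.
LIKE_WILDCARD = {"StringLike": {"sts:SourceIdentity": "Saan*"}}
EQUALS_WILDCARD = {"StringEquals": {"sts:SourceIdentity": "Saan*"}}

if __name__ == "__main__":
    for name in ("Saanvi", "Diego", "Mallory"):     # constructed request contexts
        ctx = {"sts:SourceIdentity": name}
        print(name,
              condition_matches(LIKE_LIST, ctx),
              condition_matches(EQUALS_LIST, ctx),
              condition_matches(LIKE_WILDCARD, ctx),
              condition_matches(EQUALS_WILDCARD, ctx))
```

With no wildcard in the policy values the two operators give the same result, so `StringEquals` states the intent more clearly and cannot be broadened later by a stray `*` or `?` in a value.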
