[Bug?] IAM Role Trusted Entities' "External ID" More Permissive than STS Service

1

I believe I have found a disparity between how IAM and STS each treat the "External ID" condition that can be added to the trusted entities (assume-role-policy) of an IAM role.

TL;DR seems like IAM allows for spaces to be in the "ExternalId" but the STS service/api rejects AssumeRole requests that have spaces in the external id.

Steps to reproduce - you need 2 AWS accounts:

  • In account A (say account ID 123456789012) create an IAM role with the following "Trusted entities" (assume-role-policy) allowing account B (say account ID 567890123456) to assume it:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::567890123456:root"
                ]
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "something with a space"
                }
            }
        }
    ]
}

Then using an IAM entity in account B (567890123456) (can be an IAM user with full admin permissions for example - or any other IAM entity with permission to sts:AssumeRole the role we created in account A), try the following:

AWS_PROFILE=bug_reproduction aws sts assume-role --role-session-name something-$(date +%s) --role-arn arn:aws:iam::123456789012:role/MyRole --external-id "something with a space"

The CLI will error out with the following error from the STS API:

An error occurred (ValidationError) when calling the AssumeRole operation: 1 validation error detected: Value 'something with a space' at 'externalId' failed to satisfy constraint: Member must satisfy regular expression pattern: [\w+=,.@:\/-]*

Not a question but perhaps this forum post will help AWS folks either reject ExternalIds with spaces in the trusted entities policies OR will change the STS service to allow spaces.

2 Answers
0

I've encountered this as well. In addition to spaces, there are other characters that are permitted in an ExternalID but not permitted by the STS API, meaning that it is possible to create an ExternalId that can't be used.

Paul
answered 2 months ago
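A defensive check for the mismatch the question and the answer above describe, as an added example that is not part of either post and not AWS code: a small linter that reads a role's trust policy (for instance the AssumeRolePolicyDocument returned by `aws iam get-role`) and reports every literal sts:ExternalId value that the STS API would reject under the pattern quoted in the ValidationError on this page. The sample policy is constructed from the question's own policy plus two extra statements; the use of re.ASCII for `\w` is an assumption, since the page does not say whether STS accepts non-ASCII word characters.

```python
import json
import re

# Pattern quoted verbatim in the STS ValidationError on this page:
#   Member must satisfy regular expression pattern: [\w+=,.@:\/-]*
# Anchored so the whole value must match. re.ASCII is an assumption:
# the page does not say whether STS's \w accepts non-ASCII letters.
STS_EXTERNAL_ID_RE = re.compile(r"^[\w+=,.@:/-]*$", re.ASCII)

# Condition operators whose values are literal IDs a caller would pass.
# StringLike (wildcards) and the negated operators are skipped on purpose:
# their values are not a single external ID anyone would send to AssumeRole.
LITERAL_OPERATORS = ("StringEquals", "StringEqualsIgnoreCase")


def find_unusable_external_ids(trust_policy):
    """Return [(statement_index, value, offending_chars), ...] for every
    sts:ExternalId literal in the trust policy that STS would reject."""
    policy = json.loads(trust_policy) if isinstance(trust_policy, str) else trust_policy
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be bare
        statements = [statements]
    findings = []
    for idx, stmt in enumerate(statements):
        for op, kv in stmt.get("Condition", {}).items():
            base_op = op.split(":")[-1]        # strip ForAnyValue:/ForAllValues:
            if base_op not in LITERAL_OPERATORS:
                continue
            for key, vals in kv.items():
                if key.lower() != "sts:externalid":   # condition keys are case-insensitive
                    continue
                if isinstance(vals, str):
                    vals = [vals]
                for v in vals:
                    if not STS_EXTERNAL_ID_RE.match(v):
                        bad = sorted({c for c in v if not STS_EXTERNAL_ID_RE.match(c)})
                        findings.append((idx, v, bad))
    return findings


# Constructed sample: the question's policy, plus one usable ID and one
# ID with other characters IAM accepts but the STS pattern does not.
SAMPLE_TRUST_POLICY = """{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::567890123456:root"]},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "something with a space"}}
        },
        {
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::567890123456:root"]},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "ok-id_123"}}
        },
        {
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::567890123456:root"]},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "id#with?hash"}}
        }
    ]
}"""

if __name__ == "__main__":
    for idx, value, bad in find_unusable_external_ids(SAMPLE_TRUST_POLICY):
        print(f"Statement[{idx}]: ExternalId {value!r} is unusable; "
              f"STS rejects characters {bad}")
```

Running this over the trust policies in an account before (or right after) they are deployed catches the case from the question, where the trust policy is accepted by IAM but no AssumeRole call can ever satisfy the condition. A role in that state is effectively dead for its intended cross-account caller, so the check belongs in the same place as other trust-policy linting (for example in a CI step that validates policy documents before `aws iam update-assume-role-policy` is run).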
-1

It does seem like there is a discrepancy between the IAM Role Trusted Entities' "External ID" condition and the STS service's validation of the "externalId" parameter.

As you noted, the IAM Role Trusted Entities' "External ID" condition allows spaces in the value, while the STS service requires that the "externalId" parameter satisfy a regular expression pattern that does not allow spaces.

While this may not be a bug per se, it does seem like a potential inconsistency in the AWS platform's behavior. I recommend reporting this to AWS Support, as they will be able to investigate this issue further and determine if any changes need to be made to address this discrepancy.

hash
answered a year ago
