SimulateCustomPolicy operation: Invalid Input Actions: [kms:Decrypt] and [kms:List*] require different authorization information


Getting "Invalid Input Actions" while making a SimulateCustomPolicy call with 2 KMS actions; it works fine if I pass 1 action at a time with the same resource ARNs and the same PolicyInputList.

Below are some variations I tried in action-names and resource-arns; it is weird that the multiple-action call is failing only for KMS. I have tried CloudWatch and SQS calls with multiple actions and resource ARNs and they work fine.

Failing:

aws iam simulate-custom-policy \
    --policy-input-list '{"Version":"2012-10-17","Statement": [.....]}' \
    --action-names kms:Decrypt kms:List* \
    --resource-arns arn:aws:kms:::key/abc arn:aws:kms:::key/xyz

Passed:

aws iam simulate-custom-policy \
    --policy-input-list '{"Version":"2012-10-17","Statement": [.....]}' \
    --action-names kms:List* \
    --resource-arns arn:aws:kms:::key/xyz arn:aws:kms:::key/abc

Passed:

aws iam simulate-custom-policy \
    --policy-input-list '{"Version":"2012-10-17","Statement": [.....]}' \
    --action-names kms:Decrypt \
    --resource-arns arn:aws:kms:::key/xyz arn:aws:kms:::key/abc

Manan
asked 2 years ago, 641 views
2 Answers

Hi,

Thank you for contacting us! I understand that you would like to simulate a custom policy to determine the policy's effective permissions evaluated against multiple actions and resources.

I confirm that you are able to use the 'simulate-custom-policy' CLI command on multiple actions and resources. The following sample command worked for me:

aws iam simulate-custom-policy \
    --policy-input-list '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"kms:*","Resource":"arn:aws:kms:us-east-1:<account-ID>:key/12345-6789-12345asdf-fghj-123455yz"}]}' \
    --action-names "kms:Decrypt" "kms:ListGrants" \
    --resource-arns "arn:aws:kms:us-east-1:<account-ID>:key/12345-6789-12345asdf-fghj-123455yz" "arn:aws:kms:us-east-1:<account-ID>:key/abcdef-6789-12345asdf-fghj-123455abcd"

Note the format I have used to include multiple action names and resources within double quotes.

This syntax for passing multiple action names and resources is also outlined in the following document under the --action-names and --resource-arns CLI options:

Please let us know if you need any further assistance. We'll be glad to assist!

AWS Support Engineer, answered 2 years ago

I think I found the issue: the policy has action names with a STAR, like kms:List* to include all the actions starting with List.

I have tried a few other combinations with other AWS services' actions (i.e. S3, CloudWatch, CloudFormation) and it seems to be the same issue. It only works when Resource is provided as *. If Resource has an ARN and the Action name has a STAR, it will fail.

Manan
answered 2 years ago
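One way to work around the behaviour Manan describes, added here as an example that is not part of the original thread: expand the wildcard action names locally against a known action list and hand SimulateCustomPolicy only concrete action names alongside the specific resource ARNs. KMS_ACTIONS is a constructed subset, StubIamClient is an offline stand-in for the boto3 IAM client, and the response fields used (EvaluationResults, EvalActionName, EvalResourceName, EvalDecision, IsTruncated, Marker) follow the SimulateCustomPolicy API.

```python
import fnmatch

# Constructed subset of KMS action names for this example; a real run should
# load the service's complete action list instead of hard-coding it.
KMS_ACTIONS = [
    "kms:Decrypt", "kms:Encrypt", "kms:DescribeKey", "kms:GenerateDataKey",
    "kms:ListAliases", "kms:ListGrants", "kms:ListKeyPolicies", "kms:ListKeys",
    "kms:ListResourceTags", "kms:ListRetirableGrants",
]

def expand_actions(patterns, known_actions):
    """Expand IAM action patterns such as 'kms:List*' into the concrete action
    names they match. IAM compares actions case-insensitively and allows '*'
    and '?', which fnmatch understands too. Order is kept, duplicates dropped,
    and a pattern matching nothing raises instead of simulating zero actions."""
    expanded = []
    for pattern in patterns:
        matches = [a for a in known_actions
                   if fnmatch.fnmatchcase(a.lower(), pattern.lower())]
        if not matches:
            raise ValueError(f"no known action matches {pattern!r}")
        for action in matches:
            if action not in expanded:
                expanded.append(action)
    return expanded

def simulate_expanded(client, policy_json, patterns, resource_arns, known_actions):
    """Run SimulateCustomPolicy with the wildcards pre-expanded, following the
    Marker pagination. Returns {(action, resource): decision}."""
    kwargs = {"PolicyInputList": [policy_json],
              "ActionNames": expand_actions(patterns, known_actions),
              "ResourceArns": list(resource_arns)}
    decisions = {}
    while True:
        resp = client.simulate_custom_policy(**kwargs)
        for r in resp["EvaluationResults"]:
            decisions[(r["EvalActionName"], r["EvalResourceName"])] = r["EvalDecision"]
        if not resp.get("IsTruncated"):
            return decisions
        kwargs["Marker"] = resp["Marker"]

class StubIamClient:
    """Offline stand-in for boto3's IAM client (constructed for this example):
    it allows exactly the actions in `allowed`, on every resource."""
    def __init__(self, allowed):
        self.allowed = {a.lower() for a in allowed}

    def simulate_custom_policy(self, **kwargs):
        results = [{"EvalActionName": a, "EvalResourceName": r,
                    "EvalDecision": "allowed" if a.lower() in self.allowed else "implicitDeny"}
                   for a in kwargs["ActionNames"] for r in kwargs["ResourceArns"]]
        return {"EvaluationResults": results, "IsTruncated": False}
```

Against a real account, pass `boto3.client("iam")` as `client` and the policy document as the JSON string; the stub only exists so the expansion and pagination logic can be exercised without credentials.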
