Bug #64189
opensts: CreateRole fails with MalformedPolicyDocument if policy document contains spaces
% Done: 0%
Source:
Tags: sts iam backport_processed
Backport: quincy reef
Regression: No
Severity: 3 - minor
Reviewed:
Description
calling create_role() in boto3 with the following policy:
    import json

    # iam_root is the boto3 IAM client used to make the call
    assume_role_policy = json.dumps({
        'Version': '2012-10-17',
        'Statement': [{
            'Effect': 'Allow',
            'Action': 'sts:AssumeRole',
            'Principal': {'AWS': 'arn:aws:iam::1234:user/Nobody'}
        }]
    })
    iam_root.create_role(RoleName='s3-tests-R1', Path='/', AssumeRolePolicyDocument=assume_role_policy)
fails with:
An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: At character offset 11, Invalid value.
debug logs of the POST data show it in url-encoded form:
2024-01-26T09:42:29.956-0500 7f1fea1f76c0 10 req 429955753714953901 0.000000000s Content of POST: Action=CreateRole&Version=2010-05-08&RoleName=s3-tests-R1&Path=%2F&AssumeRolePolicyDocument=%7B%22Version%22%3A+%222012-10-17%22%2C+%22Statement%22%3A+%5B%7B%22Effect%22%3A+%22Allow%22%2C+%22Action%22%3A+%22sts%3AAssumeRole%22%2C+%22Principal%22%3A+%7B%22AWS%22%3A+%22arn%3Aaws%3Aiam%3A%3A1234%3Auser%2FNobody%22%7D%7D%5D%7D
but policy parsing sees plus signs instead of spaces:
2024-01-26T09:42:29.956-0500 7f1fea1f76c0 5 req 429955753714953901 0.000000000s iam:create_role failed to parse policy '{"Version":+"2012-10-17",+"Statement":+[{"Effect":+"Allow",+"Action":+"sts:AssumeRole",+"Principal":+{"AWS":+"arn:aws:iam::1234:user/Nobody"}}]}' with: At character offset 11, Invalid value.
all of the existing CreateRole test cases in s3-tests are sending policies without any spaces, presumably to work around this bug
for PutUserPolicy, RGWPutUserPolicy::get_params() calls url_decode() again with in_query=true to fix the spaces:
policy = url_decode(s->info.args.get("PolicyDocument"), true);
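
The failure in the report can be reproduced outside RGW. The following is an added example, not code from the report or from Ceph: it decodes the POST body from the debug log once with percent-decoding only and once with the form rule that maps '+' to a space, then parses the policy as JSON. The helper names and the `a%2Bb+c` sample are constructed for illustration; the sample shows why the '+' mapping has to happen in the same pass as percent-decoding.

```python
import json
from urllib.parse import unquote, unquote_plus

# POST body copied from the debug log in the report above.
POST_BODY = (
    "Action=CreateRole&Version=2010-05-08&RoleName=s3-tests-R1&Path=%2F"
    "&AssumeRolePolicyDocument=%7B%22Version%22%3A+%222012-10-17%22%2C+"
    "%22Statement%22%3A+%5B%7B%22Effect%22%3A+%22Allow%22%2C+%22Action%22"
    "%3A+%22sts%3AAssumeRole%22%2C+%22Principal%22%3A+%7B%22AWS%22%3A+"
    "%22arn%3Aaws%3Aiam%3A%3A1234%3Auser%2FNobody%22%7D%7D%5D%7D"
)


def decode_field(body, name, plus_as_space):
    """Return one form field, decoded with or without the '+' -> ' ' rule."""
    decode = unquote_plus if plus_as_space else unquote
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        if decode(key) == name:
            return decode(value)
    raise KeyError(name)


def parse_policy(body, plus_as_space):
    """Return (policy, None) on success or (None, error offset) on failure."""
    raw = decode_field(body, "AssumeRolePolicyDocument", plus_as_space)
    try:
        return json.loads(raw), None
    except json.JSONDecodeError as err:
        return None, err.pos


def decode_in_two_passes(value):
    """Percent-decode first, then map '+' to ' ' in a later pass."""
    return unquote(value).replace("+", " ")


if __name__ == "__main__":
    print(parse_policy(POST_BODY, plus_as_space=False))
    print(parse_policy(POST_BODY, plus_as_space=True))
    # Constructed value: the literal string "a+b c" as a form encoder sends it.
    sample = "x=a%2Bb+c"
    print(repr(decode_field(sample, "x", True)))       # single pass keeps the '+'
    print(repr(decode_in_two_passes("a%2Bb+c")))       # later pass loses it
```

Without the '+' rule the parse stops at offset 11, the same offset as in the RGW error message.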