test assumed role (#3621)

kddejong · web-flow · commit a34f16cb37fd · 2024-08-27T09:17:48.000-07:00
diff --git a/src/cfnlint/data/schemas/other/iam/policy.json b/src/cfnlint/data/schemas/other/iam/policy.json
@@ -28,6 +28,9 @@
     {
      "pattern": "^arn:(aws|aws-cn|aws-us-gov):iam::\\d{12}:(?:root|user|group|role)"
     },
+    {
+     "pattern": "^arn:(aws|aws-cn|aws-us-gov):sts::\\d{12}:assumed-role"
+    },
     {
      "pattern": "^arn:(aws|aws-cn|aws-us-gov):iam::cloudfront:user/.+$"
     }
diff --git a/test/unit/rules/resources/iam/test_resource_policy.py b/test/unit/rules/resources/iam/test_resource_policy.py
@@ -224,3 +224,29 @@ def test_principal_wildcard(self):
             )
         )
         self.assertListEqual(errs, [])
+
+    def test_assumed_role(self):
+        validator = CfnTemplateValidator({}).evolve(
+            context=Context(functions=FUNCTIONS)
+        )
+
+        policy = {
+            "Version": "2012-10-17",
+            "Statement": [
+                {
+                    "Effect": "Allow",
+                    "Action": "*",
+                    "Resource": "arn:aws:s3:::bucket",
+                    "Principal": {
+                        "AWS": "arn:aws:sts::123456789012:assumed-role/rolename/rolesessionname"
+                    },
+                },
+            ],
+        }
+
+        errs = list(
+            self.rule.validate(
+                validator=validator, policy=policy, schema={}, policy_type=None
+            )
+        )
+        self.assertListEqual(errs, [])

Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,9 @@`
`28`	`28`	`{`
`29`	`29`	`"pattern": "^arn:(aws\|aws-cn\|aws-us-gov):iam::\\d{12}:(?:root\|user\|group\|role)"`
`30`	`30`	`},`
	`31`	`+ {`
	`32`	`+ "pattern": "^arn:(aws\|aws-cn\|aws-us-gov):sts::\\d{12}:assumed-role"`
	`33`	`+ },`
`31`	`34`	`{`
`32`	`35`	`"pattern": "^arn:(aws\|aws-cn\|aws-us-gov):iam::cloudfront:user/.+$"`
`33`	`36`	`}`