IAM fuctions missing name path parameter

[cp10000]

Describe the bug

Several aws cli IAM functions, like put-policy and others, are missing the usual "path" parameter for policy name, role name, group name, ....etc. A complete review to correct this is required. Note that some functions like create-policy or create-role already have the path parameter. But it's not consistent across all IAM functions and it should be.

Expected Behavior

All aws cli IAM functions that pass policy name or/and role name and/or group name should have a corresponding "path" parameter. It's essential for proper use of IAM.

Current Behavior

Function aws iam put-policy (and several other functions) is missing the "path" parameter.

Reproduction Steps

aws iam put-policy help

Possible Solution

No response

Additional Information/Context

No response

CLI version used

2.9.12

Environment details (OS name and version, etc.)

ubuntu 18.04

[tim-finnigan]

Hi @cp10000 thanks for reaching out. Here is documentation on IAM paths for reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-friendly-names

Rather than use the put-* commands to update the path, have you tried using the update-* commands? For example, commands such as update-group have a --new-path parameter that you can use to update the path.

I hope that helps, please let us know if you have any follow up questions.

[cp10000]

In response to your reply to my bug report, I don't think you understood my bug report.    I will try to be more explicit here. As you know, the IAM functions take an optional path parameter for the policy name, role name, group name, ...etc.  The path parameter defaults to "/" when it's not specified.  For some programmers like me, using a path is very useful.    So I use a path parameter in my design. The problem arises when some IAM functions that take either a policy/role/group name as parameter do not also offer an path parameter for the name.  If a policy name has a path, then it's necessary to specify the path in order for the function to find this policy.   I tested this behavior myself. It is surprising to me that the IAM team did not provide a path parameter whenever a name is passed as parameter. NOTE:  The Python BOTO3 library offers a path parameter along with the name for policy, role and group.  So BOTO3 does support a path whenever a name is required. On Thursday, January 5, 2023 at 05:17:18 p.m. EST, Tim Finnigan ***@***.***> wrote: Hi @cp10000 thanks for reaching out. Here is documentation on IAM paths for reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-friendly-names Rather than use the put-* commands to update the path, have you tried using the update-* commands? For example, commands such as update-group have a --new-path parameter that you can use to update the path. I hope that helps, please let us know if you have any follow up questions. — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you were mentioned.Message ID: ***@***.***>

[tim-finnigan]

Hi @cp10000 thanks for following up. Which specific boto3 commands are you using? The service API functionality between boto3 and the AWS CLI should be consistent. If you're requesting new IAM API functionality, then that request would need to get redirected to the IAM team as they own their service API models which are used across AWS SDKs. We recommend reaching out through AWS Support to escalate requests such as those, but we can also forward them on your behalf. Please let us know.

[github-actions]

Greetings! It looks like this issue hasn’t been active in longer than five days. We encourage you to check if this is still an issue in the latest release. In the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or upvote with a reaction on the initial post to prevent automatic closure. If the issue is already closed, please feel free to open a new one.

[cp10000]

Hello Tim!   This is my third time trying to explain the problem that should be easy to understand.    Let me give it another try. When creating either an IAM policy or IAM role or IAM group or IAM instance-profile, we have the option to pass it a "path" parameter.    The path complements the name parameter and both path+name form the full name identity.    This is similar to a path+file name in a storage system. Any IAM function that takes a name (for policy, role, group, instant-profile or others) should also take a matching path.   THE PROBLEM is that many AWS CLI IAM functions DO NOT have a MATCHING PATH parameter  that would go along with the name of the item.   That is the problem. The path parameter defaults to '/', but if you specify a path other than the default, you have no way of specifying the path in many AWS CLI functions.    I tested it out.   It's a major bug! On Sunday, January 15, 2023 at 05:03:07 p.m. EST, github-actions[bot] ***@***.***> wrote: Greetings! It looks like this issue hasn’t been active in longer than five days. We encourage you to check if this is still an issue in the latest release. In the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or upvote with a reaction on the initial post to prevent automatic closure. If the issue is already closed, please feel free to open a new one. — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you were mentioned.Message ID: ***@***.***>

[tim-finnigan]

Thanks for following up and explaining the issue further — my apologies for not understanding the problem. I'm going to transfer this issue to our cross-SDK repository and escalate it to the IAM team for further review and feedback, as service teams like IAM own their API definitions.

You can see the IAM service API model definitions here in botocore: https://github.com/boto/botocore/blob/develop/botocore/data/iam/2010-05-08/service-2.json. (Both the AWS CLI and boto3 rely on botocore models, which is why I mentioned that the functionality should be consistent between the CLI and boto3.)

If there is any more information you'd like me to pass along to the IAM team please let me know, such as which specific methods you need the --path parameter for and why you can't use the --new-path parameter for update-* commands. (P79227206)

[tim-finnigan]

Checking in again — if functionality is supported in Boto3 then it should generally also work with the CLI, as both the AWS CLI and Boto3 use the same models in Botocore. We haven't received any more details or customer reports of the issue here. For any future investigations please clarify which API(s) you are referring to (https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html) and how you are blocked with the existing behavior.

[github-actions]

This issue is now closed.

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.