
fix(stepfunctions-tasks): scope down BatchSubmitJob permissions to specific job definition#37480

Status: Open. syukawa-gh wants to merge 6 commits into aws:main from syukawa-gh:fix/sfn-batch-submit-job-permissions

Conversation

@syukawa-gh (Contributor)

Closes #37214
The SubmitBatchJob task was granting batch:SubmitJob on all job definitions (job-definition/*). Now uses the specific jobDefinitionArn when available.
Exemption Request: IAM policy change, covered by existing unit tests.

…ecific job definition

The SubmitBatchJob task was granting batch:SubmitJob on all job
definitions (job-definition/*). Now uses the specific jobDefinitionArn
when available, falling back to wildcard only when JsonPath/Jsonata
expressions are used.

Closes aws#37214
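As an added example, not code from this PR or from aws-cdk, the scoping rule stated in the description and commit message, together with a check a defender can run over synthesized policy statements to find grants that still use job-definition/*. The helper names, the expression-detection regex and every ARN below are assumptions, not values from the PR.

```typescript
// Added example, not code from the aws-cdk PR. It mirrors the scoping rule
// the PR describes: grant batch:SubmitJob on the specific job definition
// when its ARN is known at synth time, and fall back to job-definition/*
// only when the value is a JsonPath/JSONata expression resolved at run time.
// It also lints synthesized statements for the over-broad grant. All ARNs
// below are constructed samples with a placeholder account id.

interface PolicyStatement {
  Effect: "Allow" | "Deny";
  Action: string[];
  Resource: string[];
}

// Hypothetical helper: a value is only known at run time if it is a
// JsonPath ("$.x", "$$.Execution.Id"), an intrinsic ("States.Format(...)")
// or a JSONata expression ("{% ... %}").
function isRuntimeExpression(value: string): boolean {
  const v = value.trim();
  return v.startsWith("$") || /^States\.\w+\(/.test(v) || (v.startsWith("{%") && v.endsWith("%}"));
}

// Builds the statement the task's role needs. batch:SubmitJob is also
// authorized against the job queue, so that ARN is always included.
function submitJobStatement(jobDefinitionArn: string, jobQueueArn: string, wildcardJobDefArn: string): PolicyStatement {
  const jobDef = isRuntimeExpression(jobDefinitionArn) ? wildcardJobDefArn : jobDefinitionArn;
  return { Effect: "Allow", Action: ["batch:SubmitJob"], Resource: [jobDef, jobQueueArn] };
}

// Defender-side check over a synthesized template's statements: returns the
// ones that still allow batch:SubmitJob on every job definition.
function findWildcardSubmitJob(statements: PolicyStatement[]): PolicyStatement[] {
  return statements.filter(s =>
    s.Effect === "Allow" &&
    s.Action.includes("batch:SubmitJob") &&
    s.Resource.some(r => /:job-definition\/\*$/.test(r)));
}

// Constructed sample inputs (placeholder account id).
const ACCOUNT = "111111111111";
const JOB_DEF_ARN = `arn:aws:batch:us-east-1:${ACCOUNT}:job-definition/render-frames:3`;
const JOB_QUEUE_ARN = `arn:aws:batch:us-east-1:${ACCOUNT}:job-queue/default`;
const WILDCARD_JOB_DEF = `arn:aws:batch:us-east-1:${ACCOUNT}:job-definition/*`;

const scoped = submitJobStatement(JOB_DEF_ARN, JOB_QUEUE_ARN, WILDCARD_JOB_DEF);
const dynamic = submitJobStatement("$.jobDefinitionArn", JOB_QUEUE_ARN, WILDCARD_JOB_DEF);
console.log(findWildcardSubmitJob([scoped, dynamic]).length); // 1: only the run-time case stays wide
```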
@github-actions github-actions bot added effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p1 labels Apr 1, 2026
@aws-cdk-automation aws-cdk-automation requested a review from a team April 1, 2026 10:25
@github-actions github-actions bot added the admired-contributor [Pilot] contributed between 13-24 PRs to the CDK label Apr 1, 2026
@aws-cdk-automation (Collaborator) left a comment

The pull request linter fails with the following errors:

❌ Fixes must contain a change to an integration test file and the resulting snapshot.

If you believe this pull request should receive an exemption, please comment and provide a justification. A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed, add Clarification Request to a comment.

✅ An exemption request has been requested. Please wait for a maintainer's review.

@syukawa-gh (Contributor, Author)

Exemption Request: This fix scopes down BatchSubmitJob IAM permissions to the specific job definition ARN. Unit tests are included. Integration test snapshot update is needed — will add.

@aws-cdk-automation aws-cdk-automation added the pr-linter/exemption-requested The contributor has requested an exemption to the PR Linter feedback. label Apr 2, 2026
@syukawa-gh (Contributor, Author)

Correction to my previous comment: After reviewing the diff more carefully, this PR needs unit tests to be added. I will update this PR with the required tests. The Exemption Request above should be disregarded for the unit test requirement.

@aws-cdk-automation aws-cdk-automation added the pr/needs-further-review PR requires additional review from our team specialists due to the scope or complexity of changes. label Apr 2, 2026
@syukawa-gh (Contributor, Author)

To clarify my earlier comments: unit tests are already included in this PR. The "Correction" comment above was posted in error. The exemption request is for the integration test only — this is an IAM policy scope-down change, and the unit test verifies the correct resource ARNs in the generated policy statement.

@github-actions (Contributor) commented Apr 7, 2026

⚠️ Experimental Feature: This security report is currently in an experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merging from main to avoid findings unrelated to the PR.


Tests: Security Guardian Results. Passed ✅: 24 ran, 24 passed. Skipped: none reported. Failed: none reported.
Test result: No test annotations available

@github-actions (Contributor) commented Apr 7, 2026

⚠️ Experimental Feature: This security report is currently in an experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merging from main to avoid findings unrelated to the PR.


Tests: Security Guardian Results with resolved templates. Passed ✅: 24 ran, 24 passed. Skipped: none reported. Failed: none reported.
Test result: No test annotations available


Labels

admired-contributor: [Pilot] contributed between 13-24 PRs to the CDK
effort/small: Small work item – less than a day of effort
feature-request: A feature should be added or improved.
p1
pr/needs-further-review: PR requires additional review from our team specialists due to the scope or complexity of changes.
pr/needs-maintainer-review: This PR needs a review from a Core Team Member
pr-linter/exemption-requested: The contributor has requested an exemption to the PR Linter feedback.


Development

Successfully merging this pull request may close these issues.

(aws-stepfunctions-tasks): Tighter permissions in SubmitBatchJob

3 participants