
fix: scope dependent actions to matching resource types instead of wildcard #588

Merged
kmcquade merged 3 commits into salesforce:master from raajheshkannaa:feat/fix-dependent-action-wildcard
Apr 13, 2026

Conversation

@raajheshkannaa
Contributor

Fixes #382

  • When adding dependent actions to a SID group, the code unconditionally used * as the resource ARN
  • Now checks whether the dependent action supports the same resource type as the primary action
  • If it does, the dependent action reuses the specific ARN instead of falling back to wildcard
  • This prevents overly broad permissions when the dependent action can be scoped to the same resource

@salesforce-cla

Thanks for the contribution! Before we can merge this, we need @raajheshkannaa to sign the Salesforce Inc. Contributor License Agreement.

@raajheshkannaa
Contributor Author

I have signed the CLA. Please re-check.

…e resource type

When generating policies, dependent actions like kms:PutKeyPolicy were
always added with Resource: '*' even when they support the same ARN type
as the primary action. This grants broader permissions than necessary.

Now, before defaulting a dependent action to wildcard, we check if it
supports the same resource type as the primary action. If it does, the
action is added to the same SID with the specific ARN constraint. Actions
that are wildcard-only or from a different service still get Resource: '*'.

Fixes salesforce#382
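The scoping rule described in the PR description and the commit message above, as an added illustration written for this page; it is not policy_sentry's own implementation. The `ACTION_TABLE` is a constructed stand-in for the IAM action database: `kms:PutKeyPolicy` is the dependent action named in the commit message, and every `*Example*` action, the ARN and the SID naming are hypothetical and exist only to exercise the three branches (same resource type, wildcard-only, different service).

```python
from dataclasses import dataclass
import json


@dataclass(frozen=True)
class ActionInfo:
    """Constructed stand-in for one IAM action's metadata."""
    service: str
    resource_types: frozenset        # resource types the action can be scoped to; empty = wildcard-only
    dependent_actions: tuple = ()    # actions that must accompany this one


# Constructed sample table. kms:PutKeyPolicy is the dependent action named in the
# commit message; every *Example* entry is hypothetical and exists only to exercise
# one branch of the scoping rule.
ACTION_TABLE = {
    "kms:ExamplePrimary": ActionInfo(
        "kms", frozenset({"key"}),
        ("kms:PutKeyPolicy", "kms:ExampleListOnly", "iam:ExampleDependent"),
    ),
    "kms:PutKeyPolicy": ActionInfo("kms", frozenset({"key"})),       # same service, same resource type
    "kms:ExampleListOnly": ActionInfo("kms", frozenset()),           # same service, wildcard-only
    "iam:ExampleDependent": ActionInfo("iam", frozenset({"role"})),  # different service
}

# Constructed ARN (placeholder account id and key id).
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"


def legacy_dependent_resource(primary, dependent, resource_type, arn, table=ACTION_TABLE):
    """Behaviour before the fix: every dependent action was granted on '*'."""
    return "*"


def dependent_resource(primary, dependent, resource_type, arn, table=ACTION_TABLE):
    """Behaviour after the fix: reuse the primary action's ARN when the dependent
    action lives in the same service and supports the same resource type;
    otherwise fall back to '*'."""
    p = table[primary]
    d = table.get(dependent)
    if d is None or d.service != p.service:
        return "*"                       # unknown or foreign-service action: wildcard
    if resource_type in d.resource_types:
        return arn                       # scoped to the same resource as the primary action
    return "*"                           # wildcard-only action


def build_statements(primary, resource_type, arn, table=ACTION_TABLE):
    """Group the primary action and its dependents into IAM statements:
    one SID carrying the specific ARN, and a wildcard SID only if needed."""
    scoped, wildcard = [primary], []
    for dep in table[primary].dependent_actions:
        if dependent_resource(primary, dep, resource_type, arn, table) == arn:
            scoped.append(dep)
        else:
            wildcard.append(dep)
    service = table[primary].service
    statements = [{
        "Sid": f"{service.capitalize()}{resource_type.capitalize()}",  # illustrative SID naming
        "Effect": "Allow",
        "Action": scoped,
        "Resource": [arn],
    }]
    if wildcard:
        statements.append({"Sid": "WildcardDependents", "Effect": "Allow",
                           "Action": wildcard, "Resource": ["*"]})
    return statements


if __name__ == "__main__":
    print(json.dumps(build_statements("kms:ExamplePrimary", "key", KEY_ARN), indent=2))
```

Running the module prints two statements: the primary action and `kms:PutKeyPolicy` share the key ARN, while the wildcard-only and cross-service dependents land in a separate `Resource: "*"` statement. With `legacy_dependent_resource` in place of `dependent_resource`, all three dependents would be granted on `*`, which is the over-broad grant the PR removes.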
@raajheshkannaa force-pushed the feat/fix-dependent-action-wildcard branch from 8f989be to 356ef07 on April 8, 2026 12:45
@kmcquade
Collaborator

kmcquade commented Apr 8, 2026

@gruebel I'm good with this, how about you?

@kmcquade kmcquade merged commit cd20623 into salesforce:master Apr 13, 2026
10 checks passed

Development

Successfully merging this pull request may close these issues.

Dependent actions allow broader permissions with wildcard