iam-policy-validator 1.15.0__py3-none-any.whl → 1.15.1__py3-none-any.whl

{iam_policy_validator-1.15.0.dist-info → iam_policy_validator-1.15.1.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: iam-policy-validator
-Version: 1.15.0
+Version: 1.15.1
 Summary: Validate AWS IAM policies for correctness and security using AWS Service Reference API
 Project-URL: Homepage, https://github.com/boogy/iam-policy-validator
 Project-URL: Documentation, https://boogy.github.io/iam-policy-validator

{iam_policy_validator-1.15.0.dist-info → iam_policy_validator-1.15.1.dist-info}/RECORD

@@ -1,6 +1,6 @@
 iam_validator/__init__.py,sha256=xHdUASOxFHwEXfT_GSr_KrkLlnxZ-pAAr1wW1PwAGko,693
 iam_validator/__main__.py,sha256=to_nz3n_IerJpVVZZ6WSFlFR5s_06J0csfPOTfQZG8g,197
-iam_validator/__version__.py,sha256=nBQw8c9_j3cm0AjlGzltWfPi7BYKIJlC0VQImhHNMGQ,374
+iam_validator/__version__.py,sha256=3sYnVKt3REhH-Klaa8pLaSXpDxcV1dV0Se9CjHHE4Nc,374
 iam_validator/checks/__init__.py,sha256=wFU5Lz-ZIQBcn2y1u0Kl88B--vEO3btOOaTGPPSjJ74,2106
 iam_validator/checks/action_condition_enforcement.py,sha256=2-XUMbof9tQ7SHZNmAHMkR1DgbOIzY2eFWlp9S9dwLk,60625
 iam_validator/checks/action_resource_matching.py,sha256=qND0hfDgNoxFEdLWwrxOPVDfdj3k50nzedT2qF7nK7o,19428
@@ -64,10 +64,10 @@ iam_validator/core/aws_service/fetcher.py,sha256=TqaCp6yKOEXCJdcQIFVBB5RW0pxLMOm
 iam_validator/core/aws_service/parsers.py,sha256=gJzR7HCD8ItCWCCbguTQIZpPEdj2rdMwC7LPhu7ve14,5174
 iam_validator/core/aws_service/patterns.py,sha256=gGc55Tn-EJ3cmcWtmYAZROUajKYz7DaMchYWGEhHpC0,1726
 iam_validator/core/aws_service/storage.py,sha256=A98ui_THAyZ86ik-t6HWB22vOqwmbFklG10uhdf26p4,10881
-iam_validator/core/aws_service/validators.py,sha256=qWMB4iQi9Oc0SGXOJVrlyjnsMwmPlqhUaywyRL4d-hM,19385
+iam_validator/core/aws_service/validators.py,sha256=d2nGuy4NifbBiKbLIFHxP-wZctYDtK4qniSdq3l8-T0,21574
 iam_validator/core/config/__init__.py,sha256=CWSyIA7kEyzrskEenjYbs9Iih10BXRpiY9H2dHg61rU,2671
 iam_validator/core/config/aws_api.py,sha256=HLIzOItQ0A37wxHcgWck6ZFO0wmNY8JNTiWMMK6JKYU,1248
-iam_validator/core/config/aws_global_conditions.py,sha256=Ny20rnwp0OGxW8NdrHw8d3Lv3wh8YbL5vCIFQw7ZQh4,8006
+iam_validator/core/config/aws_global_conditions.py,sha256=WQjR8z1Mhc8H874CnzwEMvKOz9rCifBNUltvo0oFYbM,7894
 iam_validator/core/config/category_suggestions.py,sha256=fopaZ9kXDrsLgi_r0pERrLwgdPPJl5VIiKvXtQK9tj0,8583
 iam_validator/core/config/check_documentation.py,sha256=-wK6-wfU7SEHX3h2Jj5pOFqgxD9ULW-NvEkSVp_66WA,18718
 iam_validator/core/config/condition_requirements.py,sha256=1CeQJfWV-Y2ImW0Mq9YdrgvH-hj9IXe0gVOm3B36Rc8,10655
@@ -112,8 +112,8 @@ iam_validator/utils/__init__.py,sha256=NveA2F3G1E6-ANZzFr7J6Q6u5mogvMp862iFokmYu
 iam_validator/utils/cache.py,sha256=wOQKOBeoG6QqC5f0oXcHz63Cjtu_-SsSS-0pTSwyAiM,3254
 iam_validator/utils/regex.py,sha256=xHoMECttb7qaMhts-c9b0GIxdhHNZTt-UBr7wNhWfzg,6219
 iam_validator/utils/terminal.py,sha256=FsRaRMH_JAyDgXWBCOgOEhbS89cs17HCmKYoughq5io,724
-iam_policy_validator-1.15.0.dist-info/METADATA,sha256=CkJmAGo-FcnQ0qpEb0_EDjNcbKRzTErYiIic3gUyHD8,34808
-iam_policy_validator-1.15.0.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
-iam_policy_validator-1.15.0.dist-info/entry_points.txt,sha256=VXAcx1evo9fuxX0Gtj3J2HnzWcBHSXugiZwBtQ1BXE0,162
-iam_policy_validator-1.15.0.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
-iam_policy_validator-1.15.0.dist-info/RECORD,,
+iam_policy_validator-1.15.1.dist-info/METADATA,sha256=5U2vmBBtv-GXPRTflISPL-sOmq_kT9aWlDdOBsfbMnI,34808
+iam_policy_validator-1.15.1.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
+iam_policy_validator-1.15.1.dist-info/entry_points.txt,sha256=VXAcx1evo9fuxX0Gtj3J2HnzWcBHSXugiZwBtQ1BXE0,162
+iam_policy_validator-1.15.1.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
+iam_policy_validator-1.15.1.dist-info/RECORD,,

iam_validator/__version__.py

@@ -3,7 +3,7 @@
 This file is the single source of truth for the package version.
 """
 
-__version__ = "1.15.0"
+__version__ = "1.15.1"
 # Parse version, handling pre-release suffixes like -rc, -alpha, -beta
 _version_base = __version__.split("-", maxsplit=1)[0]  # Remove pre-release suffix if present
 __version_info__ = tuple(int(part) for part in _version_base.split("."))

iam_validator/core/aws_service/validators.py

@@ -243,22 +243,30 @@ class ServiceValidator:
             _, action_name = self._parser.parse_action(action)
 
             # Check if it's a global condition key
+            # Note: Some aws: prefixed keys like aws:RequestTag/* and aws:ResourceTag/* are NOT
+            # global keys - they're action-specific or resource-specific. We'll check those later.
             is_global_key = False
             if condition_key.startswith("aws:"):
                 global_conditions = get_global_conditions()
                 if global_conditions.is_valid_global_key(condition_key):
                     is_global_key = True
-                else:
-                    return ConditionKeyValidationResult(
-                        is_valid=False,
-                        error_message=f"Invalid AWS global condition key: `{condition_key}`.",
-                    )
+                # If not a global key, continue to check action/resource-specific keys
+                # Don't return an error yet - aws:RequestTag, aws:ResourceTag are action-specific
 
             # Check service-specific condition keys (with pattern matching for tag keys)
-            if service_detail.condition_keys and condition_key_in_list(
-                condition_key, list(service_detail.condition_keys.keys())
-            ):
-                return ConditionKeyValidationResult(is_valid=True)
+            # IMPORTANT: aws:RequestTag and aws:ResourceTag patterns in service-level keys
+            # are NOT universally valid for all actions. Skip them here - they'll be checked
+            # at action/resource level.
+            if service_detail.condition_keys:
+                # Check if it matches service-level keys, but exclude RequestTag/ResourceTag
+                if condition_key_in_list(condition_key, list(service_detail.condition_keys.keys())):
+                    # If it's RequestTag or ResourceTag, don't return valid here - check action/resource level
+                    if not (
+                        condition_key.startswith("aws:RequestTag/")
+                        or condition_key.startswith("aws:ResourceTag/")
+                    ):
+                        return ConditionKeyValidationResult(is_valid=True)
+                    # For RequestTag/ResourceTag, continue to check action/resource level
 
             # Check action-specific condition keys
             if action_name in service_detail.actions:
@@ -298,8 +306,26 @@ class ServiceValidator:
             if is_global_key:
                 return ConditionKeyValidationResult(is_valid=True)
 
-            # Short error message
-            error_msg = f"Condition key `{condition_key}` is not valid for action `{action}`"
+            # If we reach here, the condition key was not found in any valid location
+            # Check if it's an aws: prefixed key that's not global - provide specific error
+            if condition_key.startswith("aws:"):
+                # Special handling for aws:RequestTag and aws:ResourceTag patterns
+                if condition_key.startswith("aws:RequestTag/"):
+                    error_msg = (
+                        f"Condition key `{condition_key}` is not supported by action `{action}`. "
+                        f"The `aws:RequestTag/${{TagKey}}` condition is only supported by actions that "
+                        f"create or modify resources with tags. This action does not support tag operations."
+                    )
+                elif condition_key.startswith("aws:ResourceTag/"):
+                    error_msg = (
+                        f"Condition key `{condition_key}` is not supported by the resources used by action `{action}`. "
+                        f"The `aws:ResourceTag/${{TagKey}}` condition is only supported by resources that have tags."
+                    )
+                else:
+                    error_msg = f"Invalid AWS condition key: `{condition_key}`. This key is not a valid global condition key and is not supported by action `{action}`."
+            else:
+                # Short error message for non-aws: keys
+                error_msg = f"Condition key `{condition_key}` is not valid for action `{action}`"
 
             # Collect valid condition keys for this action
             valid_keys: set[str] = set()

iam_validator/core/config/aws_global_conditions.py

@@ -85,17 +85,13 @@ GLOBAL_RESOURCE_SCOPING_CONDITION_KEYS = frozenset(
 )
 
 # Patterns that should be recognized (wildcards and tag-based keys)
-# These allow things like aws:RequestTag/Department or aws:PrincipalTag/Environment
+# IMPORTANT: aws:RequestTag and aws:ResourceTag are NOT global condition keys!
+# They are action-specific or resource-specific and must be explicitly listed in
+# the action's ActionConditionKeys or the resource's ConditionKeys.
+# Only aws:PrincipalTag is a true global condition key.
+#
 # Uses centralized tag key character class from constants
 AWS_CONDITION_KEY_PATTERNS = [
-    {
-        "pattern": rf"^aws:RequestTag/[{AWS_TAG_KEY_ALLOWED_CHARS}]+$",
-        "description": "Tag keys in the request (for tag-based access control)",
-    },
-    {
-        "pattern": rf"^aws:ResourceTag/[{AWS_TAG_KEY_ALLOWED_CHARS}]+$",
-        "description": "Tags on the resource being accessed",
-    },
     {
         "pattern": rf"^aws:PrincipalTag/[{AWS_TAG_KEY_ALLOWED_CHARS}]+$",
         "description": "Tags attached to the principal making the request",