
[AWS::ServiceCatalog::Portfolio] - [BUG] - Issue with handling principals with IAM paths

Open amisfari opened this issue 2 months ago • 0 comments

Name of the resource

AWS::ServiceCatalog::Portfolio

Resource Name

No response

Issue Description

When using AWS::ServiceCatalog::PortfolioPrincipalAssociation with IAM principals that have a path, CloudFormation successfully creates the association but fails to delete it during stack deletion, causing stack deletion to fail with the error: "DELETE_FAILED Portfolio port-abcd still has associated Principals".

Template used for issue replication:

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  ServiceCatalogRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: SCTestRole
      Path: /test/
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: servicecatalog.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/ReadOnlyAccess

  TestPortfolio:
    Type: AWS::ServiceCatalog::Portfolio
    Properties:
      DisplayName: TestPortfolio
      ProviderName: TestProvider
      Description: Test portfolio

  TestProduct:
    Type: AWS::ServiceCatalog::CloudFormationProduct
    Properties:
      Name: TestProduct
      Owner: TestOwner
      ProvisioningArtifactParameters:
        - Name: v1.0
          Info:
            LoadTemplateFromURL: https://s3.amazonaws.com/cloudformation-templates-us-east-1/S3_Bucket.template
          Type: CLOUD_FORMATION_TEMPLATE

  ProductAssociation:
    Type: AWS::ServiceCatalog::PortfolioProductAssociation
    Properties:
      PortfolioId: !Ref TestPortfolio
      ProductId: !Ref TestProduct

  PrincipalAssociation:
    Type: AWS::ServiceCatalog::PortfolioPrincipalAssociation
    Properties:
      PortfolioId: !Ref TestPortfolio
      PrincipalARN: !Sub 'arn:aws:iam::${AWS::AccountId}:role/SCTestRole'
      PrincipalType: IAM
```

However, when using Principals without IAM paths, disassociation and deletion of resources go seamlessly.

The only workaround for now is to manually detach the principal or use custom resources.

Expected Behavior

Expecting the disassociation operation to succeed the same way as for Principals with IAM paths.

Observed Behavior

Stack deletion fails with: Resource handler returned message: "Portfolio port-abcd still has associated Principals (Service: AWSServiceCatalog; Status Code: 400; Error Code: ResourceInUseException;

Test Cases

Pass the following role as a principal: "arn:aws:iam::ACCOUNT_ID:role/test/SCTestRole" instead of "arn:aws:iam::ACCOUNT_ID:role/SCTestRole".

Other Details

No response

amisfari, Nov 21 '25 13:11
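A pre-deletion helper for the manual-detach workaround mentioned in the issue, added here as an example and not code from the issue, the reporter or AWS: it pages through a portfolio's principals and disassociates those whose ARN carries a non-root IAM path, so the stack's portfolio delete can then succeed. The `FakeServiceCatalog` stand-in, the `port-abcd` id and the account number are constructed; with a real `boto3.client("servicecatalog")` the same two API calls apply.

```python
import re

# Matches IAM role/user ARNs and captures the path between the resource type
# and the final name: "/" for arn:...:role/SCTestRole, "/test/" for role/test/SCTestRole.
IAM_PRINCIPAL_ARN = re.compile(
    r"^arn:aws[a-z-]*:iam::\d{12}:(?:role|user)(?P<path>/(?:[^/]+/)*)(?P<name>[^/]+)$"
)


def has_custom_path(principal_arn: str) -> bool:
    """True when the principal sits under an IAM path other than the root "/"."""
    m = IAM_PRINCIPAL_ARN.match(principal_arn)
    return bool(m) and m.group("path") != "/"


def list_portfolio_principals(sc, portfolio_id: str) -> list:
    """Collect every page of ListPrincipalsForPortfolio (boto3 Service Catalog client API)."""
    principals, token = [], None
    while True:
        kwargs = {"PortfolioId": portfolio_id}
        if token:
            kwargs["PageToken"] = token
        resp = sc.list_principals_for_portfolio(**kwargs)
        principals.extend(resp.get("Principals", []))
        token = resp.get("NextPageToken")
        if not token:
            return principals


def detach_path_principals(sc, portfolio_id: str) -> list:
    """Disassociate principals with a non-root IAM path; return the ARNs detached."""
    detached = []
    for p in list_portfolio_principals(sc, portfolio_id):
        if has_custom_path(p["PrincipalARN"]):
            sc.disassociate_principal_from_portfolio(
                PortfolioId=portfolio_id,
                PrincipalARN=p["PrincipalARN"],
                PrincipalType=p.get("PrincipalType", "IAM"),
            )
            detached.append(p["PrincipalARN"])
    return detached


class FakeServiceCatalog:
    """Constructed offline stand-in exposing the two calls used above (single page)."""

    def __init__(self, principals):
        self.principals = list(principals)

    def list_principals_for_portfolio(self, PortfolioId, PageToken=None):
        return {"Principals": list(self.principals)}  # no NextPageToken: one page

    def disassociate_principal_from_portfolio(self, PortfolioId, PrincipalARN, PrincipalType):
        self.principals = [p for p in self.principals if p["PrincipalARN"] != PrincipalARN]
        return {}
```

Run `detach_path_principals(sc, "port-abcd")` right before the stack delete; only the `/test/` role is touched and principals at the root path are left for CloudFormation to disassociate itself.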