fix: enhance error messaging and improve resource selection in PAM components

- Updated error message in AWS IAM resource factory to include the PAM role ARN for better debugging. - Added functionality to clear the search input when a value is selected in the ResourceSelect component, improving user experience. - Refactored AwsIamAccountForm to fetch PAM resource details based on account or provided resourceId and resourceType, ensuring accurate role ARN usage in trust policy.
2026-01-09 07:28:09 -05:00 · 2025-12-08 14:28:05 -03:00
parent d09849d9dc
commit 2e4a1acd03
3 changed files with 27 additions and 14 deletions
--- a/backend/src/ee/services/pam-resource/aws-iam/aws-iam-resource-factory.ts
+++ b/backend/src/ee/services/pam-resource/aws-iam/aws-iam-resource-factory.ts
@@ -62,8 +62,7 @@ export const awsIamResourceFactory: TPamResourceFactory<TAwsIamResourceConnectio

      if (!isValid) {
        throw new BadRequestError({
-          message:
-            "Unable to assume the target role. Verify the target role ARN and ensure the PAM role has permission to assume it."
+          message: `Unable to assume the target role. Verify the target role ARN and ensure the PAM role (ARN: ${connectionDetails.roleArn}) has permission to assume it.`
        });
      }

--- a/frontend/src/pages/pam/PamAccountsPage/components/PamAccountForm/AwsIamAccountForm.tsx
+++ b/frontend/src/pages/pam/PamAccountsPage/components/PamAccountForm/AwsIamAccountForm.tsx
@@ -16,7 +16,12 @@ import {
 } from "@app/components/v2";
 import { CopyButton } from "@app/components/v2/CopyButton";
 import { useProject } from "@app/context";
-import { PamResourceType, TAwsIamAccount } from "@app/hooks/api/pam";
+import {
+  PamResourceType,
+  TAwsIamAccount,
+  TAwsIamResource,
+  useGetPamResourceById
+} from "@app/hooks/api/pam";

 import { GenericAccountFields, genericAccountFieldsSchema } from "./GenericAccountFields";

@@ -51,16 +56,27 @@ const formSchema = genericAccountFieldsSchema.extend({

 type FormData = z.infer<typeof formSchema>;

-export const AwsIamAccountForm = ({ account, onSubmit }: Props) => {
+export const AwsIamAccountForm = ({ account, resourceId, resourceType, onSubmit }: Props) => {
  const isUpdate = Boolean(account);
  const { projectId } = useProject();

+  const resourceIdToFetch = account?.resourceId || resourceId;
+  const resourceTypeToFetch = account?.resource?.resourceType || resourceType;
+  const { data: resource } = useGetPamResourceById(resourceTypeToFetch, resourceIdToFetch, {
+    enabled: !!resourceIdToFetch && !!resourceTypeToFetch
+  });
+
+  const pamRoleArn =
+    (resource?.resourceType === PamResourceType.AwsIam &&
+      (resource as TAwsIamResource).connectionDetails?.roleArn) ||
+    "arn:aws:iam::<YOUR_ACCOUNT_ID>:role/<YOUR_PAM_ROLE_NAME>";
+
  const targetRoleTrustPolicy = `{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
-      "AWS": "arn:aws:iam::<YOUR_ACCOUNT_ID>:role/<YOUR_PAM_ROLE_NAME>"
+      "AWS": "${pamRoleArn}"
    },
    "Action": "sts:AssumeRole",
    "Condition": {
@@ -166,16 +182,12 @@ export const AwsIamAccountForm = ({ account, onSubmit }: Props) => {
                </pre>
              </div>
              <p className="text-xs text-mineshaft-400">
-                <strong>Note:</strong> Replace{" "}
-                <code className="rounded bg-mineshaft-700 px-1">&lt;YOUR_ACCOUNT_ID&gt;</code> with
-                your AWS account ID and{" "}
-                <code className="rounded bg-mineshaft-700 px-1">&lt;YOUR_PAM_ROLE_NAME&gt;</code>{" "}
-                with the name of the PAM role you created in the &quot;Resources&quot; tab. The
-                External ID{" "}
+                <strong>Note:</strong> The Principal role ARN shown above is from the PAM Resource
+                selected for this account. The External ID{" "}
                <code className="rounded bg-mineshaft-700 px-1 font-bold">{projectId}</code> is your
-                current project ID. If this target role name doesn&apos;t match the wildcard pattern
-                in your PAM role&apos;s permissions policy, you&apos;ll need to update that policy
-                to include this role&apos;s ARN.
+                current project ID. If your target role name doesn&apos;t match the wildcard pattern
+                in your PAM Resource&apos;s role&apos;s permissions policy, you&apos;ll need to
+                update that policy to include this role&apos;s ARN.
              </p>
            </AccordionContent>
          </AccordionItem>
--- a/frontend/src/pages/pam/PamAccountsPage/components/ResourceSelect.tsx
+++ b/frontend/src/pages/pam/PamAccountsPage/components/ResourceSelect.tsx
@@ -80,6 +80,8 @@ export const ResourceSelect = ({ onSubmit, projectId }: Props) => {
                      return;
                    }

+                    // Clear search when a value is selected so the selected label is shown
+                    setSearch("");
                    onChange(newValue);
                  }}
                  isLoading={isPending}