[GH-ISSUE #111] Decrease false positive findings for waiter extraction in Go and Python #97

Open
opened 2026-03-07 19:41:59 +03:00 by kerem · 0 comments
Owner

Originally created by @mschlaipfer on GitHub (Jan 21, 2026).
Original GitHub issue: https://github.com/awslabs/iam-policy-autopilot/issues/111

Take for example the `dms` waiter `EndpointDeleted`:

We currently generate false positives during the fallback waiter extraction using the waiter creation. We look up `EndpointDeleted` in `create_synthetic_calls_internal` in the `waiters_lookup`
https://github.com/awslabs/iam-policy-autopilot/blob/63f953c124cd884c6b927c7c04f5bb8f302c325e/iam-policy-autopilot-policy-generation/src/extraction/go/waiter_extractor.rs#L240

Both `dms` and `sagemaker` have such a waiter. `dms`'s operation is `DescribeEndpoints`, `sagemaker`'s is `DescribeEndpoint`.

`DescribeEndpoint` furthermore also exists in other services. We end up with two `SdkMethodCall`s, where the `sagemaker` one has multiple possible services populated here:
https://github.com/awslabs/iam-policy-autopilot/blob/63f953c124cd884c6b927c7c04f5bb8f302c325e/iam-policy-autopilot-policy-generation/src/extraction/go/disambiguation.rs#L59-L60

We might not be able to know which of the two findings based on the initial `EndpointDeleted` lookup is correct, but we know that the only possible services can be `dms` and `sagemaker` because of the particular waiter extraction logic that was applied which led to the operation being added. We must not populate the `possible_services` with any further services.

Furthermore, we have been conservative with import-based filtering, which leads to import-based filtering not applying:
https://github.com/awslabs/iam-policy-autopilot/blob/63f953c124cd884c6b927c7c04f5bb8f302c325e/iam-policy-autopilot-policy-generation/src/extraction/go/disambiguation.rs#L70-L74

Related issue: https://github.com/awslabs/iam-policy-autopilot/issues/110

We currently have to resolve the waiter to an operation during extraction, and run through the "regular" disambiguation pipeline linked to above. We might specialize this logic if we knew that we extracted a waiter.
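The scoping problem described in this issue, as an added example that is not the project's code: it contrasts resolving a waiter through the operation-wide service lookup with a waiter-aware resolution that only considers services defining the waiter. `Call`, the two index types, and all function names are hypothetical; `other-a` and `other-b` are placeholders for the unnamed services that also have `DescribeEndpoint`; narrowing by imports when one matches is an assumption.

```rust
use std::collections::{BTreeSet, HashMap};

// Hypothetical stand-in for the project's SdkMethodCall; field names are assumptions.
#[derive(Debug)]
struct Call { operation: &'static str, possible_services: BTreeSet<&'static str> }

type WaiterIndex = HashMap<&'static str, Vec<(&'static str, &'static str)>>; // waiter -> (service, operation)
type OpIndex = HashMap<&'static str, Vec<&'static str>>; // operation -> services

// Constructed sample data; "other-a"/"other-b" are placeholder service names.
fn sample() -> (WaiterIndex, OpIndex) {
    let waiters = HashMap::from([("EndpointDeleted",
        vec![("dms", "DescribeEndpoints"), ("sagemaker", "DescribeEndpoint")])]);
    let ops = HashMap::from([
        ("DescribeEndpoints", vec!["dms"]),
        ("DescribeEndpoint", vec!["sagemaker", "other-a", "other-b"]),
    ]);
    (waiters, ops)
}

// Behaviour the issue describes: the operation-wide lookup fills possible_services.
fn via_operation(waiter: &str, w: &WaiterIndex, o: &OpIndex) -> Vec<Call> {
    w.get(waiter).into_iter().flatten().map(|&(_, op)| Call {
        operation: op,
        possible_services: o.get(op).into_iter().flatten().copied().collect(),
    }).collect()
}

// Waiter-aware variant: only services that define the waiter are candidates.
// Assumption: if any candidate service is imported, keep only the imported ones.
fn waiter_aware(waiter: &str, w: &WaiterIndex, imports: &[&str]) -> Vec<Call> {
    let all = w.get(waiter).cloned().unwrap_or_default();
    let hit: Vec<_> = all.iter().copied().filter(|(s, _)| imports.contains(s)).collect();
    let kept = if hit.is_empty() { all } else { hit };
    kept.into_iter()
        .map(|(svc, op)| Call { operation: op, possible_services: BTreeSet::from([svc]) }).collect()
}

// Every service named across the findings, i.e. where IAM actions could be emitted.
fn services(calls: &[Call]) -> BTreeSet<&'static str> {
    calls.iter().flat_map(|c| c.possible_services.iter().copied()).collect()
}

fn main() {
    let (w, o) = sample();
    println!("operation-wide: {:?}", via_operation("EndpointDeleted", &w, &o));
    println!("waiter-aware:   {:?}", waiter_aware("EndpointDeleted", &w, &["dms"]));
}
```

With no matching import both candidates are kept, so the result stays conservative while never naming a service that lacks the waiter.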
