[GH-ISSUE #118] Simplify `is_arn` validation in fix-access-denied workflow #99

New issue

Open

opened 2026-03-07 19:41:59 +03:00 by kerem · 0 comments

kerem commented

2026-03-07 19:41:59 +03:00

Owner

Originally created by @mschlaipfer on GitHub (Jan 23, 2026).
Original GitHub issue: https://github.com/awslabs/iam-policy-autopilot/issues/118

See discussion in https://github.com/awslabs/iam-policy-autopilot/pull/104#discussion_r2718113307.

ARNs can have values other than an account ID in the account part, such as aws (which we already added), but seemingly also other values like cloudfront. We should not play whack-a-mole to support all special cases, and instead just require non-emptiness.

Originally created by @mschlaipfer on GitHub (Jan 23, 2026). Original GitHub issue: https://github.com/awslabs/iam-policy-autopilot/issues/118 See discussion in https://github.com/awslabs/iam-policy-autopilot/pull/104#discussion_r2718113307. ARNs can have values other than an account ID in the account part, such as `aws` (which we already added), but seemingly also other values like `cloudfront`. We should not play whack-a-mole to support all special cases, and instead just require non-emptiness.