Attaching Managed Policy to Role failing
Note: for support questions, please first reference our documentation, then use Stackoverflow. This repository's issues are intended for feature requests and bug reports.
I’m submitting a …
- 🪲 bug report
- 🚀 feature request
- 📚 construct library gap
- ☎️ security issue or vulnerability => Please see policy
- ❓ support request => Please see note at the top of this template.
What is the current behavior? If the current behavior is a 🪲bug🪲: Please provide the steps to reproduce
Attaching a managed policy to a Role. In 1.1.0 there is a method `fromAwsManagedPolicyName`. It takes a single parameter: the managed policy name. In previous versions there was a method `attachManagedPolicy` which took the ARN of the managed policy.

In 1.1.0:

```ts
import { ManagedPolicy } from '@aws-cdk/aws-iam';

// buildRole is an existing iam.Role defined earlier in the stack
// attach managed policy to role
const managedPolicy = ManagedPolicy.fromAwsManagedPolicyName("MyManagedPolicy");
buildRole.addManagedPolicy(managedPolicy);
```
I get the following error:

```
Policy arn:aws:iam::aws:policy/MyManagedPolicy does not exist or is not attachable.
(Service: AmazonIdentityManagement; Status Code: 404; Error Code: NoSuchEntity; Request ID: 7c2ebbde-ac71-11e9-89dd-879d24923f1f)
```
I can see that the arn for the managed policy is constructed in this method - and is missing the account reference.
In the CDK code:
https://github.com/aws/aws-cdk/blob/master/packages/%40aws-cdk/aws-iam/lib/managed-policy.ts
```ts
import { IResolveContext, Lazy, Stack } from '@aws-cdk/core';

// excerpt from the ManagedPolicy class in managed-policy.ts
public static fromAwsManagedPolicyName(managedPolicyName: string): IManagedPolicy {
  class AwsManagedPolicy implements IManagedPolicy {
    public readonly managedPolicyArn = Lazy.stringValue({
      produce(ctx: IResolveContext) {
        return Stack.of(ctx.scope).formatArn({
          service: "iam",
          region: "", // no region for managed policy
          account: "aws", // the account for a managed policy is 'aws'
          resource: "policy",
          resourceName: managedPolicyName
        });
      }
    });
  }
  return new AwsManagedPolicy();
}
```
I can see from the error message and reading the CDK code that the account in the arn is set to `aws` - not the correct account number:
- What is the expected behavior (or behavior of feature suggested)?
Using the example above: `managedPolicyArn` should be set to `arn:aws:iam::12345678987654:policy/MyManagedPolicy`, not `arn:aws:iam::aws:policy/MyManagedPolicy` (current behaviour). In this way the Managed Policy will be correctly identified.
- What is the motivation / use case for changing the behavior or adding this feature?
To allow managed policies to be assigned to a role. This is a feature we have previously used to manage our codebuild projects.
Please tell us about your environment:
- CDK CLI Version: 1.1.0
- Module Version: 1.1.0
- OS: Windows 10 , Ubuntu
- Language: TypeScript
Other information (e.g. detailed explanation, stacktraces, related issues, suggestions how to fix, links for us to have context, eg. associated pull-request, stackoverflow, gitter, etc)
Top GitHub Comments
I had a similar issue but mine was caused by not adding the `service-role/` prefix.
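The two ARN shapes from the report and the path-prefix point from the comment above, as an added TypeScript example that is not CDK code: it rebuilds the ARN the way the quoted `formatArn` call does (account `aws` is the pseudo-account under which AWS-managed policies are published; a policy created in your own account carries that account id instead) and classifies an ARN by owner so a mismatch can be caught before deployment. The 12-digit account id and the `service-role/` policy name are constructed placeholders.

```typescript
// Added example, not aws-cdk code. Builds IAM managed-policy ARNs the way the
// quoted formatArn call does and classifies them by owner, so the ARN the CDK
// produced and the ARN the reporter expected can be compared side by side.

type PolicyOwner = "aws-managed" | "customer-managed" | "invalid";

interface ManagedPolicyArnParts {
  partition?: string; // defaults to "aws", as formatArn does in a default stack
  account: string;    // "aws" for AWS-managed policies, else the 12-digit account id
  policyName: string; // may carry a path prefix such as "service-role/"
}

// Same layout as the issue's formatArn call: service iam, empty region,
// resource "policy", resource name appended after "/".
function formatManagedPolicyArn(parts: ManagedPolicyArnParts): string {
  const partition = parts.partition || "aws";
  return `arn:${partition}:iam::${parts.account}:policy/${parts.policyName}`;
}

// Reads the account field back out of a managed-policy ARN. Anything that is
// not a managed-policy ARN, or whose account field is neither "aws" nor a
// 12-digit id, is reported as invalid rather than silently passed through.
function classifyManagedPolicyArn(arn: string): PolicyOwner {
  const m = /^arn:[a-z-]+:iam::([^:]*):policy\/(.+)$/.exec(arn);
  if (m === null) return "invalid";
  const account = m[1];
  if (account === "aws") return "aws-managed";
  if (/^\d{12}$/.test(account)) return "customer-managed";
  return "invalid";
}

// The ARN fromAwsManagedPolicyName produced for the report's policy name ...
const ACTUAL_ARN = formatManagedPolicyArn({ account: "aws", policyName: "MyManagedPolicy" });
// ... and the ARN the reporter expected; the account id is a constructed placeholder.
const EXPECTED_ARN = formatManagedPolicyArn({ account: "123456789012", policyName: "MyManagedPolicy" });
// The comment's case: an AWS-managed policy under the service-role/ path, so the
// name passed in must carry the prefix (policy name is a constructed placeholder).
const SERVICE_ROLE_ARN = formatManagedPolicyArn({ account: "aws", policyName: "service-role/MyServicePolicy" });

// True when an ARN from one owner class was handed to a lookup for the other,
// which is the mismatch behind the NoSuchEntity error in the report.
function ownersDiffer(a: string, b: string): boolean {
  return classifyManagedPolicyArn(a) !== classifyManagedPolicyArn(b);
}
```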