[custom-resources] allow for no policy to be specified


I do not have the ability to modify roles and the CDK assumes I do for an AwsCustomResource. I can specify the execution role for the custom resource Lambda, but I have to specify a policy, and cdk deploy fails for me because I don’t have access to modify the execution role with the new policy. I would expect for policy to be optional if role is specified. I am in a corporate setting where permissions are “locked down” and roles exist but cannot be modified.

Reproduction Steps

```ts
// Imports for the CDK v1 packages the snippet refers to (CDK 1.90.0 at the time of the issue).
import * as CDK from '@aws-cdk/core';
import * as CR from '@aws-cdk/custom-resources';
import * as IAM from '@aws-cdk/aws-iam';
import * as Lambda from '@aws-cdk/aws-lambda';
import * as S3 from '@aws-cdk/aws-s3';

export class ExistingS3BucketEventSource extends CDK.Construct {
  constructor(scope: CDK.Construct, id: string, props: S3NotificationLambdaProps) {
    super(scope, id);

    new CR.AwsCustomResource(scope, id + 'CustomResource', {
      onCreate: {
        ...
      },
      onDelete: {
        ...
      },
      policy: CR.AwsCustomResourcePolicy.fromStatements([]), // I don't want this! Also specifying no statements doesn't work!
      role: props.role // I want permissions from here!
    });

    // Let S3 invoke the target function for bucket notifications.
    props.lambda.addPermission('AllowS3Invocation', {
      action: 'lambda:InvokeFunction',
      principal: new IAM.ServicePrincipal('s3.amazonaws.com'),
      sourceArn: props.bucket.bucketArn
    });
  }
}

export interface S3NotificationLambdaProps {
  role: IAM.IRole;          // pre-existing, locked-down execution role for the custom resource
  bucket: S3.IBucket;
  lambda: Lambda.IFunction;
  events: string[];
  prefix: string;
}
```

What did you expect to happen?

I do not want to modify the execution role.

What actually happened?

The execution role is modified.

Environment

  • CDK CLI Version: 1.90.0 (build 7edba31)
  • Framework Version: 1.90.0
  • Node.js Version: v12.18.3
  • OS: Catalina 10.15.7
  • Language (Version): TypeScript (3.8.3)

Other


This is 🐛 Bug Report

Issue Analytics

  • State: closed
  • Created: 3 years ago
  • Reactions: 3
  • Comments: 9 (6 by maintainers)

Top GitHub Comments

2 reactions
jacobsnapp commented, May 17, 2021

I guess I don’t mind that field being optional.

In the meantime, you can use role.withoutPolicyUpdates() (or call Role.fromRoleName(..., { mutable: false })) to prevent your existing role from being attempted to be updated.

@rix0rrr - I have used Role.from_role_arn( ..., mutable=False) and role.without_policy_updates() with no luck (in Python). AwsCustomResource does not seem to respect the immutable role and always adds duplicate inline policies.

1 reaction
haslam22 commented, Jun 10, 2022

Experiencing the same problem. I need to provide an immutable role to AwsCustomResource which already has the correct permissions to do what I want. I’m not allowed to update an IAM role with a new policy in my corporate environment.

No workaround available as far as I can see, it always tries to attach a policy if role is defined: aws-custom-resource.ts#L409
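The issue body and haslam22's comment describe the same exposure: once a role is supplied, the construct still emits an AWS::IAM::Policy attached to that role, and a deployer who is not allowed to modify the role only finds out when cdk deploy fails. The audit below is an added example, not code from the CDK project or from anyone in this thread: it inspects a synthesized CloudFormation template (the embedded template is constructed, and the account ID and role name in it are placeholders) and flags inline policies that target roles the deployer is not permitted to change, so the check can run after `cdk synth` and gate `cdk deploy`.

```typescript
// Added example, not code from the CDK project or the issue thread. Audits a
// synthesized CloudFormation template (`cdk synth` output) for AWS::IAM::Policy
// resources that would be attached to roles the deployer is not allowed to modify,
// so the problem surfaces before `cdk deploy` instead of as a deploy-time failure.
// The template below is constructed; the account ID and role name are placeholders.

type CfnResource = { Type: string; Properties?: { [key: string]: unknown } };
export type CfnTemplate = { Resources: { [logicalId: string]: CfnResource } };

export interface PolicyFinding {
  logicalId: string;   // logical ID of the AWS::IAM::Policy resource
  roleRefs: string[];  // roles it would be attached to, rendered as strings
  actions: string[];   // IAM actions the policy document grants
}

// Imported role ARNs may be wrapped in nested Fn::Select / Fn::Split intrinsics;
// walk the intrinsic and return the first "arn:" string literal found.
function findArnLeaf(node: unknown): string | undefined {
  if (typeof node === 'string') return node.indexOf('arn:') === 0 ? node : undefined;
  if (!node || typeof node !== 'object') return undefined;
  const children: unknown[] = Array.isArray(node)
    ? node
    : Object.keys(node).map(k => (node as { [k: string]: unknown })[k]);
  for (const child of children) {
    const hit = findArnLeaf(child);
    if (hit) return hit;
  }
  return undefined;
}

// One entry of a policy's Roles list: a literal name, {Ref: ...} to a role defined
// in the same template, or an imported ARN buried in intrinsics.
function roleRefToString(ref: unknown): string {
  if (typeof ref === 'string') return ref;
  if (ref && typeof ref === 'object') {
    const obj = ref as { [key: string]: unknown };
    if (typeof obj['Ref'] === 'string') return 'Ref:' + obj['Ref'];
    const arn = findArnLeaf(obj);
    if (arn) return arn;
  }
  return JSON.stringify(ref);
}

export function findInlinePolicies(tpl: CfnTemplate): PolicyFinding[] {
  const findings: PolicyFinding[] = [];
  for (const logicalId of Object.keys(tpl.Resources)) {
    const res = tpl.Resources[logicalId];
    if (res.Type !== 'AWS::IAM::Policy') continue;
    const props = res.Properties || {};
    const doc = props['PolicyDocument'] as { Statement?: Array<{ Action?: string | string[] }> } | undefined;
    const actions: string[] = [];
    for (const s of (doc && doc.Statement) || []) {
      if (typeof s.Action === 'string') actions.push(s.Action);
      else if (s.Action) actions.push(...s.Action);
    }
    findings.push({ logicalId, roleRefs: ((props['Roles'] as unknown[]) || []).map(roleRefToString), actions });
  }
  return findings;
}

// A role reference matches a protected role when it is the bare name, the full ARN,
// or an ARN ending in "/<name>".
function matchesProtected(roleRef: string, protectedRole: string): boolean {
  const suffix = '/' + protectedRole;
  return roleRef === protectedRole || roleRef.slice(-suffix.length) === suffix;
}

export function policiesOnProtectedRoles(tpl: CfnTemplate, protectedRoles: string[]): PolicyFinding[] {
  return findInlinePolicies(tpl).filter(f =>
    f.roleRefs.some(r => protectedRoles.some(p => matchesProtected(r, p))));
}

// Returns a process exit code: 1 if any policy targets a protected role, else 0.
export function audit(tpl: CfnTemplate, protectedRoles: string[]): number {
  const hits = policiesOnProtectedRoles(tpl, protectedRoles);
  for (const h of hits) {
    console.error(h.logicalId + ': would attach [' + h.actions.join(', ') + '] to protected role ' + h.roleRefs.join(', '));
  }
  return hits.length === 0 ? 0 : 1;
}

// Constructed sample: a custom-resource policy attached to an imported role through
// Fn::Select/Fn::Split, plus an unrelated helper role with its own default policy to
// show that only protected roles are flagged. ARN and account are placeholders.
const IMPORTED_ROLE_ARN = 'arn:aws:iam::111111111111:role/locked-down-cr-role';
export const SAMPLE_TEMPLATE: CfnTemplate = {
  Resources: {
    CustomResourcePolicy: {
      Type: 'AWS::IAM::Policy',
      Properties: {
        PolicyDocument: { Version: '2012-10-17', Statement: [{ Effect: 'Allow', Action: ['s3:PutBucketNotification'], Resource: '*' }] },
        PolicyName: 'CustomResourcePolicy',
        Roles: [{ 'Fn::Select': [1, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', IMPORTED_ROLE_ARN] }] }] }] }],
      },
    },
    HelperRole: { Type: 'AWS::IAM::Role', Properties: { AssumeRolePolicyDocument: { Version: '2012-10-17', Statement: [] } } },
    HelperRoleDefaultPolicy: {
      Type: 'AWS::IAM::Policy',
      Properties: {
        PolicyDocument: { Version: '2012-10-17', Statement: [{ Effect: 'Allow', Action: 'logs:PutLogEvents', Resource: '*' }] },
        PolicyName: 'HelperRoleDefaultPolicy',
        Roles: [{ Ref: 'HelperRole' }],
      },
    },
  },
};

export const PROTECTED_ROLES = ['locked-down-cr-role'];
export const SAMPLE_EXIT_CODE = audit(SAMPLE_TEMPLATE, PROTECTED_ROLES); // 1: the custom resource policy hits the locked-down role
```

In practice the template would be read from `cdk.out/<stack>.template.json` and the protected role list would come from whatever the platform team publishes; the non-zero return from `audit` is what a CI step would use to stop the deploy. Only `AWS::IAM::Policy` (inline policies) is checked, because that is the resource type this thread is about; managed-policy attachments are out of scope here.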
