
Role.addManagedPolicy does not work for imported roles


Inconsistent Behavior: aws_iam.Role.attachManagedPolicy vs aws_iam.ManagedPolicy.attachToRole

The Scenario

TL;DR: aws_iam.Role.attachManagedPolicy does not attach the specified managed policy to the role; aws_iam.ManagedPolicy.attachToRole does.

I have two stacks: one stack deploys roles, another deploys an application stack (both are in the same account). The roles stack is deployed first.

In the application stack, I would like to attach a managed policy to a role in the first.

Attempting to use aws_iam.Role.attachManagedPolicy does not create the association, but aws_iam.ManagedPolicy.attachToRole does.

Environment

  • CDK CLI Version: 1.39.0 (build 5d727c1)
  • Module Version: 1.38.0
  • Node.js Version: v14.0.0
  • OS: macOS Mojave 10.14.6 (18G4032)
  • Language: Typescript and Python

Other information

Steps to reproduce

  1. Deploy one stack with an IAM role
  2. In a second stack, create a managed policy
  3. In the second stack, import the role using aws_iam.Role.fromRoleArn (importedRole)
  4. In the second stack, attempt to add the managed policy to importedRole via importedRole.attachManagedPolicy

Observed

  1. cdk synth does not show any associations made between the role and the managed policy
  2. Using ManagedPolicy.attachToRole works, however

Expected

  1. cdk synth (and subsequently cdk deploy) should associate the role and managed policy when Role.attachManagedPolicy is used
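A check for the Observed step above, added here as an example and not code from the issue or the CDK project: it parses the CloudFormation template that cdk synth writes and lists the role/managed-policy associations it actually contains, so a silently dropped attachment is caught before cdk deploy. The embedded template and the names FOO, BAZ, AppRole and SOME_ROLE_NAME are constructed placeholders.

```python
import json

# Constructed sample of a synthesized template (placeholder names, not from the issue).
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        # ManagedPolicy.attachToRole(importedRole): the role name appears under Roles.
        "FOO": {"Type": "AWS::IAM::ManagedPolicy",
                "Properties": {"ManagedPolicyName": "FOO", "Roles": ["SOME_ROLE_NAME"],
                               "PolicyDocument": {"Version": "2012-10-17", "Statement": []}}},
        # importedRole.addManagedPolicy(policy): no association is emitted at all.
        "BAZ": {"Type": "AWS::IAM::ManagedPolicy",
                "Properties": {"ManagedPolicyName": "BAZ",
                               "PolicyDocument": {"Version": "2012-10-17", "Statement": []}}},
        # A role defined in the same stack that references FOO by Ref.
        "AppRole": {"Type": "AWS::IAM::Role",
                    "Properties": {"AssumeRolePolicyDocument": {},
                                   "ManagedPolicyArns": [{"Ref": "FOO"}]}},
    }
})


def _key(entry):
    """Normalise a Roles/ManagedPolicyArns entry: plain name or ARN, a Ref target,
    or (for other intrinsics such as Fn::Select) its canonical JSON text."""
    if isinstance(entry, str):
        return entry
    if isinstance(entry, dict) and "Ref" in entry:
        return entry["Ref"]
    return json.dumps(entry, sort_keys=True)


def role_policy_pairs(template_json):
    """Return the set of (role, policy) associations visible in the template, read from
    both AWS::IAM::ManagedPolicy.Roles and AWS::IAM::Role.ManagedPolicyArns."""
    template = json.loads(template_json)
    pairs = set()
    for logical_id, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::IAM::ManagedPolicy":
            for role in props.get("Roles", []):
                pairs.add((_key(role), logical_id))
        elif res.get("Type") == "AWS::IAM::Role":
            for arn in props.get("ManagedPolicyArns", []):
                pairs.add((logical_id, _key(arn)))
    return pairs


def is_attached(template_json, role, policy):
    """True if `policy` (logical id or ARN) is associated with `role` (name or logical id)."""
    return (role, policy) in role_policy_pairs(template_json)
```

Run it against cdk.out/<StackName>.template.json after cdk synth; a policy that was only added via Role.addManagedPolicy on an imported role will not appear in any pair.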

Issue Analytics

  • State: open
  • Created: 3 years ago
  • Reactions: 3
  • Comments: 9 (3 by maintainers)

Top GitHub Comments

jayhilden commented, Nov 19, 2021 (3 reactions)

The workaround I found is below. It’s not perfect, but it’s pretty good:

  1. define the policy statement(s)
  2. create the managed policy with that policy statement
  3. attach the policy statement to the imported role.

Example

```typescript
import { Effect, ManagedPolicy, PolicyStatement, Role } from '@aws-cdk/aws-iam';

// 1. Define the policy statement(s) once so the same statement is reused below.
const statement = new PolicyStatement({
    effect: Effect.ALLOW,
    actions: ['execute-api:Invoke'],
    resources: [
        //SOME RESOURCE
    ]
});

// 2. Create the managed policy from that statement.
this.cloudAuthAccessPolicy = new ManagedPolicy(this, 'FOO', {
    managedPolicyName: 'FOO',
    description: "BAR",
    statements: [
        statement
    ]
});

// 3. Import the existing role and attach the statement to it directly;
//    addToPolicy() on the imported role is emitted by cdk synth.
const role = Role.fromRoleArn(this, `name`, `arn:aws:iam::${props.account}:role/SOME_ROLE_NAME`);
role.addToPolicy(statement);
```

OperationalFallacy commented, Nov 23, 2020 (2 reactions)

Just ran into this bug, trying to configure some policies for roles managed outside of the cdk app 😢
