Role.addManagedPolicy does not work for imported roles
Inconsistent Behavior: aws_iam.Role.attachManagedPolicy vs aws_iam.ManagedPolicy.attachToRole
The Scenario
TL;DR: aws_iam.Role.attachManagedPolicy does not attach the specified managed policy to the role; aws_iam.ManagedPolicy.attachToRole does.
I have two stacks: one deploys roles, the other deploys an application (both are in the same account). The roles stack is deployed first.
In the application stack, I would like to attach a managed policy to a role from the first.
Attempting to use aws_iam.Role.attachManagedPolicy does not create the association, but aws_iam.ManagedPolicy.attachToRole does.
Environment
- CDK CLI Version: 1.39.0 (build 5d727c1)
- Module Version: 1.38.0
- Node.js Version: v14.0.0
- OS: macOS Mojave 10.14.6 (18G4032)
- Language: Typescript and Python
Other information
Steps to reproduce
- Deploy one stack with an IAM role
- In a second stack create a managed policy
- In the second stack, import the role using aws_iam.Role.fromRoleArn (importedRole)
- In the second stack, attempt to add the managed policy to importedRole via importedRole.attachManagedPolicy
Observed
- cdk synth does not show any association between the role and the managed policy
- Using ManagedPolicy.attachToRole works, however
Expected
- cdk synth (and subsequently cdk deploy) should associate the role and managed policy when Role.attachManagedPolicy is used
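Because attaching to an imported role can leave the synthesized template without any attachment at all, a check over the `cdk synth` output before deploy catches the silent no-op. This is an added example, not code from the issue or from the CDK project; the template below is a constructed stand-in for the JSON that cdk synth writes, and the role and logical-ID names are placeholders.

```python
import json

# Constructed sample of a `cdk synth` template for the second stack (not from the issue):
# one customer managed policy attached to the imported role via ManagedPolicy.attachToRole,
# and one local role that received the same policy via Role.addManagedPolicy.
SYNTH_TEMPLATE = json.loads("""{
  "Resources": {
    "AppPolicy1A2B": {"Type": "AWS::IAM::ManagedPolicy", "Properties": {
      "PolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]},
      "Roles": ["example-imported-role"]}},
    "LocalRole3C4D": {"Type": "AWS::IAM::Role", "Properties": {
      "RoleName": "example-local-role",
      "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": []},
      "ManagedPolicyArns": [{"Ref": "AppPolicy1A2B"}]}}
  }
}""")

def _role_name(entry, resources):
    """Resolve one Roles-list entry to a role name; intrinsic functions on token ARNs are skipped."""
    if isinstance(entry, str):
        return entry
    if isinstance(entry, dict) and "Ref" in entry:
        return resources.get(entry["Ref"], {}).get("Properties", {}).get("RoleName")
    return None

def policies_attached_to(template, role_name):
    """Logical IDs (or literal ARNs) of policies the template attaches to role_name, in either
    direction: a policy's Roles list, or a Role resource's ManagedPolicyArns."""
    resources = template.get("Resources", {})
    found = set()
    for logical_id, res in resources.items():
        props = res.get("Properties", {})
        if res.get("Type") in ("AWS::IAM::ManagedPolicy", "AWS::IAM::Policy"):
            if any(_role_name(e, resources) == role_name for e in props.get("Roles", [])):
                found.add(logical_id)
        elif res.get("Type") == "AWS::IAM::Role" and props.get("RoleName") == role_name:
            for arn in props.get("ManagedPolicyArns", []):
                found.add(arn["Ref"] if isinstance(arn, dict) and "Ref" in arn else str(arn))
    return sorted(found)

def check_attached(template, role_name):
    """Fail loudly instead of deploying a template that silently lacks the attachment."""
    hits = policies_attached_to(template, role_name)
    if not hits:
        raise AssertionError(f"no policy attaches to role {role_name!r}; an imported role has no "
                             "AWS::IAM::Role resource here, so Role.addManagedPolicy on it was a no-op")
    return hits

if __name__ == "__main__":
    print(check_attached(SYNTH_TEMPLATE, "example-imported-role"))  # ['AppPolicy1A2B']
```

Run it against the real template under cdk.out after synth; an imported role only ever shows up in a policy's Roles list, never as a Role resource, which is why the second branch finds nothing for it.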
Related result from across the web
AWS CDK - Role.addManagedPolicy does not work for ...
It's not a bug. CDK cannot change imported resources, so this operation will be a no-op. From the docs: Although you can use...
Top GitHub Comments
The workaround I found is below. It’s not perfect, but it’s pretty good:
Example
Just ran into this bug, trying to configure some policies for roles managed outside of the cdk app 😢