[s3-deployment] BucketDeployment not reading role from Role.fromRoleArn
Role.fromRoleArn has no effect when provided to BucketDeployment via props
Issue
Instantiating BucketDeployment with a role provided via Role.fromRoleArn has no effect; the approval for updating the policy is presented with the same permissions that are in the existing role. Due to corporate IAM limitations, we cannot approve IAM changes on the fly and have to use existing roles.
Environment
- CDK CLI Version: 1.60.0
- Module Version: 1.60.0
- Node.js Version: v12.18.2
- OS: osx 10.15.6
- Language: Typescript
Code Snippet
```typescript
import * as path from 'path';
import { Role } from '@aws-cdk/aws-iam';
import { Bucket } from '@aws-cdk/aws-s3';
import { BucketDeployment, ServerSideEncryption, Source } from '@aws-cdk/aws-s3-deployment';
// Runs inside a Stack constructor, so `this` is the stack (the issue's snippet omits the wrapper).
// Both the bucket and the role already exist and are imported rather than created here.
const destinationBucket = Bucket.fromBucketName(this, 'myexistingbucket', 'test-dev-us-east-1');
const irole = Role.fromRoleArn(this, 'existing_role', 'arn:aws:iam::12345:role/MyRole');
// The imported role is handed to the deployment, yet synth still proposes an IAM policy change on it.
const dep = new BucketDeployment(this, 'MyFiles', {
  sources: [Source.asset(path.join(__dirname, '../../dist/test'))],
  destinationBucket: destinationBucket,
  role: irole,
  serverSideEncryption: ServerSideEncryption.AWS_KMS,
  serverSideEncryptionAwsKmsKeyId: 'arn:aws:kms:us-east-1:12345:key/123-123-1233',
});
```
Issue Analytics
- Created 3 years ago
- Comments: 8 (3 by maintainers)
Top GitHub Comments
Ok, what I said above is not entirely correct. I wasn't aware that there is a boolean property, mutable, that you can pass to Role.fromRoleArn(). If you set that property to false, the role will be left untouched and no additional policy or role will be created. I believe this solves the problem. Feel free to reopen if you have additional questions.
@mukeshchauhan, just to clarify a couple of things first: when you provide a role to BucketDeployment, the CDK will respect that and assign that role to the Lambda function. And, as @iliapolo pointed out, it will create a policy with the right permissions (s3:GetObject*, s3:GetBucket*, etc.) and attach that policy to the function's role, regardless of where that role came from.

Now, to your problem: I get it. It would make more sense if, when presented with a custom role, it didn't attach any policy to it. As part of its contract, BucketDeployment should assume that the role has all the right permissions already. But if we change that now, it will remove some permissions that users are (implicitly or explicitly) relying on.
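The two comments above describe the behaviour (a policy is attached to whatever role the deployment Lambda gets) and the escape hatch (mutable: false leaves the imported role alone). The check a practitioner would want is one that runs over the output of cdk synth and fails the pipeline if the template would modify the imported role, listing the actions an approver is being asked to sign off on. The following is an added example written for this page, not code from the issue author or from the CDK project. The two template literals are constructed by hand to mimic the shape of CDK output for the issue's stack, once with the default mutable: true and once with mutable: false; the logical IDs and the Lambda Runtime value are hypothetical, while the role and bucket names are the ones from the issue.

```typescript
// Added example (not from the issue or the CDK project): a post-"cdk synth"
// gate that finds AWS::IAM::Policy resources attached to an imported role and
// lists the IAM actions they grant. Templates below are constructed by hand;
// logical IDs and the Runtime value are hypothetical.

type CfnResource = { Type: string; Properties?: Record<string, any> };
type CfnTemplate = { Resources: Record<string, CfnResource> };

// Does one entry of a policy's "Roles" list refer to roleName? For a literal
// role ARN, CDK splits the ARN at synth time and emits the bare role name.
// A non-string entry is an intrinsic (Ref / Fn::Select); it is matched on a
// substring, which is deliberately conservative: a deploy-time token ARN will
// not contain the name and is out of scope for this check.
function refersToRole(entry: unknown, roleName: string): boolean {
  if (typeof entry === 'string') {
    const suffix = ':role/' + roleName;
    return entry === roleName || entry.slice(-suffix.length) === suffix;
  }
  return JSON.stringify(entry).indexOf(roleName) !== -1;
}

// Logical IDs of AWS::IAM::Policy resources that would modify roleName.
function policiesAttachedToRole(template: CfnTemplate, roleName: string): string[] {
  return Object.keys(template.Resources).filter((id) => {
    const res = template.Resources[id];
    if (res.Type !== 'AWS::IAM::Policy') return false;
    const roles: unknown[] = (res.Properties && res.Properties.Roles) || [];
    return roles.some((e) => refersToRole(e, roleName));
  });
}

// Sorted, de-duplicated actions those policies grant: the concrete content of
// the IAM change an approver is asked to accept.
function actionsGrantedToRole(template: CfnTemplate, roleName: string): string[] {
  const seen: { [action: string]: true } = {};
  policiesAttachedToRole(template, roleName).forEach((id) => {
    const props = template.Resources[id].Properties || {};
    const statements: any[] = (props.PolicyDocument && props.PolicyDocument.Statement) || [];
    statements.forEach((stmt) => {
      const list: unknown[] = Array.isArray(stmt.Action) ? stmt.Action : [stmt.Action];
      list.forEach((a) => { if (typeof a === 'string') seen[a] = true; });
    });
  });
  return Object.keys(seen).sort();
}

// CI gate: throw if synth would touch the imported role at all.
function assertRoleUntouched(template: CfnTemplate, roleName: string): void {
  const hits = policiesAttachedToRole(template, roleName);
  if (hits.length > 0) {
    throw new Error('synth would modify imported role ' + roleName + ' via ' + hits.join(', ') +
      '; actions: ' + actionsGrantedToRole(template, roleName).join(', '));
  }
}

// Constructed: the issue's stack with the default mutable: true. The deployment
// Lambda uses the imported role, and a policy resource targets "MyRole".
const mutableTemplate: CfnTemplate = {
  Resources: {
    MyFilesCustomResourceHandler: {
      Type: 'AWS::Lambda::Function',
      Properties: { Role: 'arn:aws:iam::12345:role/MyRole', Runtime: 'python3.7' },
    },
    MyFilesRolePolicy: {
      Type: 'AWS::IAM::Policy',
      Properties: {
        Roles: ['MyRole'],
        PolicyDocument: {
          Version: '2012-10-17',
          Statement: [
            { Effect: 'Allow', Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], Resource: '*' },
            { Effect: 'Allow', Action: ['s3:PutObject*', 's3:DeleteObject*'],
              Resource: 'arn:aws:s3:::test-dev-us-east-1/*' },
          ],
        },
      },
    },
  },
};

// Constructed: the same stack after Role.fromRoleArn(..., { mutable: false }).
// No policy resource is emitted; only the function remains.
const immutableTemplate: CfnTemplate = {
  Resources: { MyFilesCustomResourceHandler: mutableTemplate.Resources.MyFilesCustomResourceHandler },
};
```

In a pipeline the input would be the JSON written by cdk synth rather than the literals above; the gate then fails with the full action list whenever a policy would be attached to the role, which is exactly the change a restricted-IAM environment cannot approve at deploy time. Note the caveat from the second comment: with mutable: false the role must already carry the s3:GetObject*, s3:GetBucket* and write permissions the deployment Lambda needs, because nothing will be added for it.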