Aws-cdk: Role.addManagedPolicy does not work for imported roles

Created on 1 Jun 2020 · 6 comments · Source: aws/aws-cdk

Inconsistent Behavior: aws_iam.Role.attachManagedPolicy vs aws_iam.ManagedPolicy.attachToRole

The Scenario

TLDR; aws_iam.Role.attachManagedPolicy does not attach the specified managed policy to the role, aws_iam.ManagedPolicy.attachToRole does.

I have two stacks: one deploys roles, the other deploys an application stack (both are in the same account). The roles stack is deployed first.

In the application stack, I would like to attach a managed policy to a role in the first.

Attempting to use aws_iam.Role.attachManagedPolicy does not create the association but aws_iam.ManagedPolicy.attachToRole does.

Environment

  • CDK CLI Version: 1.39.0 (build 5d727c1)
  • Module Version: 1.38.0
  • Node.js Version: v14.0.0
  • OS: macOS Mojave 10.14.6 (18G4032)
  • Language: Typescript and Python

Other information

Steps to reproduce

  1. Deploy one stack with an IAM role
  2. In a second stack create a managed policy
  3. In the second stack import the role using aws_iam.Role.fromRoleArn (importedRole)
  4. In the second stack attempt to add the managed policy to importedRole via importedRole.attachManagedPolicy

Observed

  1. cdk synth does not show any associations made between the role and the managed policy
  2. using ManagedPolicy.attachToRole works however

Expected

  1. cdk synth (and subsequently cdk deploy) should associate the role and managed policy when Role.attachManagedPolicy is used

All 6 comments

It looks like addManagedPolicy is not implemented... https://github.com/aws/aws-cdk/blob/v1.42.1/packages/@aws-cdk/aws-iam/lib/role.ts#L216

Is there a way that this can be __clearly__ stated in documentation?

We can certainly add that to the documentation.

Could this be resolved by changing addManagedPolicy to take a ManagedPolicy instead of IManagedPolicy as its argument (and then calling the appropriate method on the managed policy to attach it to the role)?

I feel like this could fit in with the design guidelines - "It's okay to enable multiple ways to achieve the same thing, in order to make it more natural for users who come from different mental models", even though it technically violates _[awslint:ref-via-interface]_. Also the attachInlinePolicy method on imported roles requires a Policy (as opposed to an IPolicy), so this wouldn't be especially out of place.

Just ran into this bug, trying to configure some policies for roles managed outside of the cdk app 😩

Same here, this is really unfortunate. It fails silently and doesn't attach anything.
I guess I'll be forced to create a proper inline policy and do the right thing following the principle of least privilege.

We just hit this issue. Especially surprising that even a warning is not getting printed. https://github.com/aws/aws-cdk/blob/master/packages/@aws-cdk/aws-iam/lib/role.ts#L227
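Because the dropped attachment leaves no trace except a missing `Roles` entry in the synthesized template, a check over the `<stack>.template.json` that `cdk synth` writes to `cdk.out` is the practical guard for the reproduction steps above and the silent failure noted in these comments. This is an added example, not aws-cdk's own code; the template, its logical ids and the role name `app-role` are constructed for illustration.

```python
import json

def _role_key(entry):
    # One element of a ManagedPolicy "Roles" list. A plain string is the name
    # of an imported role (Role.fromRoleArn); {"Ref": id} points at a role
    # defined in the same stack. Anything else (Fn::* intrinsics) stays opaque.
    if isinstance(entry, str):
        return entry
    if isinstance(entry, dict) and "Ref" in entry:
        return entry["Ref"]
    return json.dumps(entry, sort_keys=True)

def policies_attached_to(template, role):
    """Logical ids of AWS::IAM::ManagedPolicy resources whose Roles list
    names `role` (an imported role name or a same-stack role logical id)."""
    hits = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::ManagedPolicy":
            continue
        roles = res.get("Properties", {}).get("Roles", [])
        if any(_role_key(r) == role for r in roles):
            hits.append(logical_id)
    return sorted(hits)

def missing_attachments(template, expected):
    """expected maps policy logical id -> role it should be attached to.
    Returns the pairs the template does not realise: the silent no-ops to
    catch before `cdk deploy`."""
    return {p: r for p, r in expected.items()
            if p not in policies_attached_to(template, r)}

# Constructed template in the shape cdk synth produces (hypothetical logical
# ids). "ViaAdd" was attached with importedRole.addManagedPolicy(), which the
# issue reports as a no-op, so no Roles property was emitted; "ViaAttach"
# used ManagedPolicy.attachToRole(importedRole) and got one.
SYNTH_TEMPLATE = {
    "Resources": {
        "ViaAdd": {"Type": "AWS::IAM::ManagedPolicy",
                   "Properties": {"PolicyDocument": {"Statement": []}}},
        "ViaAttach": {"Type": "AWS::IAM::ManagedPolicy",
                      "Properties": {"PolicyDocument": {"Statement": []},
                                     "Roles": ["app-role"]}},
        "LocalRole": {"Type": "AWS::IAM::Role", "Properties": {}},
        "ViaLocal": {"Type": "AWS::IAM::ManagedPolicy",
                     "Properties": {"PolicyDocument": {"Statement": []},
                                    "Roles": [{"Ref": "LocalRole"}]}},
    }
}

if __name__ == "__main__":
    want = {"ViaAdd": "app-role", "ViaAttach": "app-role", "ViaLocal": "LocalRole"}
    print(missing_attachments(SYNTH_TEMPLATE, want))  # {'ViaAdd': 'app-role'}
```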
