AWS Managed Policy ARN is not synthesizing correctly
```python
from aws_cdk import aws_iam as iam

# Define Data Lake WorkFlow AWS Managed Policies
# (name given without the "service-role/" path prefix; this is the call that fails)
data_lake_workflow_managed_policy = iam.ManagedPolicy.from_aws_managed_policy_name(
    managed_policy_name='AWSGlueServiceRole')

# Define Data Lake WorkFlow Role (SAML-federated principal)
data_lake_workflow_role = iam.Role(
    self, id='data-lake-workflow-role',
    assumed_by=iam.FederatedPrincipal(
        federated=role_federation_trust_arn,
        conditions={'StringEquals': {'SAML:aud': 'https://signin.aws.amazon.com/saml'}},
        assume_role_action='sts:AssumeRoleWithSAML'),
    description='Data Lake WorkFlow Role',
    managed_policies=[data_lake_workflow_managed_policy],
    role_name=work_flow_role_name)
```
Expected: successful creation of the IAM role with the AWS Managed policy attached (AWSGlueServiceRole).

Actual: `Policy arn:aws:iam::aws:policy/AWSGlueServiceRole does not exist or is not attachable.`

The actual AWS Managed Policy ARN is:
`arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole`
and not
`arn:aws:iam::aws:policy/AWSGlueServiceRole`
This is a :bug: Bug Report
I found the solution, looking at the documentation:
```ts
/**
 * Import a managed policy from one of the policies that AWS manages.
 *
 * For this managed policy, you only need to know the name to be able to use it.
 *
 * Some managed policy names start with **"service-role/"**, some start with
 * **"job-function/"**, and some don't start with anything. Do include the
 * prefix when constructing this object.
 */
```
Changing my code to include the prefix resolves the issue:
```python
# Define Data Lake WorkFlow AWS Managed Policies
# The name must include the "service-role/" path prefix that appears in the policy ARN
data_lake_workflow_managed_policy = iam.ManagedPolicy.from_aws_managed_policy_name(
    managed_policy_name='service-role/AWSGlueServiceRole')
```
I wonder where the prefix is? I don't see it on the IAM page; I had to use trial and error:
```ts
ManagedPolicy.fromAwsManagedPolicyName('AmazonEventBridgeFullAccess'),
ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSLambdaBasicExecutionRole')
```
Both of these are listed under the AWS-provided policies, but one needs no prefix while the other does.
@cyberwombat yeah, I was confused too. I think you can tell based on the ARN. If you click through to the policy page, you'll see the ARN on top, and they look like:
`arn:aws:iam::aws:policy/AmazonECS_FullAccess` or
`arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambda`
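The rule the thread converges on (everything after `policy/` in the console ARN, path prefix included, is the name to pass) can be turned into a small check. The following is an added example, not code from the CDK or from anyone in this thread. It assumes the CDK assembles the managed policy ARN as `arn:{partition}:iam::aws:policy/{name}` with the name appended verbatim (which is why the unprefixed name yields the rejected ARN from the bug report), and the sample ARNs are the ones quoted above; the mapping to an IAM `Path` / `PolicyName` pair as `aws iam get-policy` reports them is stated as an assumption too.

```python
"""Derive the argument for ManagedPolicy.from_aws_managed_policy_name() from the
ARN shown in the IAM console, and show why omitting the path prefix fails.

Added example, not CDK code. Assumption: the CDK builds the managed policy ARN as
arn:{partition}:iam::aws:policy/{name}, appending the given name verbatim.
"""
import re

# AWS-managed policies live under the pseudo-account "aws" with no region.
# The partition may be aws, aws-cn or aws-us-gov; "policy/" is followed by an
# optional path (service-role/, job-function/, ...) and the policy name.
_AWS_MANAGED_POLICY_ARN = re.compile(
    r"^arn:(?P<partition>aws|aws-cn|aws-us-gov):iam::aws:policy/(?P<name>[^/].*)$"
)


def managed_policy_name_from_arn(arn: str) -> str:
    """Return the string to pass to from_aws_managed_policy_name().

    Everything after "policy/" is kept, including a path segment such as
    "service-role/". A ValueError is raised for anything that is not an
    AWS-managed policy ARN (e.g. a customer-managed policy in a real account),
    because from_aws_managed_policy_name() cannot reference those.
    """
    match = _AWS_MANAGED_POLICY_ARN.match(arn.strip())
    if not match:
        raise ValueError(f"not an AWS-managed policy ARN: {arn!r}")
    return match.group("name")


def managed_policy_arn_from_name(name: str, partition: str = "aws") -> str:
    """Assemble the ARN the way the CDK is assumed to: name appended verbatim.

    Passing "AWSGlueServiceRole" therefore yields
    arn:aws:iam::aws:policy/AWSGlueServiceRole, the ARN IAM rejected above.
    """
    return f"arn:{partition}:iam::aws:policy/{name}"


def iam_path_and_policy_name(name: str) -> tuple[str, str]:
    """Split a CDK-style name into the (Path, PolicyName) pair IAM uses.

    Assumption: IAM reports the path with surrounding slashes, so
    "service-role/AWSGlueServiceRole" -> ("/service-role/", "AWSGlueServiceRole")
    and a bare name -> ("/", name).
    """
    path, sep, policy_name = name.rpartition("/")
    return (f"/{path}/" if sep else "/", policy_name)


def name_matches_console_arn(name: str, console_arn: str) -> bool:
    """True if the name you intend to pass to the CDK reproduces the console ARN."""
    return managed_policy_name_from_arn(console_arn) == name


if __name__ == "__main__":
    # Sample ARNs quoted in the thread above.
    console_arns = [
        "arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole",
        "arn:aws:iam::aws:policy/AmazonEventBridgeFullAccess",
        "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
        "arn:aws:iam::aws:policy/AmazonECS_FullAccess",
        "arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambda",
    ]
    for arn in console_arns:
        name = managed_policy_name_from_arn(arn)
        path, policy_name = iam_path_and_policy_name(name)
        print(f"{arn}\n  pass to CDK: {name!r}  (Path={path} PolicyName={policy_name})")

    # The mistake from the bug report: bare name for a policy that has a path.
    wrong = managed_policy_arn_from_name("AWSGlueServiceRole")
    print("\nunprefixed name produces:", wrong)
    print("matches console ARN:", name_matches_console_arn(
        "AWSGlueServiceRole", console_arns[0]))
```

Run it with the ARN from the policy's console page; if `name_matches_console_arn()` is false for the string you were about to pass, the deploy will fail with the "does not exist or is not attachable" error from the report.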