Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Role.addManagedPolicy does not work for imported roles #8307

Open
its-mirus-lu opened this issue Jun 1, 2020 · 14 comments · May be fixed by #31212
Open

Role.addManagedPolicy does not work for imported roles #8307

its-mirus-lu opened this issue Jun 1, 2020 · 14 comments · May be fixed by #31212
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management bug This issue is a bug. docs/inline Related to inline documentation of the API Reference documentation This is a problem with documentation. effort/small Small work item – less than a day of effort p2

Comments

@its-mirus-lu
Copy link

Inconsistent Behavior: aws_iam.Role.attachManagedPolicy vs aws_iam.ManagedPolicy.attachToRole

The Scenario

TLDR; aws_iam.Role.attachManagedPolicy does not attach the specified managed policy to the role, aws_iam.ManagedPolicy.attachToRole does.

I have two stacks: one stack deploys roles another deploys an application stack (both are in the same account). The roles stack is deployed first.

In the application stack, I would like to attach a managed policy to a role in the first.

Attempting to use aws_iam.Role.attachManagedPolicy does not create the association but aws_iam.ManagedPolicy.attachToRole does.

Environment

  • CDK CLI Version: 1.39.0 (build 5d727c1)
  • Module Version: 1.38.0
  • Node.js Version: v14.0.0
  • OS: macOS Mojave 10.14.6 (18G4032)
  • Language: Typescript and Python

Other information

Steps to reproduce

  1. Deploy one stack with an IAM role
  2. In a second stack create a managed policy
  3. In the second stack Import the role using aws_iam.Role.fromRoleArn (importedRole)
  4. In the second stack attempt to add the managed policy to importedRole via importedRole.attachManagedPolicy
Observed
  1. cdk synth does not show any associations made between the role and the managed policy
  2. using ManagedPolicy.attachToRole works however
Expected
  1. cdk synth (and subsequently) cdk deploy should associate the role and managed policy when Role.attachManagedPolicy is used
@its-mirus-lu
Copy link
Author

It looks like addManagedPolicy is not implemented... https://github.com/aws/aws-cdk/blob/v1.42.1/packages/@aws-cdk/aws-iam/lib/role.ts#L216

Is there a way that this can be clearly stated in documentation?

@SomayaB SomayaB added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Jun 2, 2020
@SomayaB SomayaB added the bug This issue is a bug. label Jun 2, 2020
@rix0rrr rix0rrr added the docs/inline Related to inline documentation of the API Reference label Jun 3, 2020
@rix0rrr rix0rrr changed the title Inconsistent behavior: aws_iam.Role.attachManagedPolicy vs aws_iam.ManagedPolicy.attachToRole Role.addManagedPolicy does not work for imported roles Jun 3, 2020
@rix0rrr
Copy link
Contributor

rix0rrr commented Jun 3, 2020

We can certainly add that to the documentation.

@rix0rrr rix0rrr assigned NGL321 and SomayaB and unassigned rix0rrr Jun 3, 2020
@NGL321 NGL321 added the p2 label Jun 16, 2020
@Chriscbr
Copy link
Contributor

Chriscbr commented Jul 30, 2020
edited
Loading

Could this be resolved by changing addManagedPolicy to take a ManagedPolicy instead of IManagedPolicy as its argument (and then calling the appropriate method on the managed policy to attach it to the role)?

I feel like this could fit in with the design guidelines - "It's okay to enable multiple ways to achieve the same thing, in order to make it more natural for users who come from different mental models", even though it technically violates [awslint:ref-via-interface]. Also the attachInlinePolicy method on imported roles requires a Policy (opposed to an IPolicy), so this wouldn't be especially out of place.

@NGL321 NGL321 added the effort/small Small work item – less than a day of effort label Sep 7, 2020
@OperationalFallacy
Copy link

Just run into this bug, trying to configure some policies for roles managed outside of cdk app 😢

@guilarteH
Copy link

Same here, this is really unfortunate. It fails silently and doesn't attach anything.
I guess I'll be forced to create a proper inline policy and do the right thing following the principle of least privilege.

@valters
Copy link
Contributor

valters commented Dec 10, 2020

We just hit this issue. Especially surprising that even a warning is not getting printed. https://github.com/aws/aws-cdk/blob/master/packages/@aws-cdk/aws-iam/lib/role.ts#L227

@gshpychka gshpychka mentioned this issue Jul 26, 2021
Closed
@NGL321 NGL321 removed their assignment Sep 20, 2021
@jayhilden
Copy link

The workaround I found is below. It's not perfect, but it's pretty good:

  1. define the policy statement(s)
  2. create the managed policy with that policy statement
  3. attach the policy statement to the imported role.

Example

const statement = new PolicyStatement({
    effect: Effect.ALLOW,
    actions: ['execute-api:Invoke'],
    resources: [
        //SOME RESOURCE
    ]
})
this.cloudAuthAccessPolicy = new ManagedPolicy(this, 'FOO', {
    managedPolicyName: 'FOO',
    description: "BAR",
    statements: [
        statement
    ]
})

const role = Role.fromRoleArn(this, `name`, `arn:aws:iam::${props.account}:role/SOME_ROLE_NAME`)
role.addToPolicy(statement)

@digven
Copy link

digven commented Apr 2, 2022
edited
Loading

I know this issue has been open for some time now. Is there a fix team is working on ?. I have a use case where I want to create roles and policies separately and then associate them later using Role.addManagedPolicy.

The only way right now is to attach the policy to the role to policy during the role creation itself (using managed_policies) which is not ideal.

@rdinardi-bw
Copy link

This is still wrong in the documentation when importing an existing role.

One can set a mutable option when importing the role (by default it's set to true) The docs say:

Whether the imported role can be modified by attaching policy resources to it.

Which is untrue. You may only modify the role by adding inline policies. Not managed policies.

@molok
Copy link

molok commented Jan 27, 2023

aws-cdk/packages/@aws-cdk/aws-iam/lib/private/imported-role.ts

Line 70 in 070f5ec

public addManagedPolicy(policy: IManagedPolicy): void {

the function addManagedPolicy for ImportedRole only adds a warning Not adding managed policy: ${policy.managedPolicyArn} to imported role: ${this.roleName}, is this a missing implementation or an intended behavior?

the warning isn't even really shown to the user, it just prints

[Warning at /MyStack/ImportedRole] [object Object]

Is there any other way to add an AWS Managed Policy to an Imported Role?

@jorgemaroto-eb
Copy link

@jayhilden's solution could work, even if it requires to copy&paste the statements from a Managed Policy to a new one (handled by us).
In our case, we're needing the ReadOnlyAccess policy, so we're going to duplicate it while this issue is solved.

@jatinmehrotra jatinmehrotra mentioned this issue Feb 16, 2023
Open
@delenamalan delenamalan mentioned this issue May 22, 2023
Closed
2 tasks
@peterwoodworth peterwoodworth added the documentation This is a problem with documentation. label May 22, 2023
@taabrcr
Copy link

taabrcr commented May 25, 2023

It would be nice to have this solved, in the meantime a solution like this works:

  const statement = new PolicyStatement({
    effect: Effect.ALLOW,
    actions: ['execute-api:Invoke'],
    resources: [
          //SOME RESOURCE
    ],
    });

  const role = Role.fromRoleArn(this, 'role', 'arn:aws:iam::${props.account}:role/SOME_ROLE_NAME');

  role.attachInlinePolicy(new Policy(
    this,
    'inline-policy', {
      policyName: 'CustomPolicyName',
      statements: [statement],
    },
  ));

@Lanayx
Copy link

Lanayx commented Jul 24, 2023

This shouldn't be marked as documentation issue, it rather should just be implemented - I don't see anything wrong in idea of adding managed policies to the imported role (for example to the auto-generated service roles).

@swachter
Copy link

swachter commented Aug 9, 2024
edited
Loading

As a workaround, you can use an AwsCustomResource to attach a managed policy to a role:

new AwsCustomResource(this, 'developerReadOnlyAccess', {
    onCreate: {
        service: 'IAM',
        action: 'attachRolePolicy',
        parameters: {
            PolicyArn: 'arn:aws:iam::aws:policy/ReadOnlyAccess',
            RoleName: 'developer'
        },
        physicalResourceId: PhysicalResourceId.of(`${this.stackName}-dev-read-only-access`)
    },
    policy: AwsCustomResourcePolicy.fromSdkCalls({ resources: AwsCustomResourcePolicy.ANY_RESOURCE })
});

stm29 added a commit to stm29/aws-cdk that referenced this issue Aug 24, 2024
@stm29
fix(iam): does not work for imported roles aws#8307
4efe2f3
@stm29 stm29 linked a pull request Aug 24, 2024 that will close this issue
Open
1 task
This was referenced Aug 26, 2024
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management bug This issue is a bug. docs/inline Related to inline documentation of the API Reference documentation This is a problem with documentation. effort/small Small work item – less than a day of effort p2
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(iam): Role.addManagedPolicy() does not work for imported roles #8307 stm29/aws-cdk