
Here is a role I already declared with a policy:

{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Effect": "Allow",
          "Action": [
              "sqs:ReceiveMessage",
              "sqs:DeleteMessage",
              "sqs:GetQueueAttributes",
              "sqs:ChangeMessageVisibility",
              "sqs:GetQueueUrl"
          ],
          "Resource": "arn:aws:sqs:*:<my-account>:my-prefix-*"
      }
  ]
}

When I deploy my queue and Lambda (with trigger) manually, everything is OK (and it is working as expected). However, when I deploy with CDK, it tries to add a new inline policy which looks exactly the same (without wildcards):

{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Effect": "Allow",
          "Action": [
              "sqs:ReceiveMessage",
              "sqs:DeleteMessage",
              "sqs:GetQueueAttributes",
              "sqs:ChangeMessageVisibility",
              "sqs:GetQueueUrl"
          ],
          "Resource": "arn:aws:sqs:eu-west-3:<my-account>:my-prefix-MYRESOURCE-CREATED"
      }
  ]
}

My questions:

  • Why does CDK not detect that the policy is the same?
  • If it is working as designed, is there a way to not include IAM changes?

I am not referring to "How to skip IAM change confirmation during a cdk deploy?", where the user wants an auto-approval.

Thanks and regards

Geoffrey

1 Answer


I assume you are passing a role parameter into your Lambda Function.

If you don't want CDK to automatically add inline policies to this role, you may want to use .without_policy_updates():

Use the object returned by this method if you want this Role to be used by a construct without it automatically updating the Role’s Policies.

If you do, you are responsible for adding the correct statements to the Role’s policies yourself.
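Added example, not part of the question or the answer: CDK synthesizes a CloudFormation template from the construct tree and never reads the policies already attached to the role, so the wildcard statement on the role is invisible to it and it simply emits the inline policy the event source needs. The checker below does the comparison CDK does not, using the two policies from the question as constructed input (the `<my-account>` placeholder is kept), so you can confirm the generated statement is already covered before opting out with `without_policy_updates()`.

```python
import re

# Constructed sample input: the two policies from the question above, keeping
# the question's <my-account> placeholder for the account id.
SQS_CONSUME = ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes",
               "sqs:ChangeMessageVisibility", "sqs:GetQueueUrl"]
EXISTING_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": SQS_CONSUME,
    "Resource": "arn:aws:sqs:*:<my-account>:my-prefix-*"}]}
GENERATED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": SQS_CONSUME,
    "Resource": "arn:aws:sqs:eu-west-3:<my-account>:my-prefix-MYRESOURCE-CREATED"}]}

def iam_match(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' matches any run of characters, '?' one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None

def arn_covered(pattern: str, arn: str) -> bool:
    """Match an ARN segment by segment (partition, service, region, account,
    resource) so a '*' in one segment cannot spill into the next."""
    if pattern == "*":
        return True
    p, a = pattern.split(":", 5), arn.split(":", 5)
    return len(p) == len(a) == 6 and all(iam_match(x, y) for x, y in zip(p, a))

def allow_grants(policy: dict):
    """Yield (actions, resources) for each unconditional Allow statement."""
    for st in policy["Statement"]:
        if st.get("Effect") == "Allow" and "Condition" not in st:
            actions, resources = st.get("Action", []), st.get("Resource", [])
            yield ([actions] if isinstance(actions, str) else actions,
                   [resources] if isinstance(resources, str) else resources)

def uncovered_grants(existing: dict, generated: dict) -> list:
    """(action, resource) pairs that `generated` allows but no Allow statement
    in `existing` covers; actions compare case-insensitively, as in IAM.
    Deny statements are not modelled, so [] means 'redundant', not 'safe'."""
    existing_grants = list(allow_grants(existing))
    return [(action, resource)
            for actions, resources in allow_grants(generated)
            for action in actions for resource in resources
            if not any(any(iam_match(pa.lower(), action.lower()) for pa in ea)
                       and any(arn_covered(pr, resource) for pr in er)
                       for ea, er in existing_grants)]
```

An empty list from `uncovered_grants(EXISTING_POLICY, GENERATED_POLICY)` confirms the CDK-generated statement adds nothing the role does not already have; a non-empty list tells you which grants you would have to add yourself after switching to `without_policy_updates()`.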