    // assumes the usual CDK import, e.g. `import * as iam from '@aws-cdk/aws-iam';`
    const servicePrincipal = new iam.ServicePrincipal("lambda.amazonaws.com");

    const policyDoc = new iam.PolicyDocument({
      statements: [
        new iam.PolicyStatement({
          actions: ["sts:AssumeRole"],
          principals: [servicePrincipal],   // principals listed inside a permission statement
          effect: iam.Effect.ALLOW,
          resources: ["arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"],
          sid: ""
        })
      ],
    });

    // policyDoc is attached here as an identity-based (permission) policy of the role
    const accessRole = new iam.Role(this, 'git-access-role', {
      assumedBy: servicePrincipal,
      inlinePolicies: { policyDoc }
    });

I'm creating a CDK Lambda with a role that has AWSLambdaBasicExecutionRole, but I get an error saying

A PolicyStatement used in an identity-based policy cannot specify any IAM principals

Not quite sure... what does it mean and what should I do?

Vadim Kotov
walter

    You don't need principal. What do you want to achieve with that policy? – Marcin Jun 17 '21 at 03:53

    The `principal` field is not used in IAM Policies because the principal is automatically identified as whoever has the policy attached to them. It appears that you are wanting to create an IAM Role that will be used by an AWS Lambda function -- this would be part of the Trust policy on the Role, rather than part of the permissions themselves. I'm not sure how to do that in CDK, but looking for Trust Policy should help figure it out. – John Rotenstein Jun 17 '21 at 07:56

1 Answer

Looks like you're trying to generate the assume-role policy with `policyDoc`. The `assumedBy: servicePrincipal` line will automatically generate the trust policy. If all you want to do is assign the Lambda basic execution policy to the role, then it should look like this:

const accessRole = new iam.Role(this, 'git-access-role', {
  // trust policy: who may call sts:AssumeRole on this role
  assumedBy: new iam.ServicePrincipal("lambda.amazonaws.com"),
  // permission policy: attach the AWS-managed policy by name instead of using its ARN as a resource
  managedPolicies: [iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSLambdaBasicExecutionRole')]
});

If the lambda needs access to git, as the construct id of the role seems to indicate, then you can add those permissions as inline policies. But this code would create a role that is assumable by a lambda, and it would have the most basic permissions a lambda needs to run.
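To make the distinction in the answer concrete, here is an added example (not code from the question, the answer, or the CDK itself) that models the two documents a role carries and enforces the rule behind the error: a trust policy names a principal and takes no resource, while a permission policy names resources and must not name a principal. It also flags the second problem in the question's statement, that `sts:AssumeRole` is authorised against a role ARN rather than a managed-policy ARN. The account id, region and CodeCommit repository ARN are constructed placeholders, and "git access" is assumed to mean AWS CodeCommit; `gitPullPolicy` is a hypothetical least-privilege inline policy, not something the answer prescribes.

```typescript
// Added example, not code from the question or the answer: it models the two
// documents an IAM role carries and enforces the rule behind the CDK error.
// The account id, region and CodeCommit repository are constructed placeholders,
// and "git access" is assumed to mean AWS CodeCommit.

type Statement = {
  Effect: "Allow" | "Deny";
  Action: string[];
  Resource?: string[];
  // IAM also accepts a bare string here; arrays keep the example small.
  Principal?: { Service?: string[]; AWS?: string[] };
};
type PolicyDocument = { Version: "2012-10-17"; Statement: Statement[] };

const LAMBDA_BASIC_EXECUTION = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole";
const ROLE_ARN = /^arn:aws:iam::\d{12}:role\//;

// Identity-based (permission) policy: attached to the role, so the principal is
// implicit. A Principal element is exactly what the CDK error rejects.
function validateIdentityPolicy(doc: PolicyDocument): string[] {
  const errors: string[] = [];
  doc.Statement.forEach((s, i) => {
    if (s.Principal !== undefined) errors.push(`statement ${i}: an identity-based policy cannot specify IAM principals`);
    if (!s.Resource || s.Resource.length === 0) {
      errors.push(`statement ${i}: an identity-based statement needs a Resource`);
    } else if (s.Action.indexOf("sts:AssumeRole") !== -1) {
      // sts:AssumeRole is authorised against a role ARN, never a managed-policy ARN.
      for (const r of s.Resource) {
        if (r !== "*" && !ROLE_ARN.test(r)) errors.push(`statement ${i}: sts:AssumeRole resource ${r} is not a role ARN`);
      }
    }
  });
  return errors;
}

// Trust (assume-role) policy: says who may call sts:AssumeRole on this role. It
// carries a Principal and no Resource, because the role itself is the resource.
function validateTrustPolicy(doc: PolicyDocument): string[] {
  const errors: string[] = [];
  doc.Statement.forEach((s, i) => {
    if (s.Principal === undefined) errors.push(`statement ${i}: a trust policy must name a principal`);
    if (!s.Action.every((a) => a.indexOf("sts:AssumeRole") === 0)) errors.push(`statement ${i}: a trust policy should only grant sts:AssumeRole* actions`);
    if (s.Resource !== undefined) errors.push(`statement ${i}: trust policy statements do not take a Resource`);
  });
  return errors;
}

// What `assumedBy: new iam.ServicePrincipal("lambda.amazonaws.com")` generates.
function lambdaTrustPolicy(): PolicyDocument {
  return {
    Version: "2012-10-17",
    Statement: [{ Effect: "Allow", Action: ["sts:AssumeRole"], Principal: { Service: ["lambda.amazonaws.com"] } }],
  };
}

// The statement from the question, placed in a permission policy as inlinePolicies does.
function questionsPolicy(): PolicyDocument {
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Action: ["sts:AssumeRole"],
      Principal: { Service: ["lambda.amazonaws.com"] },
      Resource: [LAMBDA_BASIC_EXECUTION],
    }],
  };
}

// Hypothetical least-privilege inline policy for "git access": read-only pull
// from a single CodeCommit repository (assumption, not from the answer).
function gitPullPolicy(repoArn: string): PolicyDocument {
  return {
    Version: "2012-10-17",
    Statement: [{ Effect: "Allow", Action: ["codecommit:GitPull"], Resource: [repoArn] }],
  };
}

// Assemble the role in the shape CloudFormation receives, refusing anything that
// fails the checks above (which is what the CDK does at synth time).
function buildLambdaRole(inline: PolicyDocument, trust: PolicyDocument = lambdaTrustPolicy()) {
  const problems = [...validateTrustPolicy(trust), ...validateIdentityPolicy(inline)];
  if (problems.length > 0) throw new Error(problems.join("; "));
  return {
    Type: "AWS::IAM::Role",
    Properties: {
      AssumeRolePolicyDocument: trust,                                 // from assumedBy
      ManagedPolicyArns: [LAMBDA_BASIC_EXECUTION],                     // from managedPolicies
      Policies: [{ PolicyName: "git-pull", PolicyDocument: inline }], // from inlinePolicies
    },
  };
}

// Stand-alone run: the corrected role, then the two problems in the question's statement.
const demoRepo = "arn:aws:codecommit:us-east-1:123456789012:demo-repo"; // constructed
console.log(JSON.stringify(buildLambdaRole(gitPullPolicy(demoRepo)), null, 2));
console.log(validateIdentityPolicy(questionsPolicy()));
```

Running it prints the role with its trust document under `AssumeRolePolicyDocument`, the managed policy under `ManagedPolicyArns`, and the pull-only inline policy under `Policies`, followed by the two findings for the question's statement. Passing `questionsPolicy()` to `buildLambdaRole` throws, which is the same outcome the CDK produced with a different message.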