1

I am trying to add a managed policy to a role that contains an account id:

    const role = iam.Role.fromRoleArn(
          this,
          'Role',
          `arn:aws:iam::${cdk.Stack.of(this).account}:role/example-role`,
        );
    
        role.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonDynamoDBFullAccess'));
        role.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonKinesisFullAccess'));

on the aws console i can't see the policy being added to the role.

fyi My aws-cli is logged with the right account.

enter image description here

fedonev
  • 20,327
  • 2
  • 25
  • 34
Aziz.G
  • 3,599
  • 2
  • 17
  • 35

2 Answers2

4

Unfortunately, CDK cannot modify imported resources. So the changes will go through, but will have no effect.

The proper way is to create the role with CDK, and add the policy in the same place where you're creating the role.

Here's a relevant excerpt from the documentation:

Although you can use an imported resource anywhere, you cannot modify the imported resource. For example, calling addToResourcePolicy (Python: add_to_resource_policy) on an imported s3.Bucket does nothing.

gshpychka
  • 8,523
  • 1
  • 11
  • 31
1

The docs seem to say this is possible, but I am having the same issue.

Using existing roles

If there are Roles in your account that have already been created which you would like to use in your CDK application, you can use Role.fromRoleArn to import them, as follows:

role = iam.Role.from_role_arn(self, "Role", "arn:aws:iam::123456789012:role/MyExistingRole",
    # Set 'mutable' to 'false' to use the role as-is and prevent adding new
    # policies to it. The default is 'true', which means the role may be
    # modified as part of the deployment.
    mutable=False
)
kidbrax
  • 2,364
  • 3
  • 30
  • 38