[iam] iam policies should allow passing policydocuments via props to constructor like managed policies do #11236
Comments
What would the user code look like with your proposed solution in place?
(In favor of this functionality in general, btw, but it depends on what the solution looks like)
ok, that's what I do at the moment:

const albIngressIamPolicyDocument = iam.PolicyDocument.fromJson(
  require(`${__dirname}/addonAwsLoadbalancerControllerFiles/iam_policy.json`)
);
const albIngressPolicy = new iam.ManagedPolicy(scope, "AwsLoadbalancerControllerManagedPolicy", {
  document: albIngressIamPolicyDocument
});
albIngressPolicy.attachToRole(albIngressServiceAccount.role);

and I want to use Policy instead of ManagedPolicy, but it's not supported now. P.S. the iam_policy.json comes from the AwsLoadbalancerController (included via submodules).
@rix0rrr what do you think? Can I start creating the PR?
I was asking about what the code WOULD look like with your ideal API in place, not about your current workaround. For example, we could pick either of the following:

const policy = Policy.fromJson(this, 'MyPolicy', '/path/to/bla.json');
albIngressServiceAccount.role.addInlinePolicy(policy);

// OR

const document = PolicyDocument.fromJson('/path/to/bla.json');
const policy = new Policy(this, 'MyPolicy', {
  document: document,
});
albIngressServiceAccount.role.addInlinePolicy(policy);

I feel like my preference would be for the 2nd one.
I also prefer the second one (as I wrote, it's how ManagedPolicy behaves, and I think it should be implemented the same way).
I created a PR with the changes I suggest. I implemented it like your 2nd solution (and as it's implemented in ManagedPolicy). And sorry if I did things wrong, it's my first PR for CDK.
Allow passing PolicyDocuments to Policies like it can be done right now for ManagedPolicies. Fixes #11236 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
The require option works fine, but the lint fails.
Use Case
While using EKS a lot, I often find policy documents for certain tools maintained by the creator of the tool (as an example, the AWS ingress controller).
I would like to use these policy documents and not rewrite them. There is a function that allows creating policy documents from JSON; that's fine. Then it is possible to pass the document to the ManagedPolicy constructor, but not to inline policies.
I see no reason why this shouldn't be allowed for policies too.
Proposed Solution
Extend PolicyProps like it's done in ManagedPolicyProps, and extend the constructor of Policy like it's done in ManagedPolicy:
aws-cdk/packages/@aws-cdk/aws-iam/lib/managed-policy.ts, line 95 in 55e6130
aws-cdk/packages/@aws-cdk/aws-iam/lib/managed-policy.ts, line 219 in 55e6130
Both lines are not included in the normal Policy.
Other
If you agree, I will start to implement this, and as far as I can see, there should be no negative side effects.
This is a 🚀 Feature Request
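A stand-alone model of the API shape discussed in this thread (rix0rrr's second option and the ManagedPolicy-style constructor described under Proposed Solution), added here as an example; it is not aws-cdk code and imports nothing from it. The class names mimic aws-cdk's, and the sample iam_policy.json and the wildcard-resource check are constructed for illustration:

```typescript
// Added example: a stand-alone model of the proposed Policy API, not aws-cdk's own code.
type Json = Record<string, unknown>;
interface Statement { effect: string; actions: string[]; resources: string[]; }
// IAM JSON allows a single string or an array for Action/Resource; normalise to an array.
const asArray = (v: unknown): string[] =>
  v === undefined ? [] : Array.isArray(v) ? v.map(String) : [String(v)];

class PolicyDocument {
  readonly statements: Statement[] = [];
  // Build a document from raw policy JSON such as a vendor-maintained iam_policy.json.
  static fromJson(obj: Json): PolicyDocument {
    const doc = new PolicyDocument();
    const raw = obj.Statement;
    const list: unknown[] = Array.isArray(raw) ? raw : [raw]; // single object or array
    for (const s of list as Json[]) {
      doc.statements.push({
        effect: String(s.Effect ?? 'Allow'),
        actions: asArray(s.Action),
        resources: asArray(s.Resource),
      });
    }
    return doc;
  }
  // Allow statements scoped to every resource: the ones to review when the JSON is third-party.
  wildcardResourceStatements(): Statement[] {
    return this.statements.filter(s => s.effect === 'Allow' && s.resources.includes('*'));
  }
}

interface PolicyProps { statements?: Statement[]; document?: PolicyDocument; }
class Policy {
  readonly document: PolicyDocument;
  constructor(props: PolicyProps = {}) {
    // The shape the issue proposes: a supplied `document` is used as-is, otherwise a fresh one
    // is created; `statements` are appended either way, as ManagedPolicy already behaves.
    this.document = props.document ?? new PolicyDocument();
    this.document.statements.push(...(props.statements ?? []));
  }
}

// Constructed sample in the style of the ALB controller's iam_policy.json (not the real file).
const sampleIamPolicyJson: Json = {
  Version: '2012-10-17',
  Statement: [
    { Effect: 'Allow', Action: ['ec2:DescribeVpcs', 'elasticloadbalancing:DescribeLoadBalancers'], Resource: '*' },
    { Effect: 'Allow', Action: 'iam:CreateServiceLinkedRole', Resource: 'arn:aws:iam::123456789012:role/example' },
  ],
};
function buildAlbPolicy(): Policy {
  return new Policy({ document: PolicyDocument.fromJson(sampleIamPolicyJson) });
}
```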