
Role.addToPolicy does not exist for imported roles #24195

Open
jatinmehrotra opened this issue Feb 16, 2023 · 3 comments
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management bug This issue is a bug. p2

Comments

@jatinmehrotra

Describe the bug

I am trying to import a role; however, just like #8307, addToPolicy does not exist on the imported role.

Expected Behavior

addToPolicy should work on the imported role.

Current Behavior

The method does not exist.

Reproduction Steps

import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as s3 from 'aws-cdk-lib/aws-s3';
import { Effect, PolicyStatement, Role, ServicePrincipal } from 'aws-cdk-lib/aws-iam';
import { IRole } from 'aws-cdk-lib/aws-iam';

export class CdkStackoverflowStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const statement = new PolicyStatement({
      effect: Effect.ALLOW,
      actions: ['execute-api:Invoke'],
      resources: [
        //SOME RESOURCE
      ],
    });
    const role_name = 'my_role_for_ec2_testing';
    // fromRoleName returns the IRole interface
    const role = Role.fromRoleName(this, 'Role', role_name);

    // Compile error: addToPolicy is not declared on IRole
    role.addToPolicy(statement);
  }
}

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.44.0

Framework Version

No response

Node.js Version

16.17.0

OS

macos

Language

Typescript

Language Version

No response

Other information

No response

@jatinmehrotra jatinmehrotra added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Feb 16, 2023
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Feb 16, 2023
@pahud
Contributor

pahud commented Feb 16, 2023

This is related to #8307 but not duplicated. I am leaving it open as p2 and all upvotes on this issue would help us prioritize. Thank you.

@pahud pahud added p2 and removed needs-triage This issue or PR still needs to be triaged. labels Feb 16, 2023
@peterwoodworth
Contributor

Generally, reports like this aren't bugs because imported resources are known to have limited functionalities, and we also don't claim to support this method on imported roles in our documentation.

From the developer guide:

Although you can use an external resource anywhere you'd use a similar resource defined in your AWS CDK app, you cannot modify it. For example, calling addToResourcePolicy (Python: add_to_resource_policy) on an external s3.Bucket does nothing.

However, I looked a little bit into this and it looks like the ImportedRole that we return actually does have this method: this is its implementation

public addToPolicy(statement: PolicyStatement): boolean {
  return this.addToPrincipalPolicy(statement).statementAdded;
}

public addToPrincipalPolicy(statement: PolicyStatement): AddToPrincipalPolicyResult {
  if (!this.defaultPolicy) {
    const useUniqueName = FeatureFlags.of(this).isEnabled(IAM_IMPORTED_ROLE_STACK_SAFE_DEFAULT_POLICY_NAME);
    const defaultDefaultPolicyName = useUniqueName
      ? `Policy${Names.uniqueId(this)}`
      : 'Policy';
    const policyName = this.defaultPolicyName ?? defaultDefaultPolicyName;
    this.defaultPolicy = new Policy(this, policyName, useUniqueName ? { policyName } : undefined);
    this.attachInlinePolicy(this.defaultPolicy);
  }
  this.defaultPolicy.addStatements(statement);
  return { statementAdded: true, policyDependable: this.defaultPolicy };
}

As you can see, it's just calling addToPrincipalPolicy(). The implementation on the Role construct is different - at the moment I'm unsure if the functionality of the addToPolicy method is possible on the imported resource.

@jatinmehrotra
Author

jatinmehrotra commented Feb 17, 2023

@peterwoodworth @pahud I have a different interpretation of this: it is not supported because fromRoleName returns an IRole interface. This interface does not have an addToPolicy method.

That is why we cannot access this method.
Is my understanding correct?
