
Cannot create IManagedPolicy from a customer managed policy #2974

Closed
1 task done
elexisvenator opened this issue Jun 20, 2019 · 5 comments · Fixed by #3578 or #3584
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management feature-request A feature should be added or improved.

Comments

@elexisvenator
Copy link

  • I'm submitting a ...

    • 🚀 feature request
  • What is the current behavior?

Role.addManagedPolicy(policy: IManagedPolicy) is the method to add managed policies to a role. However the only method to create IManagedPolicy is ManagedPolicy.fromAwsManagedPolicyName(), which only supports the AWS managed policies. There is no way to add a customer-managed policy to a role, either by its arn or by a ref to a CfnManagedPolicy.

This is a regression from 0.34.0 behaviour. In 0.34.0 you could do the following:

    // 0.34.0 API: the ARN of a CfnManagedPolicy defined in the same app could be attached directly
    declare const myRole: Role;
    declare const myPolicy: CfnManagedPolicy;
    myRole.attachManagedPolicy(myPolicy.managedPolicyArn);
  • What is the expected behavior (or behavior of feature suggested)?

One or more of the following methods should be added to ManagedPolicy to support more managed policy types:

ManagedPolicy.fromManagedPolicyRef(ref: IResolvable)
ManagedPolicy.fromManagedPolicyArn(arn: string)
  • What is the motivation / use case for changing the behavior or adding this feature?

To support customer Managed policies.

  • Please tell us about your environment:

    • CDK CLI Version: 0.35.0
    • OS: Windows 10
    • Language: TypeScript
@NGL321 NGL321 added needs-triage This issue or PR still needs to be triaged. response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. labels Jun 20, 2019
@NGL321
Copy link
Contributor

NGL321 commented Jun 21, 2019

From the latest changelog entry:

iam: managedPolicyArns renamed to managedPolicies, takes return value from ManagedPolicy.fromAwsManagedPolicyName().

Is this what you are looking for?

@NGL321 NGL321 added feature-request A feature should be added or improved. @aws-cdk/aws-iam Related to AWS Identity and Access Management and removed needs-triage This issue or PR still needs to be triaged. labels Jun 21, 2019
@elexisvenator
Copy link
Author

No, that only allows existing AWS managed policies. Previously you could use any managed policy arn, including managed policies (CfnManagedPolicy) you create in your cdk app.

@NetaNir
Copy link
Contributor

NetaNir commented Jun 22, 2019

You can try using addManagedPolicy:

    const role = new iam.Role(this, 'Role', {
      assumedBy: new iam.ServicePrincipal('some.domain'),
    });
    // IManagedPolicy is structural: any object with a managedPolicyArn string satisfies it
    role.addManagedPolicy({
      managedPolicyArn: 'managedPolicyArn',
    });

@NGL321 NGL321 removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jun 24, 2019
@NGL321 NGL321 mentioned this issue Jul 1, 2019
5 tasks
@NGL321 NGL321 added the gap label Jul 1, 2019
@kgregory-chariot
Copy link

kgregory-chariot commented Jul 24, 2019

One of the nice things about fromAwsManagedPolicyName is that it constructs the ARN given just the name. It would be really nice to have a similar method for customer managed policies, rather than this:

      (new iam.User(this, username, {
        userName: username,
      }))
      .addManagedPolicy({
        managedPolicyArn: this.formatArn({
          service: "iam",
          region: "",          // IAM is global: policy ARNs have an empty region component
          resource: "policy",
          resourceName: "BasicUserPolicy",
        }),
      });
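The two workarounds in this thread rely on the fact that `IManagedPolicy` is just an object carrying a `managedPolicyArn` string, and on the shape of IAM policy ARNs (global service, so the region slot is empty, and `aws` in the account slot marks an AWS managed policy). The following is an added, stand-alone example, not CDK's code: it builds such an object from a policy name, and parses a policy ARN so a reviewer can tell an AWS managed policy from a customer managed one before it is attached. The helper names (`fromCustomerManagedPolicyName`, `parsePolicyArn`), the simplified path and name character classes, and the sample ARNs are all assumptions made for this example.

```typescript
// Added example; not part of aws-cdk. Assumes nothing beyond plain TypeScript.

interface ManagedPolicyRef {
  readonly managedPolicyArn: string;   // the only field addManagedPolicy() needs
}

interface ParsedPolicyArn {
  partition: string;
  account: string;      // "aws" for AWS managed policies, 12 digits for customer managed
  path: string;         // "/" or e.g. "/service-role/"
  name: string;
  awsManaged: boolean;
}

// IAM policy ARN: arn:<partition>:iam::<account>:policy<path><name>
// The region slot between "iam:" and the account is always empty for IAM.
// Path and name character classes are simplified for this example.
const POLICY_ARN =
  /^arn:(aws|aws-cn|aws-us-gov):iam::(aws|\d{12}):policy(\/(?:[\w+=,.@-]+\/)*)([\w+=,.@-]+)$/;

function parsePolicyArn(arn: string): ParsedPolicyArn {
  const m = POLICY_ARN.exec(arn);
  if (!m) {
    throw new Error(`not an IAM managed policy ARN: ${arn}`);
  }
  const [, partition, account, path, name] = m;
  return { partition, account, path, name, awsManaged: account === 'aws' };
}

// Equivalent of what ManagedPolicy.fromAwsManagedPolicyName() produces.
function fromAwsManagedPolicyName(name: string, partition = 'aws'): ManagedPolicyRef {
  const arn = `arn:${partition}:iam::aws:policy/${name}`;
  parsePolicyArn(arn);   // reject names that would not form a valid ARN
  return { managedPolicyArn: arn };
}

// The method this issue asks for: build the ARN of a customer managed policy
// from the owning account and the policy name (optionally a path), and
// validate the result before it is handed to addManagedPolicy().
function fromCustomerManagedPolicyName(
  account: string,
  name: string,
  path = '/',
  partition = 'aws',
): ManagedPolicyRef {
  if (!/^\d{12}$/.test(account)) {
    throw new Error(`account must be a 12-digit account id, got: ${account}`);
  }
  if (!path.startsWith('/') || !path.endsWith('/')) {
    throw new Error(`path must start and end with "/", got: ${path}`);
  }
  const arn = `arn:${partition}:iam::${account}:policy${path}${name}`;
  const parsed = parsePolicyArn(arn);   // round-trip: throws on a bad name or path
  if (parsed.awsManaged) {
    throw new Error('customer managed policy cannot live in the "aws" account');
  }
  return { managedPolicyArn: arn };
}

// Constructed sample usage (account id and policy names are made up).
const basicUser = fromCustomerManagedPolicyName('123456789012', 'BasicUserPolicy');
console.log(basicUser.managedPolicyArn, parsePolicyArn(basicUser.managedPolicyArn));
```

Passing the returned object straight to `role.addManagedPolicy(...)` works because the interface is structural; the parser is the part worth keeping around, since it lets a deploy-time check or a unit test assert that a role only receives policies from the expected account.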

@IainCole
Copy link
Contributor

IainCole commented Aug 2, 2019

I took a stab at implementing the creation / reference of customer managed policies here https://github.com/IainCole/aws-cdk/blob/ic_support_customer_managed_policy/packages/%40aws-cdk/aws-iam/lib/managed-policy.ts

It seems to work from my testing, @NGL321 if this makes sense logically I can submit a PR with tests etc.
