Closed: williwlwilliwll closed this 2 weeks ago
@williwlwilliwll Good morning. Thanks for opening the issue.
AWS::IAM::Policy specifies that it "Adds or updates an inline policy document that is embedded in the specified IAM group, user or role." So it's an inline policy document that must be embedded in one of a group, user or role. Hence the error.
CfnPolicy is an L1 construct that is generated from the CloudFormation resource specification (refer to AWS::IAM::Policy and CloudFormationResourceSpecification.json). The CloudFormation resource specification marks Groups, Roles and Users as optional. None of these properties is required on its own; however, to embed the inline policy, at least one of them is required.
You may try using the CfnManagedPolicy L1 construct, which represents the AWS::IAM::ManagedPolicy resource, in case you want to create a standalone policy.
```typescript
import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as iam from 'aws-cdk-lib/aws-iam';

export class CdkinittestStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // AWS::IAM::ManagedPolicy is a standalone resource, so it needs no
    // groups/roles/users, unlike the inline AWS::IAM::Policy.
    new iam.CfnManagedPolicy(this, 'iam-EcrReadOnly', {
      policyDocument: {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "ecr:BatchCheckLayerAvailability",
              "ecr:BatchGetImage",
              "ecr:GetDownloadUrlForLayer",
              "ecr:GetAuthorizationToken"
            ],
            "Resource": "*"
          }
        ]
      },
      managedPolicyName: 'iam-EcrReadOnly'
    });
  }
}
```
Thanks, Ashish
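The constraint explained in the reply above can be caught at synth time rather than at deploy time. The following is an added example, not code from this issue or from aws-cdk-lib: a plain TypeScript check over a props object shaped like CfnPolicyProps (the interface names and the role name `EcrPullRole` are assumptions), using the ECR read-only document from the issue as constructed input.

```typescript
// Added example, not code from the issue or from aws-cdk-lib: a synth-time
// check for the AWS::IAM::Policy rule that Groups, Roles and Users are each
// optional but an inline policy must be embedded in at least one of them.

interface PolicyStatement {
  Effect: 'Allow' | 'Deny';
  Action: string | string[];
  Resource: string | string[];
}

interface PolicyDocument {
  Version: string;
  Statement: PolicyStatement[];
}

// Mirrors the shape of CfnPolicyProps (assumed here; not imported from the CDK).
interface InlinePolicyProps {
  policyName: string;
  policyDocument: PolicyDocument;
  groups?: string[];
  roles?: string[];
  users?: string[];
}

// Returns the problems CloudFormation would reject the resource for at deploy
// time; an empty list means the props are deployable.
function validateInlinePolicyProps(props: InlinePolicyProps): string[] {
  const problems: string[] = [];
  const principals: string[] = ([] as string[]).concat(
    props.groups ?? [], props.roles ?? [], props.users ?? []);
  if (principals.length === 0) {
    problems.push(`${props.policyName}: inline policy must name at least one ` +
      'group, role or user (use CfnManagedPolicy for a standalone policy)');
  }
  return problems;
}

// Constructed sample: the ECR read-only document from the issue, first with no
// principal (reproduces the deploy-time error) and then embedded in a role.
const ecrReadOnly: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Action: ['ecr:BatchCheckLayerAvailability', 'ecr:BatchGetImage',
             'ecr:GetDownloadUrlForLayer', 'ecr:GetAuthorizationToken'],
    Resource: '*',
  }],
};
const standalone: InlinePolicyProps = { policyName: 'iam-EcrReadOnly', policyDocument: ecrReadOnly };
const embedded: InlinePolicyProps = { ...standalone, roles: ['EcrPullRole'] }; // role name assumed
```

Wrapping this check in a CDK Aspect that visits every CfnPolicy would fail `cdk synth` instead of the later CloudFormation deployment.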
Hi @ashishdhingra,
Thank you for taking the time to explain that :). I didn't read the docs well enough, I'm sorry to have wasted your time!
Best,
Will
Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.
Describe the bug
CfnPolicyProps defines the roles, users, and groups properties as optional; however, you run into an error during deployment if you do not assign a value to one of them.
Regression Issue
Last Known Working CDK Version
No response
Expected Behavior
You should be able to create a CfnPolicy construct without assigning a value to its users, roles and groups properties. As per the CfnPolicyProps in the source code:
Current Behavior
When you create a CfnPolicy without assigning a value to the users, groups and roles properties, then during deployment the following error is thrown:
Reproduction Steps
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
2.158.0
Framework Version
2.158.0
Node.js Version
22.8.0
OS
MacOS Sonoma 14.6.1
Language
TypeScript
Language Version
No response
Other information
No response