How to add a managed policy to a runner's role

[pkaeding]

I have found how to add inline policy statements to a runner's role, eg:

provider.GrantPrincipal().AddToPrincipalPolicy(awsiam.NewPolicyStatement(&awsiam.PolicyStatementProps{
		Actions:   jsii.Strings("ssm:GetParameter"),
		Resources: jsii.Strings(fmt.Sprintf("arn:aws:ssm:%s:%s:parameter/...",...)),
	}))

But, I want to add an AWS managed policy now. How can I do this?

I can get a reference to the policy, like this:

policy := awsiam.ManagedPolicy_FromAwsManagedPolicyName(jsii.String("ReadOnlyAccess"))

I'm just not sure how to connect it to the role that the runner uses. I think if I could get a reference to the awsiam.Role, then I could call role.AddManagedPolicy(policy).

Thanks!

[kichik]

The grant principal should be a role in all cases I could think of. So you might be able to just cast it to a role and use addManagedPolicy. If not, I'd try role, ok := provider.Node().FindChild(jsii.String("Role")).(awsiam.Role). I never tried casting in CDK Go, so I'm not 100% sure that syntax is correct.

I recommend you consider aws-actions/configure-aws-credentials instead for more fine-grained control of which repos and branches can assume the role.