(iam): Warn/error when changes to imported principals are dropped #12188
Comments
Did you try passing
aws-cdk/packages/@aws-cdk/aws-iam/lib/role.ts Lines 226 to 228 in ab5a383
Is this technically not possible? Or is there any other reason why this doesn't make sense? We should explain it in the warning.
I'd say it should not warn, but throw.
Depending on the situation, it is technically not possible. CloudFormation only allows us to attach managed policies upon role creation or upon managed policy creation (there is no We don't have provisions for the second case at all at the moment.
Why couldn't the CDK code still allow addManagedPolicy() to work properly when it's imported? I understand that CloudFormation has this limitation, but that shouldn't stop CDK from allowing you to generate the right CloudFormation for certain cases. For example, if you're deploying a CDK application that consists of 2 stacks, why couldn't this addManagedPolicy() method mutate the Role in stackA if being imported to stackB? CDK in this case has full control over all the objects and should be able to do this before synth. In the case of importing a role from an external role then it should throw an error and say this isn't supported ....
This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled. |
I'm wondering about the answer to @brentryan's question as well, but if it's not feasible then a warning should be added at least, right?
You cannot generate cloudformation for a resource that is not managed by the same cloudformation stack
This should already work because you're not interacting with an I agree with this issue that a warning should throw when adding the policy is a no-op; this frequently confuses customers in other issues as well.
When I import an IRole with Role.fromRoleArn, if I try to add a managed policy with addManagedPolicy, nothing happens. However, addToPrincipalPolicy with the desired policy statements does work. Is this the expected behavior?
Reproduction Steps
Environment
This is 🐛 Bug Report