(@aws-cdk/aws-s3): Use pre-defined role for autoDeleteObjects #17198

Closed
1 of 2 tasks
TheJoshuaEvans opened this issue Oct 27, 2021 · 7 comments
Assignees
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged.

Comments

@TheJoshuaEvans

TheJoshuaEvans commented Oct 27, 2021

Description

When creating an S3 bucket with autoDeleteObjects set to true, CDK will generate a bespoke Lambda function that handles deletion of any S3 Objects. Can the properties of this bespoke function be modified? Specifically, can a pre-defined IAM Role be provided to the S3 constructor for use in the auto delete Lambda?

Use Case

I work for a vendor working with a larger company. We are working in their AWS account, but for security reasons we are not allowed to create or modify IAM roles (I am aware that permission boundaries exist to handle this specific problem... we are working on it). We can just disable this feature to get by, but I would prefer if we didn't have to.

Proposed Solution

For backwards compatibility, an additional construct prop could be added, something like autoDeleteObjectsRoleArn, that takes the ARN of the desired role:

const bucket = new Bucket(this, 'Bucket', {
  removalPolicy: RemovalPolicy.DESTROY,
  autoDeleteObjects: true,
  autoDeleteObjectsRoleArn: `arn:aws:iam::${accountId}:role/${resourceId}`
});

Other information

To be even more specific, the following IAM actions are banned:

iam:CreateRole
iam:AttachRolePolicy
iam:PassRole
iam:DetachRolePolicy
iam:DeleteRole

Acknowledge

  • I may be able to implement this feature request
  • This feature might incur a breaking change
@TheJoshuaEvans TheJoshuaEvans added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Oct 27, 2021
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Oct 27, 2021
@rix0rrr
Contributor

rix0rrr commented Nov 2, 2021

I don't think we're going to add this property.

In the short term, you could do one of:

  • Use escape hatches and/or Aspects to mutate the CfnFunction in place.
  • Disable the feature, and make your own Custom Resource that picks up the difference -- you could get started by copy/pasting our code and making the modifications you need.

In the long term, this would be covered by something like: aws/aws-cdk-rfcs#25

Does that give you enough to go on?

@rix0rrr rix0rrr added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Nov 2, 2021
@TheJoshuaEvans
Author

Yeah, I think we found a workaround. I was kinda hoping that this functionality was already in place and easy to use, and I was just missing it somehow :)

Thanks!

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Nov 3, 2021
@rix0rrr rix0rrr closed this as completed Nov 15, 2021
@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@macdrorepo

macdrorepo commented Feb 2, 2023

@TheJoshuaEvans can you please share the workaround you have implemented? I'm trying to reach the lambda role which is generated for this auto deletion and can't figure it out (all advanced concepts are "in learning progress" so I do not quite follow what rix0rrr said above).

@TheJoshuaEvans
Author

I believe our work around was... To not use the auto-delete functionality :(

@macdrorepo

Ok, too bad ;(.
@rix0rrr can AWS make some adjustments in the documentation on advanced modification of resources in the tree, where you must navigate to the custom resource and use those escape hatches and Aspects?

@macdrorepo

macdrorepo commented Feb 3, 2023

@TheJoshuaEvans fyi:

    import typing
    import aws_cdk as cdk

    # bucket, new_lambda_name, new_role_name and boundary_policy_arn are defined by the caller.
    # The auto-delete provider is a singleton child of the stack, not of the bucket itself.
    provider = cdk.Stack.of(bucket).node.try_find_child("Custom::S3AutoDeleteObjectsCustomResourceProvider")
    # Its "Handler" (the Lambda) and "Role" children are raw CfnResources, so property overrides apply directly.
    lmb = typing.cast(cdk.CfnResource, provider.node.try_find_child("Handler"))
    lmb.add_property_override("FunctionName", new_lambda_name)
    role = typing.cast(cdk.CfnResource, provider.node.try_find_child("Role"))
    role.add_property_override("RoleName", new_role_name)
    role.add_property_override("PermissionsBoundary", boundary_policy_arn)

Here `bucket` is the CDK object pointing to the bucket with the auto-delete option on, and this is Python.

It is sad that those kinds of examples are not in the AWS docs.
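As an added example (not from this thread or the CDK project), a plain-Python check that can be run against a synthesized cdk.out template in CI to catch the situation the thread describes: it lists every AWS::IAM::Role the stack would create, including the one the autoDeleteObjects provider adds behind the scenes, and reports any whose PermissionsBoundary does not match the required one. The template, logical IDs and boundary ARN are constructed placeholders; the check applies to any role in the template, not only the auto-delete provider's.

```python
import json
from typing import Dict, List

# Constructed sample standing in for a synthesized cdk.out template. Logical IDs
# are made up; "AutoDeleteProviderRole" plays the Role the thread navigates to and
# deliberately lacks a PermissionsBoundary, while the app's own role carries one.
BOUNDARY_ARN = "arn:aws:iam::111111111111:policy/PLACEHOLDER-boundary"  # placeholder ARN

SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "Bucket": {"Type": "AWS::S3::Bucket", "DeletionPolicy": "Delete"},
        "AutoDeleteProviderRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {"AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": []}},
        },
        "AutoDeleteProviderHandler": {
            "Type": "AWS::Lambda::Function",
            "Properties": {"Role": {"Fn::GetAtt": ["AutoDeleteProviderRole", "Arn"]}},
        },
        "AppFunctionRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": []},
                "PermissionsBoundary": BOUNDARY_ARN,
            },
        },
    }
})


def iam_roles(template_json: str) -> Dict[str, object]:
    """Map each AWS::IAM::Role logical ID to its PermissionsBoundary (None if absent).

    Shows every role the stack would create, including ones the app never declared,
    such as the one the autoDeleteObjects provider synthesizes behind the scenes.
    """
    template = json.loads(template_json)
    return {
        logical_id: res.get("Properties", {}).get("PermissionsBoundary")
        for logical_id, res in template.get("Resources", {}).items()
        if res.get("Type") == "AWS::IAM::Role"
    }


def roles_missing_boundary(template_json: str, boundary_arn: str) -> List[str]:
    """Logical IDs of roles whose PermissionsBoundary is not exactly boundary_arn.

    An unresolved intrinsic (a dict such as Fn::Sub) never equals the string, so it
    is reported too; this errs toward flagging rather than silently passing.
    """
    return sorted(lid for lid, b in iam_roles(template_json).items() if b != boundary_arn)
```

Point it at the real template in cdk.out and fail the pipeline when the returned list is non-empty, so a hidden role without the boundary never reaches the account that bans iam:CreateRole.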
