
AWS IAM: Unable to add AWSBackupServiceRolePolicyForBackup #30363

Closed
Roedy13 opened this issue May 28, 2024 · 5 comments
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management bug This issue is a bug. guidance Question that needs advice or information.

Comments


Roedy13 commented May 28, 2024

Describe the bug

I'm trying to create a backup role with the policies "AWSBackupServiceRolePolicyForBackup" and "AWSBackupServiceRolePolicyForS3Backup"

  backup_role = aws_iam.Role(
      scope=self,
      id="backup_role",
      role_name=BACKUP_ROLE_NAME,
      assumed_by=aws_iam.ServicePrincipal("backup.amazonaws.com"),
      managed_policies=[
          aws_iam.ManagedPolicy.from_aws_managed_policy_name(
              "AWSBackupServiceRolePolicyForBackup"
          ),
          aws_iam.ManagedPolicy.from_aws_managed_policy_name(
              "AWSBackupServiceRolePolicyForS3Backup"
          ),
      ],
  )

Expected Behavior

I expect a role to be created with the attached permissions

Current Behavior

When I run this code, I get a CDK error:

  Resource handler returned message: "Policy arn:aws:iam::aws:policy/AWSBackupServiceRolePolicyForBackup does not exist or is not attachable. (Service: Iam, Status Code: 404, Request ID: a76f50aa-3a8e-45d1-824f-6ab1e3212290)" (RequestToken: 0bf40c12-6daf-14eb-4005-29c3c8ddedbd, HandlerErrorCode: NotFound)

Notice that the ARN listed for this role is NOT the same as the arn from the IAM webconsole, which is

arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup

Reproduction Steps

Try to deploy the code above

Possible Solution

I'm assuming that the ARN isn't being generated correctly from "aws_iam.ManagedPolicy.from_aws_managed_policy_name"

When I change the above code to

  # Create a role for Backup
  backup_role = aws_iam.Role(
      scope=self,
      id="backup_role",
      role_name=BACKUP_ROLE_NAME,
      assumed_by=aws_iam.ServicePrincipal("backup.amazonaws.com"),
      managed_policies=[
          aws_iam.ManagedPolicy.from_managed_policy_arn(
              scope=self,
              id="service_backup_policy",
              managed_policy_arn="arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup",
          ),
          aws_iam.ManagedPolicy.from_aws_managed_policy_name(
              "AWSBackupServiceRolePolicyForS3Backup"
          ),
      ],
  )

It works as expected

Additional Information/Context

No response

CDK CLI Version

2.142.1 (build ed4e152)

Framework Version

aws-cdk@2.142.1

Node.js Version

v18.18.2

OS

Debian 12

Language

Python

Language Version

3.12.1

Other information

No response

@Roedy13 Roedy13 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels May 28, 2024
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label May 28, 2024
@khushail khushail added needs-reproduction This issue needs reproduction. and removed needs-triage This issue or PR still needs to be triaged. labels May 28, 2024
@khushail khushail self-assigned this May 28, 2024
@khushail khushail added investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-reproduction This issue needs reproduction. labels May 30, 2024

khushail commented Jun 1, 2024

Hi @Roedy13 , thanks for reaching out.

I see that the 2 roles mentioned generate different ARNs -

The issue happens when the first policy ARN is not generated correctly. In the CDK docs, I found that for policies whose ARN is preceded by service-role or job-function, one has to specify that explicitly while passing the policy name, something like this:

* Some managed policy names start with "service-role/", some start with

So changing the code -

      managedPolicies: [
        aws_iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSBackupServiceRolePolicyForBackup'),
      ],

which deploys successfully. Please let me know if this works for you.
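As an added example (not CDK's code and not the reporter's), a small pre-flight resolver that mirrors how from_aws_managed_policy_name turns a name into an ARN and checks, through an injected lookup (a constructed stand-in here; a boto3 iam.get_policy wrapper in practice), which path-qualified name actually exists, so the mismatch surfaces before deploy instead of as a 404 from CloudFormation. The fixed "aws" partition and the list of candidate paths are assumptions.

```python
"""Pre-flight resolver for AWS managed policy names handed to CDK's
ManagedPolicy.from_aws_managed_policy_name (added example, not CDK code)."""
from typing import Callable, Dict, Iterable

# CDK appends the given name verbatim to this prefix (assumption: partition
# fixed to "aws", as in the issue's error message), so a "service-role/" or
# "job-function/" path has to be part of the name you pass in.
AWS_MANAGED_POLICY_ARN_PREFIX = "arn:aws:iam::aws:policy/"
MANAGED_POLICY_PATHS = ("service-role/", "job-function/")

def aws_managed_policy_arn(name: str) -> str:
    """Return the ARN from_aws_managed_policy_name derives for `name`."""
    return AWS_MANAGED_POLICY_ARN_PREFIX + name.lstrip("/")

def resolve_policy_name(name: str, policy_exists: Callable[[str], bool]) -> str:
    """Return the name (path included) whose ARN actually exists in IAM.
    `policy_exists` is injected so this runs offline; in real use wrap
    boto3's iam.get_policy(PolicyArn=arn) and return False on NoSuchEntity."""
    if "/" in name:  # caller already supplied a path: check it as-is
        candidates = [name]
    else:  # bare name: try the root path first, then the known sub-paths
        candidates = [name] + [path + name for path in MANAGED_POLICY_PATHS]
    for candidate in candidates:
        if policy_exists(aws_managed_policy_arn(candidate)):
            return candidate
    raise ValueError(f"no attachable AWS managed policy found for {name!r}")

def resolve_all(names: Iterable[str], policy_exists: Callable[[str], bool]) -> Dict[str, str]:
    """Map each requested name to the value to pass to from_aws_managed_policy_name."""
    return {name: resolve_policy_name(name, policy_exists) for name in names}

# Constructed stand-in for the IAM lookup, seeded with the two ARNs that the
# issue shows deploying successfully.
KNOWN_AWS_MANAGED_POLICY_ARNS = {
    "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup",
    "arn:aws:iam::aws:policy/AWSBackupServiceRolePolicyForS3Backup",
}

def fake_policy_exists(arn: str) -> bool:
    return arn in KNOWN_AWS_MANAGED_POLICY_ARNS

if __name__ == "__main__":
    wanted = ["AWSBackupServiceRolePolicyForBackup", "AWSBackupServiceRolePolicyForS3Backup"]
    for requested, resolved in resolve_all(wanted, fake_policy_exists).items():
        print(f"{requested} -> {resolved}  ({aws_managed_policy_arn(resolved)})")
```

Running the resolver in a pre-synth step (with the real IAM lookup) turns the deploy-time NotFound into a fast local failure with the exact name to pass to the CDK call.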

@khushail khushail added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Jun 1, 2024

github-actions bot commented Jun 3, 2024

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added the closing-soon This issue will automatically close in 4 days unless further comments are made. label Jun 3, 2024

Roedy13 commented Jun 3, 2024

That seems to work. Thanks!

@khushail khushail removed closing-soon This issue will automatically close in 4 days unless further comments are made. response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. labels Jun 3, 2024
@khushail khushail closed this as completed Jun 3, 2024
@khushail khushail removed their assignment Jun 3, 2024
@khushail khushail added the guidance Question that needs advice or information. label Jun 3, 2024

github-actions bot commented Jun 3, 2024

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

aws-cdk-automation commented

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.

@aws aws locked as resolved and limited conversation to collaborators Jul 25, 2024