managedPolicyArns on User isn't respected #2557

Closed
Labels: bug (This issue is a bug.)

@FantasticFiasco

Let me start by apologizing if this isn't at all a bug, but instead the expected behavior. You can respond to me with an RTFM if that is the case :)

Describe the bug
I thought that specifying a managed policy ARN when creating a User would result in the same CloudFormation as when using the method User.attachManagedPolicy.

To Reproduce
Let's start with what works.

```ts
const user = new User(this, 'SomeUser', {
  userName: 'some-user',
});

user.attachManagedPolicy('arn:aws:iam::aws:policy/AmazonAPIGatewayInvokeFullAccess');
```

This will synthesize into:

```yaml
Resources:
  SomeUser64A25E2C:
    Type: AWS::IAM::User
    Properties:
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonAPIGatewayInvokeFullAccess
      UserName: some-user
    Metadata:
      aws:cdk:path: BootstrapStack/SomeUser/Resource
  CDKMetadata:
    Type: AWS::CDK::Metadata
    Properties:
      Modules: aws-cdk=0.31.0,@aws-cdk/assets=0.31.0,@aws-cdk/aws-apigateway=0.31.0,@aws-cdk/aws-cloudwatch=0.31.0,@aws-cdk/aws-ec2=0.31.0,@aws-cdk/aws-events=0.31.0,@aws-cdk/aws-iam=0.31.0,@aws-cdk/aws-kms=0.31.0,@aws-cdk/aws-lambda=0.31.0,@aws-cdk/aws-s3=0.31.0,@aws-cdk/aws-s3-notifications=0.31.0,@aws-cdk/aws-sqs=0.31.0,@aws-cdk/cdk=0.31.0,@aws-cdk/cx-api=0.31.0,@aws-cdk/region-info=0.31.0,jsii-runtime=node.js/v10.15.3
```

The managed policy is attached as expected. Now let's continue with what doesn't work.

```ts
new User(this, 'SomeUser', {
  managedPolicyArns: [
    'arn:aws:iam::aws:policy/AmazonAPIGatewayInvokeFullAccess',
  ],
  userName: 'some-user',
});
```

This will synthesize into:

```yaml
Resources:
  SomeUser64A25E2C:
    Type: AWS::IAM::User
    Properties:
      UserName: some-user
    Metadata:
      aws:cdk:path: BootstrapStack/SomeUser/Resource
  CDKMetadata:
    Type: AWS::CDK::Metadata
    Properties:
      Modules: aws-cdk=0.31.0,@aws-cdk/assets=0.31.0,@aws-cdk/aws-apigateway=0.31.0,@aws-cdk/aws-cloudwatch=0.31.0,@aws-cdk/aws-ec2=0.31.0,@aws-cdk/aws-events=0.31.0,@aws-cdk/aws-iam=0.31.0,@aws-cdk/aws-kms=0.31.0,@aws-cdk/aws-lambda=0.31.0,@aws-cdk/aws-s3=0.31.0,@aws-cdk/aws-s3-notifications=0.31.0,@aws-cdk/aws-sqs=0.31.0,@aws-cdk/cdk=0.31.0,@aws-cdk/cx-api=0.31.0,@aws-cdk/region-info=0.31.0,jsii-runtime=node.js/v10.15.3
```

This time there is no attached managed policy, as I'd expect there would be. The managed policy isn't part of the CloudFormation at all.

Expected behavior

Managed policies are not a part of the synthesized CloudFormation if the managed policy is specified when creating the User.

Version:

  • OS: Debian GNU/Linux 9.9 (stretch)
  • Programming Language: TypeScript
  • CDK Version: 0.31.0 (build 7a70c08)
FantasticFiasco added the bug label May 16, 2019
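
A regression check for the behavior reported above, as an added example that is not part of the original issue or the CDK code base: it scans a synthesized template for `AWS::IAM::User` resources and lists the expected managed policy ARNs that are absent. The function and constant names are hypothetical, and the two sample templates are retyped from the report with `Metadata` and `CDKMetadata` omitted.

```typescript
// Added example, not CDK code; function and constant names are hypothetical.
interface CfnResource { Type: string; Properties?: { [key: string]: unknown } }
interface CfnTemplate { Resources: { [logicalId: string]: CfnResource } }
interface MissingPolicy { userName: string; arn: string }

// `expected` maps an IAM user name to the managed policy ARNs it must carry.
// Only literal ARNs are compared; Fn::Join/Ref entries are ignored.
function findMissingManagedPolicies(
  template: CfnTemplate,
  expected: { [userName: string]: string[] },
): MissingPolicy[] {
  const attached: { [userName: string]: string[] } = {};
  for (const logicalId of Object.keys(template.Resources)) {
    const resource = template.Resources[logicalId];
    if (!resource || resource.Type !== 'AWS::IAM::User') continue;
    const props = resource.Properties ?? {};
    const rawName = props['UserName'];
    const rawArns = props['ManagedPolicyArns'];
    // Fall back to the logical ID when the template sets no UserName.
    const name = typeof rawName === 'string' ? rawName : logicalId;
    const arns: unknown[] = Array.isArray(rawArns) ? rawArns : [];
    attached[name] = arns.filter((a): a is string => typeof a === 'string');
  }
  const missing: MissingPolicy[] = [];
  for (const userName of Object.keys(expected)) {
    const have = attached[userName] ?? []; // user not in template: all missing
    for (const arn of expected[userName] ?? []) {
      if (have.indexOf(arn) === -1) missing.push({ userName, arn });
    }
  }
  return missing;
}

const POLICY = 'arn:aws:iam::aws:policy/AmazonAPIGatewayInvokeFullAccess';
// Constructed from the report's first template (attachManagedPolicy).
const viaAttachManagedPolicy: CfnTemplate = {
  Resources: {
    SomeUser64A25E2C: {
      Type: 'AWS::IAM::User',
      Properties: { ManagedPolicyArns: [POLICY], UserName: 'some-user' },
    },
  },
};
// Constructed from the report's second template (managedPolicyArns prop).
const viaManagedPolicyArnsProp: CfnTemplate = {
  Resources: {
    SomeUser64A25E2C: { Type: 'AWS::IAM::User', Properties: { UserName: 'some-user' } },
  },
};
```

Fed the parsed synthesized template in CI, a non-empty result flags a user whose intended policies never reached CloudFormation.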
@mescam

mescam commented May 23, 2019

+1 from me as I have encountered this bug today, thanks for the information that attachManagedPolicy works.

@RomainMuller
Contributor

Yeah - quite clearly a bug there... That should "just work". Thanks for reporting!

rix0rrr added a commit that referenced this issue Jul 5, 2019
Fix adding managed policies to a User upon creation.

Fixes #2557.

BREAKING CHANGE: `aws-iam.User`: `managedPolicyArns` =>
`managedPolicies`.
rix0rrr added a commit that referenced this issue Jul 5, 2019
Fix adding managed policies to a User upon creation. Rename the
property for `Group`s.

Fixes #2557.

BREAKING CHANGE: `aws-iam.User` and `Group`: `managedPolicyArns` =>
`managedPolicies`.
eladb pushed a commit that referenced this issue Jul 6, 2019
Fix adding managed policies to a User upon creation. Rename the
property for `Group`s.

Fixes #2557.

BREAKING CHANGE: `aws-iam.User` and `Group`: `managedPolicyArns` =>
`managedPolicies`.