How can I translate this CloudFormation to CDK (JavaScript or Java)? I was trying to do it, but this is the first time that I work with CDK and I'm not sure how to do it.
FargateTaskExecutionServiceRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service:
- ecs-tasks.amazonaws.com
Action:
- sts:AssumeRole
Policies:
- PolicyName: AmazonECSTaskExecutionRolePolicy
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- 'ecr:GetAuthorizationToken'
- 'ecr:BatchCheckLayerAvailability'
- 'ecr:GetDownloadUrlForLayer'
- 'ecr:BatchGetImage'
- 'logs:CreateLogStream'
- 'logs:PutLogEvents'
Resource: '*'
Hi Sonal, IAM roles define the set of permissions for making AWS service request whereas IAM policies define the permissions that you will require.
You should refer to API reference document to get a clear picture. There are examples for such use cases.
However, since you have already asked here and my hands has been itchy to provide you with an answer, so here goes the TypeScript implementation of just the IAM part:
import {
ManagedPolicy,
Role,
ServicePrincipal,
PolicyStatement,
Effect
} from '@aws-cdk/aws-iam';
....
....
const ecsFargateServiceRole = new Role(this, 'FargateTaskExecutionServiceRole', {
assumedBy: new ServicePrincipal('ecs-tasks.amazonaws.com')
});
// Add a policy to a Role
ecsFargateServiceRole.addToPolicy(
new PolicyStatement({
effect: Effect.ALLOW,
resources: ['*'],
actions: [
'ecr:GetAuthorizationToken',
'ecr:BatchCheckLayerAvailability',
'ecr:GetDownloadUrlForLayer',
'ecr:BatchGetImage',
'logs:CreateLogStream',
'logs:PutLogEvents'
]
})
);
// Add a managed policy to a role you can use
ecsFargateServiceRole.addManagedPolicy(
ManagedPolicy.fromAwsManagedPolicyName('AmazonECSTaskExecutionRolePolicy')
);
....
....
UPDATE:
When you are adding an AWS managed policy to a role, you can get the managed policy as a reference by its name or by its ARN. The important part is that if an AWS Managed policy is used as above by its name or ARN, then you will not need to use the policy statement explicitly. From my answer above, you can use the managed policy approach rather than using the policy statement.
An easy way to define the role now would be:
const ecsFargateServiceRole = new Role(this, 'FargateTaskExecutionServiceRole', {
assumedBy: new ServicePrincipal('ecs-tasks.amazonaws.com'),
managedPolicies: [
ManagedPolicy.fromAwsManagedPolicyName('AmazonECSTaskExecutionRolePolicy')
]
});
Note that I have excluded the constructor for the Construct for brevity.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With