AWS CDK - Stop Generating Policies

Tags:

aws-cdk

The following CDK code

    // CDK v1 imports this fragment relies on; the statements below run inside a Stack constructor
    import * as cdk from '@aws-cdk/core';
    import * as sqs from '@aws-cdk/aws-sqs';
    import * as iam from '@aws-cdk/aws-iam';
    import * as lambda from '@aws-cdk/aws-lambda';
    import { SqsEventSource } from '@aws-cdk/aws-lambda-event-sources';

    const queue = new sqs.Queue(this, 'my-sqs-queue', {
      visibilityTimeout: cdk.Duration.seconds(300)
    });

    // Import an existing role by ARN instead of letting CDK create one
    const role = iam.Role.fromRoleArn(this, "myrole", "arn:aws:iam::1234:role/myrole");

    const evtHandler = new lambda.Function(this, 'MyLambda', {
      code: lambda.Code.fromInline(`
        exports.handler = async function(event, context) {
          console.log("EVENT: \n" + JSON.stringify(event, null, 2));
          return context.logStreamName;
        }`),
      handler: 'index.handler',
      runtime: lambda.Runtime.NODEJS_8_10,
      role
    });

    // Poll the queue and invoke the function with batches of up to 10 messages
    evtHandler.addEventSource(new SqsEventSource(queue, {
      batchSize: 10 // default
    }));

will set up a lambda that polls SQS. Awesome! However, it also generates this CF

    myrolePolicy99283C52:
      Type: AWS::IAM::Policy
      Properties:
        PolicyDocument:
          Statement:
            - Action:
                - sqs:ReceiveMessage
                - sqs:ChangeMessageVisibility
                - sqs:GetQueueUrl
                - sqs:DeleteMessage
                - sqs:GetQueueAttributes
              Effect: Allow
              Resource:
                Fn::GetAtt:
                  - sqseventloaderusw2tstF27FC9C7
                  - Arn
          Version: "2012-10-17"
        PolicyName: snssqslambdaPolicy16AEE704
        Roles:
          - myrole

The problem is, myrole already has a policy that will allow those things. It also means the thing executing this script needs to have permissions to create/update Policies/Roles :(

Security in my org will not be super happy with allowing that kind of thing. Is there a way to stop it from generating policies and attaching them to roles?

Tim asked Oct 08 '19 18:10


2 Answers

For anyone coming across this later, setting the option mutable to false solved this for me.

So, in OP's example, the role would change to:

    const role = iam.Role.fromRoleArn(this, "myrole", "arn:aws:iam::1234:role/myrole", { mutable: false })

For reference: https://github.com/aws/aws-cdk/issues/4422

user1231257 answered Sep 25 '22 03:09
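One way to verify the fix in CI, as an added example that is not code from the question, the answers or the CDK project: scan the synthesized template in cdk.out for IAM resources and fail the pipeline if any appear, since each one means the deployer needs IAM write permissions. The two template objects below are constructed from the question's fragment (logical IDs and names are the ones it shows); the function and type names are my own.

```typescript
// Added example, not code from the question or answers: a CI guardrail that scans a
// synthesized template (cdk.out/<stack>.template.json) for IAM resources CDK generated,
// i.e. resources whose deploy needs iam:PutRolePolicy / iam:CreateRole permissions.
interface CfnResource { Type: string; Properties?: { [key: string]: unknown } }
interface CfnTemplate { Resources?: { [logicalId: string]: CfnResource } }
export interface IamFinding { logicalId: string; type: string; roles: string[] }

// Resource types whose creation requires IAM write permissions from the deployer.
const IAM_WRITE_TYPES = ["AWS::IAM::Policy", "AWS::IAM::Role", "AWS::IAM::ManagedPolicy"];

export function findIamMutations(template: CfnTemplate): IamFinding[] {
  const findings: IamFinding[] = [];
  const resources = template.Resources || {};
  for (const logicalId of Object.keys(resources)) {
    const res = resources[logicalId];
    if (IAM_WRITE_TYPES.indexOf(res.Type) === -1) continue;
    // Roles may be plain names or intrinsic functions ({ Ref: ... }); stringify the latter.
    const rawRoles = res.Properties ? res.Properties["Roles"] : undefined;
    const roles: string[] = Array.isArray(rawRoles)
      ? rawRoles.map((r) => (typeof r === "string" ? r : JSON.stringify(r)))
      : [];
    findings.push({ logicalId: logicalId, type: res.Type, roles: roles });
  }
  return findings;
}

// Constructed sample: the question's resources as synthesized when the imported role is
// mutable (the default). Logical IDs and names are the ones shown in the question.
export const mutableRoleTemplate: CfnTemplate = {
  Resources: {
    sqseventloaderusw2tstF27FC9C7: { Type: "AWS::SQS::Queue", Properties: { VisibilityTimeout: 300 } },
    myrolePolicy99283C52: {
      Type: "AWS::IAM::Policy",
      Properties: {
        PolicyDocument: { Statement: [{ Action: ["sqs:ReceiveMessage"], Effect: "Allow" }], Version: "2012-10-17" },
        PolicyName: "snssqslambdaPolicy16AEE704",
        Roles: ["myrole"],
      },
    },
  },
};

// Constructed sample: the same stack after importing the role with { mutable: false };
// CDK emits no AWS::IAM::Policy, so the check returns no findings.
export const immutableRoleTemplate: CfnTemplate = {
  Resources: { sqseventloaderusw2tstF27FC9C7: { Type: "AWS::SQS::Queue", Properties: { VisibilityTimeout: 300 } } },
};
```

In a pipeline, read the real template with `JSON.parse` from cdk.out and exit non-zero when `findIamMutations` returns anything, so a regression back to a mutable role is caught before `cdk deploy` runs.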


When I do my development, I usually have the docs set up in another window in my workspace. You just need to set the property autoCreatePolicy to false.

Per the docs: https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-sqs.Queue.html#autocreatepolicy

Digicoder answered Sep 23 '22 03:09