 

How do I generate an IAM service specific credential using aws cdk?

I'm trying to figure out how to generate Service Specific Credentials for an IAM User with the AWS CDK.

I can see how to achieve this from:

  • Admin Console: IAM > Users > Security credentials:
    • HTTPS Git credentials for AWS CodeCommit, and
    • Credentials for Amazon Managed Apache Cassandra Service (MCS)
  • API: CreateServiceSpecificCredential
  • CLI: create-service-specific-credential

However, I can't see how to achieve this with the AWS CDK (or from CloudFormation, for that matter).

If this is not currently supported from the CDK then what would be the recommended approach?

JeffreyGoines asked Jan 01 '26 02:01


1 Answer

Building on what @JeffreyGoines replied above, a Construct calling CreateServiceSpecificCredential:

import { Construct } from 'constructs';
import {
  AwsCustomResource,
  AwsCustomResourcePolicy,
  PhysicalResourceId,
  PhysicalResourceIdReference,
} from 'aws-cdk-lib/custom-resources';

export interface CodeCommitGitCredentialsProps {
  userName: string;
}

export class CodeCommitGitCredentials extends Construct {
  readonly serviceSpecificCredentialId: string;
  readonly serviceName: string;
  readonly serviceUserName: string;
  readonly servicePassword: string;
  readonly status: string;

  constructor(scope: Construct, id: string, props: CodeCommitGitCredentialsProps) {
    super(scope, id);

    // Create the Git Credentials required
    const gitCredResp = new AwsCustomResource(this, "gitCredentials", {
      // https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/IAM.html#createServiceSpecificCredential-property
      onCreate: {
        service: "IAM",
        action: "createServiceSpecificCredential",
        parameters: {
          ServiceName: "codecommit.amazonaws.com",
          UserName: props.userName
        },
        // The credential id becomes the physical id, so onDelete can reference it below
        physicalResourceId: PhysicalResourceId.fromResponse("ServiceSpecificCredential.ServiceSpecificCredentialId")
      },
      // https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/IAM.html#deleteServiceSpecificCredential-property
      onDelete: {
        service: "IAM",
        action: "deleteServiceSpecificCredential",
        parameters: {
          ServiceSpecificCredentialId: new PhysicalResourceIdReference(),
          UserName: props.userName
        }
      },
      // Grants iam:CreateServiceSpecificCredential / iam:DeleteServiceSpecificCredential on "*".
      // Passing the user's ARN in `resources` instead scopes the provider to this one user.
      policy: AwsCustomResourcePolicy.fromSdkCalls({
        resources: AwsCustomResourcePolicy.ANY_RESOURCE,
      }),
    });

    // Deploy-time tokens (Fn::GetAtt on the custom resource). ServicePassword is
    // returned by IAM only on create; the whole response is kept as the custom
    // resource's attributes and may be logged by the provider Lambda (see the
    // logApiResponseData and outputPaths options on the SDK call).
    this.serviceSpecificCredentialId = gitCredResp.getResponseField("ServiceSpecificCredential.ServiceSpecificCredentialId");
    this.serviceName = gitCredResp.getResponseField("ServiceSpecificCredential.ServiceName");
    this.serviceUserName = gitCredResp.getResponseField("ServiceSpecificCredential.ServiceUserName");
    this.servicePassword = gitCredResp.getResponseField("ServiceSpecificCredential.ServicePassword");
    this.status = gitCredResp.getResponseField("ServiceSpecificCredential.Status");
  }
}

And a usage example:

    // Context for this fragment: it runs inside the constructor of a construct whose
    // props carry the CodeCommit repository (an IRepository from aws-cdk-lib/aws-codecommit)
    // and which declares `user: User` (aws-cdk-lib/aws-iam) and
    // `gitCredentials: CodeCommitGitCredentials` as fields.

    // User created for Git Push/Pull
    this.user = new User(this, `codeCommitGitMirrorUser`, {
      userName: `${props.repository.repositoryName}-GitMirrorUser`
    });

    // Grants the user the CodeCommit permissions needed for git push/pull on this repo
    props.repository.grantPullPush(this.user);

    this.gitCredentials = new CodeCommitGitCredentials(this, "codeCommitGitCredentials", {
      userName: this.user.userName
    });
GhotiPhud answered Jan 04 '26 22:01
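The question also lists the API and CLI route (create-service-specific-credential). The following is an added example, not code from the question or the answer above, showing that route wrapped so the one-time password is never placed on a command line, never echoed, and goes straight into Secrets Manager. It assumes AWS CLI v2 with credentials allowed to call iam:CreateServiceSpecificCredential on the target user and secretsmanager:CreateSecret; the function names and the secret name are our own choices.

```shell
# Added example (not part of the original question or answer): the CLI route the
# question lists, wrapped so the one-time password is never placed on a command
# line, never echoed to the terminal, and is handed straight to Secrets Manager.
# Assumes AWS CLI v2 with credentials allowed to call
# iam:CreateServiceSpecificCredential on the target user and
# secretsmanager:CreateSecret; the function and secret names are our own.
set -eu

# Create HTTPS Git credentials for AWS CodeCommit for the IAM user in $1.
# Prints one tab-separated line: <credential id> <service user name> <password>.
# --query keeps the full JSON response (which carries the password) out of
# terminal scrollback; --output text avoids a jq dependency.
create_git_credential() {
  aws iam create-service-specific-credential \
    --user-name "$1" \
    --service-name codecommit.amazonaws.com \
    --query 'ServiceSpecificCredential.[ServiceSpecificCredentialId,ServiceUserName,ServicePassword]' \
    --output text
}

# Store the password read from stdin in Secrets Manager under the name in $1.
# The value goes through a mode-0600 temp file and file://, so it never appears
# in the argv of the aws process (visible in `ps`) or in shell history.
# Prints the secret ARN.
store_git_password() {
  tmp="$(mktemp)"
  chmod 600 "$tmp"
  cat > "$tmp"
  arn="$(aws secretsmanager create-secret \
    --name "$1" \
    --description "HTTPS Git credentials for AWS CodeCommit" \
    --secret-string "file://$tmp" \
    --query 'ARN' --output text)" || { rm -f "$tmp"; return 1; }
  rm -f "$tmp"
  printf '%s\n' "$arn"
}

# End to end: create the credential for user $1, park the password under secret
# $2, and print only "<credential id>\t<service user name>". IAM returns the
# password exactly once, so if the store step fails, delete the credential with
# `aws iam delete-service-specific-credential` and start over.
provision_git_credential() {
  user_name="$1"
  secret_name="$2"
  tab="$(printf '\t')"
  create_git_credential "$user_name" | {
    IFS="$tab" read -r cred_id service_user password
    [ -n "$cred_id" ] && [ -n "$password" ] || return 1
    # printf is a shell builtin, so the password is not exposed as a process argument
    printf '%s' "$password" | store_git_password "$secret_name" >/dev/null
    printf '%s\t%s\n' "$cred_id" "$service_user"
  }
}
```

Usage: `provision_git_credential <iam-user-name> <secret-name>`. The IAM user still needs the CodeCommit permissions themselves (what `grantPullPush` does in the answer's CDK usage example); this script only mints and stores the HTTPS Git credential. Note that the service-specific credential is bound to the user, so deleting the user (or the credential with delete-service-specific-credential) invalidates it, but the copy in Secrets Manager must be removed separately.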


