I want to update the trustpolicy of existing IAM role using AWS CDK

Question

I want to update the trust policy of an existing IAM role using AWS CDK. But I am not finding the exact cdk property to do it. Please help me.

Lets say Rolename my_rolename_1 with below trust policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::12345:role/role_1"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Now I want to add another aws account to trust policy arn:aws:iam::23451:role/role_2

The trust policy of IAM role should get updated with

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::12345:role/role_1",
                    "arn:aws:iam::23451:role/role_2"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

I am able to import the role using below command

const Existingrole = iam.Role.fromRoleArn(this, 'Role', 'arn:aws:iam::11111:role/my_rolename_1',{
        mutable: true,
     });

But couldn't find exact property to attach/update trustpolicy with new cross account details.

Answer 1

The CDK cannot modify existing, external resources. The reference returned from the fromRoleArn method is read-only.

The CDK CLI does have an actual (experimental) cdk import capability to bring existing resources into a CDK app. AWS::IAM::Role is a resource type that is supported for importing. After you import the role, you can modify it like other CDK resources. Or, instead of importing, you could simply create a new role and delete the existing role.