CDK Grants into AWS Managed Policy

[0xjjoyy]

CDK Grants option to specify either an existing AWS Managed Policy to to create the Grant as a new AWS Managed Policy

Use Case

AWS IAM Best Practice
Use Customer Managed Policies Instead of Inline Policies

It's easier to manage, version, control, and review AWS Customer Managed Policies compared to Inline policies.

Users should have the option to utilize AWS Customer Managed Policies, rather than only inline policies.

Proposed Solution

Allow the ability to create a new AWS Customer Managed Policy or specify an existing AWS Customer Managed Policy. Rather than the default which is always an Inline Policy.

Other

• 👋 I may be able to implement this feature request
• ⚠️ This feature might incur a breaking change

---

This is a 🚀 Feature Request

[athewsey]

+1: I was surprised recently to learn that ManagedPolicy doesn't implement IGrantable. Any updates on this?

I'd like to build a stack/app that outputs a ManagedPolicy with required permissions for stack resources (specifically things like S3 buckets, SSM param read/write, SFn state machine execution...) - so that this policy can be attached to/removed from roles/users/groups as required.

Today, it seems like I'd need to manually build up lists of PolicyStatements to achieve this, since the high-level resource methods like Bucket.grant_read(...) all require IGrantables so can't work with a ManagedPolicy?

[elacy]

Here is a quick work around for anyone else that runs into this problem

import cdk = require('monocdk');
import iam = require("monocdk/aws-iam");

export class PrincipalPolicy extends iam.ManagedPolicy implements iam.IPrincipal {
    private principal: iam.IPrincipal;

    constructor(scope: cdk.Construct, id: string, props: iam.ManagedPolicyProps) {
        super(scope, id, props);

        if ((props.users?.length || 0) + (props.roles?.length || 0) + (props.groups?.length || 0) !== 1) {
            throw Error("PrincipalPolicy must have one and only one principal");
        }

        if (props.users?.length === 1) {
            this.principal = props.users[0];
        }

        if (props.roles?.length === 1) {
            this.principal = props.roles[0];
        }

        if (props.groups?.length === 1) {
            this.principal = props.groups[0];
        }
    }

    /**
     * (experimental) When this Principal is used in an AssumeRole policy, the action to use.
     *
     * @experimental
     */
    get assumeRoleAction(): string {
        return this.principal.assumeRoleAction;
    }

    /**
     * (experimental) Return the policy fragment that identifies this principal in a Policy.
     *
     * @experimental
     */
    get policyFragment(): iam.PrincipalPolicyFragment {
        return this.principal.policyFragment;
    }

    /**
     * (experimental) The AWS account ID of this principal.
     *
     * Can be undefined when the account is not known
     * (for example, for service principals).
     * Can be a Token - in that case,
     * it's assumed to be AWS::AccountId.
     *
     * @experimental
     */
    get principalAccount(): string | undefined {
        return this.principal.principalAccount;
    }

    /**
     * (deprecated) Add to the policy of this principal.
     *
     * @returns true if the statement was added, false if the principal in
     * question does not have a policy document to add the statement to.
     * @deprecated Use `addToPrincipalPolicy` instead.
     */
    public addToPolicy(statement: iam.PolicyStatement): boolean {
        super.addStatements(statement);
        return true;
    }

    /**
     * (experimental) Add to the policy of this principal.
     *
     * @experimental
     */
    public addToPrincipalPolicy(statement: iam.PolicyStatement): iam.AddToPrincipalPolicyResult {
        super.addStatements(statement);
        return {
            statementAdded: true,
            policyDependable: this
        };
    }

    /**
     * (experimental) The principal to grant permissions to.
     *
     * @experimental
     */

    get grantPrincipal(): iam.IPrincipal {
        return this;
    }
}

[automartin5000]

Just ran into the inline policy limit where this could've solved for that. Reported bug here: #18457