Reputation: 1235
The following CDK code
// CDK v1 package imports (added here; the original snippet omitted them).
import * as cdk from '@aws-cdk/core';
import * as iam from '@aws-cdk/aws-iam';
import * as lambda from '@aws-cdk/aws-lambda';
import * as sqs from '@aws-cdk/aws-sqs';
import { SqsEventSource } from '@aws-cdk/aws-lambda-event-sources';

// Queue the Lambda will poll.
const queue = new sqs.Queue(this, 'my-sqs-queue', {
  visibilityTimeout: cdk.Duration.seconds(300)
});
// Pre-existing role, imported by ARN rather than created by this stack.
const role = iam.Role.fromRoleArn(this, "myrole", "arn:aws:iam::1234:role/myrole");
const evtHandler = new lambda.Function(this, 'MyLambda', {
  // Inline handler source; `\\n` keeps a literal backslash-n in the generated
  // JS (a bare `\n` inside this template literal would split the string).
  code: lambda.Code.fromInline(`
    exports.handler = async function(event, context) {
      console.log("EVENT: \\n" + JSON.stringify(event, null, 2))
      return context.logStreamName
    }`),
  handler: 'index.handler',
  runtime: lambda.Runtime.NODEJS_8_10,
  role
});
// Wiring the queue as an event source is what makes CDK grant consume permissions to `role`.
evtHandler.addEventSource(new SqsEventSource(queue, {
  batchSize: 10 // default
}));
will set up a lambda that polls SQS. Awesome! However, it also generates this CF
myrolePolicy99283C52:
  Type: AWS::IAM::Policy
  Properties:
    PolicyDocument:
      Statement:
        - Action:
            - sqs:ReceiveMessage
            - sqs:ChangeMessageVisibility
            - sqs:GetQueueUrl
            - sqs:DeleteMessage
            - sqs:GetQueueAttributes
          Effect: Allow
          Resource:
            Fn::GetAtt:
              - sqseventloaderusw2tstF27FC9C7
              - Arn
      Version: "2012-10-17"
    PolicyName: snssqslambdaPolicy16AEE704
    Roles:
      - myrole
The problem is, myrole already has a policy that will allow those things. It also means the thing executing this script needs to have permissions to create/update Policies/Roles :(
Security in my org will not be super happy with allowing that kind of thing. Is there a way to stop it from generating policies and attaching them to roles?
Upvotes: 8
Views: 2852
Reputation: 109
For anyone coming across this later, setting the option mutable to false solved this for me.
So, in OP's example, the role would change to:
const role = iam.Role.fromRoleArn(this, "myrole", "arn:aws:iam::1234:role/myrole", {mutable: false})
For reference: https://github.com/aws/aws-cdk/issues/4422
Upvotes: 7
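A check to go with the fix above, added here and not part of the question or the answer: after `cdk synth`, scan the emitted CloudFormation template for AWS::IAM::Policy resources that would be attached to a role the template does not itself create, which is exactly what CDK emits for an imported role unless it is imported with { mutable: false }. The two templates in the block are constructed to mirror the question's output (before the fix) and a variant where the only policy targets a role the stack creates itself (to show the check does not flag those); in real use, read cdk.out/<StackName>.template.json instead. The logical IDs in the second template are made up for the example.

```typescript
// Added example (not from the original post): flag IAM policies that a
// synthesized CDK template would attach to roles it does not define.

interface CfnResource {
  Type: string;
  Properties?: { [key: string]: any };
}
interface CfnTemplate {
  Resources: { [logicalId: string]: CfnResource };
}

export interface ExternalRolePolicy {
  policyId: string;   // logical ID of the AWS::IAM::Policy resource
  role: string;       // the externally managed role it targets
  actions: string[];  // IAM actions the policy would grant
}

// Flatten the Action entries of every statement in a policy document.
function actionsOf(policy: CfnResource): string[] {
  const doc = (policy.Properties || {}).PolicyDocument || {};
  const statements: any[] = doc.Statement || [];
  const out: string[] = [];
  for (const s of statements) {
    if (Array.isArray(s.Action)) out.push(...s.Action);
    else if (s.Action) out.push(s.Action);
  }
  return out;
}

// Every (policy, role) pair where the role is not an AWS::IAM::Role in this
// template. Locally created roles appear as { Ref: '<logicalId>' }; imported
// roles appear as a literal name, exactly like `Roles: - myrole` in the question.
export function findPoliciesOnExternalRoles(t: CfnTemplate): ExternalRolePolicy[] {
  const localRoles = new Set<string>();
  for (const id of Object.keys(t.Resources)) {
    if (t.Resources[id].Type === 'AWS::IAM::Role') localRoles.add(id);
  }
  const hits: ExternalRolePolicy[] = [];
  for (const id of Object.keys(t.Resources)) {
    const res = t.Resources[id];
    if (res.Type !== 'AWS::IAM::Policy') continue;
    const roles: any[] = (res.Properties || {}).Roles || [];
    for (const r of roles) {
      if (r && typeof r === 'object' && typeof r.Ref === 'string' && localRoles.has(r.Ref)) continue;
      hits.push({ policyId: id, role: typeof r === 'string' ? r : JSON.stringify(r), actions: actionsOf(res) });
    }
  }
  return hits;
}

// Human-readable findings; an empty list means no pre-existing role is touched.
export function report(t: CfnTemplate): string[] {
  return findPoliciesOnExternalRoles(t).map(h =>
    `${h.policyId} would attach [${h.actions.join(', ')}] to external role ${h.role}`);
}

// Constructed: the policy CDK generated in the question (role imported with the default, mutable: true).
export const beforeFix: CfnTemplate = {
  Resources: {
    myrolePolicy99283C52: {
      Type: 'AWS::IAM::Policy',
      Properties: {
        PolicyDocument: {
          Statement: [{
            Action: ['sqs:ReceiveMessage', 'sqs:ChangeMessageVisibility', 'sqs:GetQueueUrl',
                     'sqs:DeleteMessage', 'sqs:GetQueueAttributes'],
            Effect: 'Allow',
            Resource: { 'Fn::GetAtt': ['sqseventloaderusw2tstF27FC9C7', 'Arn'] },
          }],
          Version: '2012-10-17',
        },
        PolicyName: 'snssqslambdaPolicy16AEE704',
        Roles: ['myrole'],
      },
    },
  },
};

// Constructed: with { mutable: false } CDK emits nothing for the imported role;
// the only policy here targets a role the stack creates itself (made-up IDs).
export const afterFix: CfnTemplate = {
  Resources: {
    LocalRoleABC123: { Type: 'AWS::IAM::Role', Properties: { AssumeRolePolicyDocument: {} } },
    LocalRolePolicyDEF456: {
      Type: 'AWS::IAM::Policy',
      Properties: {
        PolicyDocument: { Statement: [{ Action: 'sqs:ReceiveMessage', Effect: 'Allow', Resource: '*' }], Version: '2012-10-17' },
        PolicyName: 'LocalPolicy',
        Roles: [{ Ref: 'LocalRoleABC123' }],
      },
    },
  },
};

console.log(report(beforeFix).join('\n') || 'no policies on external roles');
console.log(report(afterFix).join('\n') || 'no policies on external roles');
```

Running this as a post-synth step (or a CI gate) gives the security team a concrete artifact: the deploy will either show which actions it wants to grant to which pre-existing role, or print nothing, in which case the deploying principal needs no iam:PutRolePolicy on roles it does not own.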
Reputation: 1875
When I do my development, I usually have the docs set up in another window in my workspace. You just need to set the property autoCreatePolicy to false.
Per the docs: https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-sqs.Queue.html#autocreatepolicy
Upvotes: 1