Reputation: 328
I am using CDK to deploy my web service: the Docker image has been pushed to ECR, then I use CDK to deploy the application to ECS with Fargate tasks,
but when I deploy the CDK script, it keeps asking me to allow it to update my IAM role.
I don't think it's a good idea to allow the CI runner to have permission to update IAM resources, so I update it manually. But CDK still asks me to allow it.
Does that mean I cannot stop CDK from updating my IAM role?
I tried to trace the source code, but I am not familiar with TS.
https://github.com/aws/aws-cdk/blob/0f0e2055cab08551bc6e5dfb8a1b6219368263c5/packages/%40aws-cdk/aws-ecr/lib/repository.ts#L361
After consulting the AWS community, I got another solution.
If you don't want the CI server to ask for permission to update your IAM policies,
you should use aws_ecs.ContainerImage.from_registry()
instead of aws_ecs.ContainerImage.from_ecr_repository().
Upvotes: 1
Views: 1664
Reputation: 8122
CDK still asks you to update the IAM role since CDK creates a CloudFormation template behind the scenes. This CloudFormation template needs permissions in order to create your CDK stack, in your case ECR. CDK flags changes that involve IAM and asks you for confirmation before proceeding. Therefore, these are the minimal permissions CDK needs in order to create the stack.
So, no, this means you cannot stop CDK from updating your IAM role.
In order to add policies to this IAM role, use .addToPolicy.
These policies will be created with the role, whereas those added by addToPolicy are added using a separate CloudFormation resource (allowing a way around circular dependencies that could otherwise be introduced).
import * as iam from 'aws-cdk-lib/aws-iam'; // '@aws-cdk/aws-iam' on CDK v1

// `role`, `bucket` and `otherRole` are constructs defined elsewhere in the stack.
// Each addToPolicy call becomes a statement in a separate AWS::IAM::Policy resource.
role.addToPolicy(new iam.PolicyStatement({
  effect: iam.Effect.DENY,
  resources: [bucket.bucketArn, otherRole.roleArn],
  actions: ['ec2:SomeAction', 's3:AnotherAction'],
  conditions: {
    StringEquals: { 'ec2:AuthorizedService': 'codebuild.amazonaws.com' },
  },
}));
Upvotes: 1
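The check both posts point at, as an added example that is not code from the question, the answer or the CDK project: the answer's point is that `cdk deploy` prompts because the synthesized CloudFormation template contains IAM resources, and the asker's fix is to choose an image source that does not make CDK synthesize them. A CI pipeline can enforce that without an interactive prompt by scanning the `cdk synth` output and refusing to deploy when the template creates IAM resources or points an ECS task definition at a role created in the same template. The two templates below are constructed stand-ins for synth output (logical IDs, account ID and ARNs are made up, and real output carries more properties and metadata): one for ContainerImage.from_ecr_repository(), where CDK adds an execution role plus the ECR pull policy that the runner is asked to approve, and one for ContainerImage.from_registry() with an execution role created and permissioned outside CDK.

```python
"""CI gate: refuse to deploy a synthesized CDK template that creates IAM resources,
so the runner's credentials never need iam:* rights. Added example; the two
templates below are constructed stand-ins for `cdk synth` output, not real output."""
import json
import sys

# CloudFormation resource types whose creation needs IAM write permissions.
IAM_RESOURCE_TYPES = {"AWS::IAM::Role", "AWS::IAM::Policy", "AWS::IAM::ManagedPolicy",
                      "AWS::IAM::User", "AWS::IAM::Group", "AWS::IAM::InstanceProfile"}


def _policy_actions(props: dict) -> list[str]:
    """Action values from a resource's trust, inline and standalone policy documents."""
    docs = [props.get("AssumeRolePolicyDocument", {}), props.get("PolicyDocument", {})]
    docs += [p.get("PolicyDocument", {}) for p in props.get("Policies", [])]
    actions: set[str] = set()
    for stmt in (s for doc in docs for s in doc.get("Statement", [])):
        act = stmt.get("Action", [])
        actions.update([act] if isinstance(act, str) else act)
    return sorted(actions)


def _refers_to_template_resource(value, resources: dict) -> bool:
    """True when value is a Ref or Fn::GetAtt to a resource defined in this template.
    CDK emits that shape only for roles it creates; a role imported by ARN arrives as
    a literal string (or Fn::Join/Fn::Sub over pseudo-parameters, which is not flagged)."""
    if not isinstance(value, dict):
        return False
    target = value.get("Ref")
    if "Fn::GetAtt" in value:  # ["LogicalId", "Attr"] or the short form "LogicalId.Attr"
        getatt = value["Fn::GetAtt"]
        target = getatt[0] if isinstance(getatt, list) else getatt.split(".")[0]
    return target in resources


def iam_findings(template: dict) -> list[str]:
    """One line per IAM change the deploying principal would have to be allowed to make."""
    resources = template.get("Resources", {})
    findings = []
    for logical_id, res in resources.items():
        rtype, props = res.get("Type", ""), res.get("Properties", {})
        if rtype in IAM_RESOURCE_TYPES:
            acts = _policy_actions(props)
            detail = f" with actions {', '.join(acts)}" if acts else ""
            findings.append(f"{logical_id}: creates {rtype}{detail}")
        elif rtype == "AWS::ECS::TaskDefinition":
            for key in ("ExecutionRoleArn", "TaskRoleArn"):
                if _refers_to_template_resource(props.get(key), resources):
                    findings.append(f"{logical_id}: {key} points at a role created by this template")
    return findings


def deploy_allowed(template: dict) -> bool:
    return not iam_findings(template)


# Constructed sample 1: a Fargate task definition built with ContainerImage.from_ecr_repository().
# CDK creates the execution role and a policy granting it pull access; these two IAM
# resources are the change `cdk deploy` asks the operator to approve.
SYNTH_FROM_ECR_REPOSITORY = {"Resources": {
    "TaskDefExecutionRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                                                    "Principal": {"Service": "ecs-tasks.amazonaws.com"}}]}}},
    "TaskDefExecutionRoleDefaultPolicy": {"Type": "AWS::IAM::Policy", "Properties": {
        "PolicyDocument": {"Statement": [
            {"Action": ["ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"],
             "Effect": "Allow", "Resource": "arn:aws:ecr:us-east-1:123456789012:repository/web"},
            {"Action": "ecr:GetAuthorizationToken", "Effect": "Allow", "Resource": "*"}]},
        "Roles": [{"Ref": "TaskDefExecutionRole"}]}},
    "TaskDef": {"Type": "AWS::ECS::TaskDefinition", "Properties": {
        "ExecutionRoleArn": {"Fn::GetAtt": ["TaskDefExecutionRole", "Arn"]},
        "ContainerDefinitions": [{"Name": "web", "Image": {"Fn::Join": ["", [
            "123456789012.dkr.ecr.us-east-1.", {"Ref": "AWS::URLSuffix"}, "/web:1.2.3"]]}}]}},
}}

# Constructed sample 2: ContainerImage.from_registry() pointed at the same ECR image, with an
# execution role created and granted ECR pull rights outside CDK. Nothing IAM is synthesized.
SYNTH_FROM_REGISTRY = {"Resources": {
    "TaskDef": {"Type": "AWS::ECS::TaskDefinition", "Properties": {
        "ExecutionRoleArn": "arn:aws:iam::123456789012:role/ecs-execution-managed-outside-cdk",
        "ContainerDefinitions": [{"Name": "web",
                                  "Image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/web:1.2.3"}]}},
}}


if __name__ == "__main__":
    # Usage: python iam_gate.py cdk.out/MyStack.template.json   (no argument: check both samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            templates = {sys.argv[1]: json.load(fh)}
    else:
        templates = {"from_ecr_repository": SYNTH_FROM_ECR_REPOSITORY, "from_registry": SYNTH_FROM_REGISTRY}
    blocked = False
    for name, template in templates.items():
        findings = iam_findings(template)
        print(f"{name}: {'BLOCKED' if findings else 'ok'}", *("  " + f for f in findings), sep="\n")
        blocked = blocked or bool(findings)
    sys.exit(1 if blocked else 0)
```

Run it in the pipeline between `cdk synth` and `cdk deploy --require-approval never`; a non-zero exit stops the job before the runner's credentials are ever asked to touch IAM, which is the non-interactive equivalent of the confirmation prompt the answer describes. Two caveats: from_registry() does not remove the need for pull permissions, so the execution role you pass to the task definition (for example one imported with Role.from_role_arn and mutable=False, so CDK does not attach policies to it) must already be allowed to pull from the repository; and the gate only looks at IAM resources and in-template role references, not at resource policies such as bucket or repository policies, which CDK's own "broadening" check also inspects.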