barabara

Reputation: 21

How to prevent generating default policies during IAM role creation in AWS CDK

I'm developing an app in AWS CDK which will create an ECS scheduled task, an EventBridge rule and some IAM roles with inline policies. These resources are created in the same stack. For better control I decided to describe the IAM roles and the appropriate inline policies explicitly (pseudo code is below).

    // Role 1
    private ExecutionRole(): iam.Role {
        const RolePolicy = new iam.PolicyDocument({
            statements: [
                new iam.PolicyStatement({
                    resources: ['some:Actions*'],
                    actions: ['some:Actions'],
                    effect: iam.Effect.ALLOW,
                }),
            ],
        });

        const execRole = new iam.Role(this, 'Execution-Role', {
            assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
            inlinePolicies: { RolePolicy },
        });

        return execRole;
    }

    // Role 2
    private EventBridgeRole(): iam.Role {
        const RolePolicy = new iam.PolicyDocument({
            statements: [
                new iam.PolicyStatement({
                    resources: ['some:Resources'],
                    actions: ['some:Actions'],
                    effect: iam.Effect.ALLOW,
                }),
            ],
        });

        const eventBridgeRole = new iam.Role(this, 'Event-Bridge-Role', {
            assumedBy: new iam.ServicePrincipal('events.amazonaws.com'),
            inlinePolicies: { RolePolicy },
        });

        return eventBridgeRole;
    }

These functions are used in other functions which create the Task Definition and the EventBridge Target:

    // Task Definition
    private FargateTaskDefinition(): ecs.FargateTaskDefinition {
        const taskDefName = 'blaBlaTaskDefinition';
        const taskRole = this.TaskRole();
        const taskExecRole = this.ExecutionRole();

        const taskDefinition = new ecs.FargateTaskDefinition(this, taskDefName, {
            cpu: 1024,
            family: taskDefName,
            memoryLimitMiB: 2048,
            taskRole: taskRole,
            // pass the role instance created above, not the method
            executionRole: taskExecRole,
        });

        return taskDefinition;
    }

    // Event Bridge Target
    private EventBridgeTarget(): eventTargets.EcsTask {
        const vpc = 'some-vpc-id';
        const cluster = 'ecs-cluster-id';
        const subnets = 'some-subnets';
        const taskDefinition = this.FargateTaskDefinition();
        const ebTargetRole = this.EventBridgeRole();

        const ebTarget = new eventTargets.EcsTask({
            taskDefinition,
            cluster,
            role: ebTargetRole,
            platformVersion: ecs.FargatePlatformVersion.LATEST,
            subnetSelection: { subnets },
        });

        return ebTarget;
    }

When I perform cdk deploy, all resources are created, but the IAM roles contain an additional autogenerated policy statement. It's true for both roles: [screenshot: autogenerated statements]

Is there any way to prevent the creation of these autogenerated policies? Also, maybe someone has found a way to provide names for these policies.

I appreciate any advice. Thank you!

Upvotes: 2

Views: 3202

Answers (1)

fedonev

Reputation: 25669

CDK constructs helpfully add required policies to roles. If instead you want explicit control over the policies that get added to a role, use the withoutPolicyUpdates method on a Role instance to return an "immutable" IRole that can be passed around:

Use the object returned by this method if you want this Role to be used by a construct without it automatically updating the Role's Policies. If you do, you are responsible for adding the correct statements to the Role's policies yourself.

Upvotes: 3
