(iam): how to create combined managed policy?

[akefirad]

Is there a way to create combined policy using CDK?

Use Case

I'm trying to import (AWS or customer) managed policies into a new managed policy. I couldn't find any info regarding how to do this.

This is needed to cope with size limitations (e.g. number of policies in a group).

Other

As a workaround I did this:

const myManagedPolicy = ...;
const myCombinedPolicy = new iam.ManagedPolicy(this, "MyCombinedPolicy", {
  statements: myManagedPolicy.document.toJSON().Statement.map((s: any) => iam.PolicyStatement.fromJson(s))
});

This works fine, but has two limitations:

1. I can't assign any SID to the statements.
2. It won't work with AWS managed policy (since they're of type iam.IManagedPolicy)

[redbaron]

1. Try passing autoAssignSids: false to the combined managed policy. You can also reuse statements from myManagedPolicy constructor, then you can avoid JSON roundtrip

2. You'll have to make calls with aws-sdk yourself to query AWS managed policies I am afraid.

[akefirad]

I can't assign any SID to the statements.

I think this is not relevant. I misspoke. Never mind.

You can also reuse statements from myManagedPolicy constructor

I don't necessarily have access to them.

You'll have to make calls with aws-sdk...

Right. I did it in a different way.

So based on the comment, my understanding is that, there's no straightforward way to do and it's not to be considered as a feature.

[redbaron]

There is a history of adding lookup functions to contexts: https://docs.aws.amazon.com/cdk/latest/guide/context.html#context_methods . Maybe managed policy lookups can be added to the list?

[rix0rrr]

Yes, the contents of AWS Managed Policies are not available to CDK, without querying. It could be added, but this is of value to only a few individuals so unlikely to make it into CDK core.

An easy way to go about this is write a script that queries the policies you're looking for, writes the result to a .json file, and have your CDK app read and apply that json file at runtime.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.