This repository has been archived by the owner on May 23, 2024. It is now read-only.

Cloudformation IAM Role missing managed policies #10

Open
tlelson opened this issue Nov 9, 2018 · 1 comment
Labels
new-mapping New mapping request

Comments

tlelson commented Nov 9, 2018

Describe the bug
I created an IAM Role with managed policies but the generated CFN did not contain them.

Related Mapping
iam:AttacheRoleToPolicy

Related Language
Cloudformation

To Reproduce
Steps to reproduce the behavior:

  1. Go to IAM in console
  2. Create a role with managed policies
  3. Observe generated CFN

Expected behavior
Expected CFN like this:

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Metadata:
  Generator: "console-recorder"
Description: ""
Resources:
  DevDataUser:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: "DevDataUser"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Action:
              - "sts:AssumeRole"
            Principal:
              AWS: "XXXXXXXXXX"
            Condition:
              Bool:
                aws:MultiFactorAuthPresent: "true"
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
        - arn:aws:iam::aws:policy/AmazonDynamoDBReadOnlyAccess
        - arn:aws:iam::aws:policy/AmazonRedshiftReadOnlyAccess
        - arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess
```

Actual behaviour
Got CFN like this (the `ManagedPolicyArns` block is absent; indentation of the `Properties` children corrected so the snippet is valid YAML):

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Metadata:
    Generator: "console-recorder"
Description: ""
Resources:
        iamdea1b3b:
            Type: "AWS::IAM::Role"
            Properties:
                RoleName: "DevDataUser"
                AssumeRolePolicyDocument:
                    Version: "2012-10-17"
                    Statement:
                      -
                            Effect: "Allow"
                            Action: "sts:AssumeRole"
                            Principal:
                                AWS: "XXXXXXXXXX"
                            Condition:
                                Bool:
                                    aws:MultiFactorAuthPresent: "true"
```

Additional context

Interestingly, the SDK code all uses the AttachRolePolicy method after creating the role. I did not test them but they look good. I suppose this is a nuance of Cloudformation that I imagine is a little harder to capture than with the REST APIs.

Owner
iann0036 commented Nov 9, 2018

Thanks for raising.

Issue is because the call happens after creation, so would be implemented by #2

Will prioritise this issue when I start on that.
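The folding the owner's diagnosis points at, as an added example that is not console-recorder's own code: a recorded `iam:CreateRole` followed by `iam:AttachRolePolicy` calls for the same `RoleName` is merged into one `AWS::IAM::Role` carrying `ManagedPolicyArns`, which is the shape the expected template above shows. The `{service, method, params}` call shape, the sample recording and the logical-id scheme are assumptions.

```javascript
// Added example, not console-recorder's own code: fold the IAM calls recorded
// when a role is created with managed policies into one AWS::IAM::Role.
// Constructed recording; the {service, method, params} shape is an assumption.
const recordedCalls = [
  { service: "iam", method: "CreateRole", params: {
      RoleName: "DevDataUser",
      AssumeRolePolicyDocument: JSON.stringify({ Version: "2012-10-17",
        Statement: [{ Effect: "Allow", Action: "sts:AssumeRole",
          Principal: { AWS: "XXXXXXXXXX" },
          Condition: { Bool: { "aws:MultiFactorAuthPresent": "true" } } }] }) } },
  { service: "iam", method: "AttachRolePolicy", params: { RoleName: "DevDataUser",
      PolicyArn: "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess" } },
  { service: "iam", method: "AttachRolePolicy", params: { RoleName: "DevDataUser",
      PolicyArn: "arn:aws:iam::aws:policy/AmazonDynamoDBReadOnlyAccess" } },
];

// Walk the calls in order: an AttachRolePolicy that follows a CreateRole for
// the same RoleName becomes an entry in that role's ManagedPolicyArns.
function buildRoleResources(calls) {
  const resources = {};  // logical id -> CloudFormation resource
  const idByName = {};   // RoleName -> logical id (naming scheme is hypothetical)
  const unmatched = [];  // attachments to roles not created in this recording
  for (const call of calls) {
    if (call.service !== "iam") continue;
    if (call.method === "CreateRole") {
      const logicalId = call.params.RoleName.replace(/[^A-Za-z0-9]/g, "");
      resources[logicalId] = {
        Type: "AWS::IAM::Role",
        Properties: {
          RoleName: call.params.RoleName,
          // The API carries the trust policy as a JSON string; CFN wants an object.
          AssumeRolePolicyDocument: JSON.parse(call.params.AssumeRolePolicyDocument),
        },
      };
      idByName[call.params.RoleName] = logicalId;
    } else if (call.method === "AttachRolePolicy") {
      const logicalId = idByName[call.params.RoleName];
      if (logicalId === undefined) { unmatched.push(call); continue; }
      const props = resources[logicalId].Properties;
      props.ManagedPolicyArns = props.ManagedPolicyArns || [];
      if (!props.ManagedPolicyArns.includes(call.params.PolicyArn)) {
        props.ManagedPolicyArns.push(call.params.PolicyArn);
      }
    }
  }
  return { resources, unmatched };
}
```

Attachments whose CreateRole is not in the recording are returned in `unmatched` rather than dropped, so a template that would deploy a narrower role than the one actually built in the console is visible to the user instead of silently missing grants.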

iann0036 added the labels bug (Something isn't working) and new-mapping (New mapping request), and removed the label bug (Something isn't working), on Jan 3, 2019.