How to create an IAM PolicyDocument with multiple statements using CDK Python?

Time:12-18

I am trying to write an IAM PolicyDocument with multiple statements using Python in CDK, but I couldn't find any examples anywhere.

This is what I have in YAML, which I am trying to write in CDK using Python.

Lambda:
    Type: AWS::IAM::Role
    Properties:
      RoleName:
        Fn::Sub: LambdaRole
      Policies:
        - PolicyName:
            Fn::Sub: LambdaPolicy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Sid: ADPermissions
                Effect: Allow
                Action:
                  - ssm:SendCommand
                  - ec2:DescribeInstances
                  - ds:DescribeDirectories
                  - ssm:GetParameter
                  - ssm:PutParameter
                  - ssm:StartAutomationExecution
                  - dynamodb:Scan
                  - dynamodb:Query
                  - sts:AssumeRole
                Resource: "*"
              - Sid: SQS
                Effect: Allow
                Action:
                  - sqs:SendMessage
                Resource: "*"
              - Sid: CloudWatch
                Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: "*"

I wrote the following based on the YAML, but it is giving me errors. Any help with this is highly appreciated.

   RolePolicy.add_to_policy(
            iam.PolicyDocument(
                statements = [
                    iam.PolicyStatement(
                        effect = iam.Effect.ALLOW,
                        actions = [
                            'ssm:SendCommand', 
                            'ec2:DescribeInstances', 
                            'ds:DescribeDirectories', 
                            'ssm:GetParameter', 
                            'ssm:PutParameter', 
                            'ssm:StartAutomationExecution', 
                            'sts:AssumeRole'
                        ],
                        resources = ['*']
                     )
                ]
            ),             
            iam.PolicyDocument(
                statements = [
                    iam.PolicyStatement(
                        effect = iam.Effect.ALLOW,
                        actions = [
                            'sqs:SendMessage'
                        ],
                        resources = ['*']
                    )
                ]
            ),            
            iam.PolicyDocument(
                statements = [
                    iam.PolicyStatement(
                        effect = iam.Effect.ALLOW,
                        actions = [
                            'logs:CreateLogGroup', 
                            'logs:CreateLogStream', 
                            'logs:PutLogEvents'
                        ],
                        resources = ['*']
                    )
                ]
            )
        )   

CodePudding user response:

That particular API only accepts a single statement, e.g.

RolePolicy.add_to_policy(
    iam.PolicyStatement(
        effect = iam.Effect.ALLOW,
        actions = [
            'ssm:SendCommand', 
            'ec2:DescribeInstances', 
            'ds:DescribeDirectories', 
            'ssm:GetParameter', 
            'ssm:PutParameter', 
            'ssm:StartAutomationExecution', 
            'sts:AssumeRole'
         ],
         resources = ['*']
    )
)   

So you would have to call it multiple times with each policy, assuming RolePolicy is of type PolicyDocument.

Please refer to: https://docs.aws.amazon.com/cdk/api/latest/python/aws_cdk.aws_iam/Role.html#aws_cdk.aws_iam.Role.add_to_policy

Alternatively, you could investigate one of the other APIs that will allow you to attach the entire Policy to a role at once: https://docs.aws.amazon.com/cdk/api/latest/python/aws_cdk.aws_iam/Role.html#aws_cdk.aws_iam.Role.attach_inline_policy or https://docs.aws.amazon.com/cdk/api/latest/python/aws_cdk.aws_iam/Role.html#aws_cdk.aws_iam.Role.add_managed_policy

The structure here would be more like:

Role.attach_inline_policy(          # Role is your iam.Role instance
    iam.Policy(self, 'Policy',
        statements = [
            iam.PolicyStatement(
                effect = iam.Effect.ALLOW,
                actions = [
                    'ssm:SendCommand', 
                    'ec2:DescribeInstances', 
                    'ds:DescribeDirectories', 
                    'ssm:GetParameter', 
                    'ssm:PutParameter', 
                    'ssm:StartAutomationExecution', 
                    'sts:AssumeRole'
                 ],
                 resources = ['*']
            ),
            iam.PolicyStatement(
                effect = iam.Effect.ALLOW,
                actions = [
                    'sqs:SendMessage'
                ],
                resources = ['*']
            ),
            iam.PolicyStatement(
                effect = iam.Effect.ALLOW,
                actions = [
                    'logs:CreateLogGroup', 
                    'logs:CreateLogStream', 
                    'logs:PutLogEvents'
                ],
                resources = ['*']
            )
        ]
    )
)   
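The following is an added example, not code from the question or the answer above. It transcribes the three statements from the question's YAML into a plain Python policy document, lints that document for `Resource: "*"` grants (every statement in the question uses the wildcard, including for `sts:AssumeRole` and `ssm:SendCommand`, which is what a least-privilege review would flag first), and then shows the two CDK routes: one `iam.PolicyDocument.from_json` passed through `inline_policies`, or `role.add_to_policy` called once per statement. The `lambda.amazonaws.com` service principal is an assumption, since the question's YAML does not show the role's trust policy; the CDK calls are imported lazily so the builder and linter run without `aws-cdk-lib` installed.

```python
"""Build the question's policy as one document with several statements,
lint it for wildcard resources, and hand it to CDK (aws-cdk-lib v2)."""
import json
from typing import Any, Dict, List, Tuple

# Statements transcribed from the question's YAML (constructed sample data).
STATEMENTS: List[Dict[str, Any]] = [
    {
        "Sid": "ADPermissions",
        "Effect": "Allow",
        "Action": [
            "ssm:SendCommand", "ec2:DescribeInstances", "ds:DescribeDirectories",
            "ssm:GetParameter", "ssm:PutParameter", "ssm:StartAutomationExecution",
            "dynamodb:Scan", "dynamodb:Query", "sts:AssumeRole",
        ],
        "Resource": "*",
    },
    {"Sid": "SQS", "Effect": "Allow", "Action": ["sqs:SendMessage"], "Resource": "*"},
    {
        "Sid": "CloudWatch",
        "Effect": "Allow",
        "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
        "Resource": "*",
    },
]


def policy_document(statements: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Wrap statements in the envelope IAM and CloudFormation expect."""
    return {"Version": "2012-10-17", "Statement": list(statements)}


def _as_list(value: Any) -> List[str]:
    # IAM lets Action and Resource be a single string or a list; normalise.
    return [value] if isinstance(value, str) else list(value)


def wildcard_findings(doc: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (Sid, action) pairs for Allow statements whose Resource is '*'.

    Each pair is a least-privilege review item. Actions a service only
    supports on '*' (for example ec2:DescribeInstances) are still listed so
    the reviewer confirms each wildcard deliberately rather than by default.
    """
    findings: List[Tuple[str, str]] = []
    for stmt in doc["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for action in _as_list(stmt.get("Action", [])):
            findings.append((stmt.get("Sid", "<no Sid>"), action))
    return findings


def to_json(doc: Dict[str, Any]) -> str:
    """Serialise the document for diffing against the YAML or a deployed policy."""
    return json.dumps(doc, indent=2, sort_keys=True)


def lambda_role(scope, role_id: str, doc: Dict[str, Any]):
    """CDK route 1: one Role, one inline policy holding all statements.

    PolicyDocument.from_json takes the plain dict, so nothing is re-typed.
    Assumption: the role is assumed by Lambda (trust policy not in the question).
    """
    from aws_cdk import aws_iam as iam  # lazy import: linter above needs no CDK

    return iam.Role(
        scope,
        role_id,
        assumed_by=iam.ServicePrincipal("lambda.amazonaws.com"),
        inline_policies={"LambdaPolicy": iam.PolicyDocument.from_json(doc)},
    )


def add_statements(role, doc: Dict[str, Any]) -> int:
    """CDK route 2: the answer's add_to_policy, called once per statement."""
    from aws_cdk import aws_iam as iam

    for stmt in doc["Statement"]:
        role.add_to_policy(iam.PolicyStatement.from_json(stmt))
    return len(doc["Statement"])


if __name__ == "__main__":
    document = policy_document(STATEMENTS)
    print(to_json(document))
    for sid, action in wildcard_findings(document):
        print(f"review: {sid} allows {action} on Resource '*'")
```

Run the module directly to see the JSON that CDK will synthesise and the wildcard review list; inside a stack, call `lambda_role(self, "LambdaRole", policy_document(STATEMENTS))` once, rather than wrapping each statement in its own `PolicyDocument` as the question's code did.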