[custom-resources] allow for no policy to be specified

[mh-love]

I do not have the ability to modify roles and the CDK assumes I do for an AwsCustomResource. I can specify the execution role for the custom resource Lambda, but I have to specify a policy, and cdk deploy fails for me because I don't have access to modify the execution role with the new policy. I would expect for policy to be optional if role is specified. I am in a corporate setting where permissions are "locked down" and roles exist but can not be modified.

Reproduction Steps

export class ExistingS3BucketEventSource extends CDK.Construct {
  constructor(scope: CDK.Construct, id: string, props: S3NotificationLambdaProps) {
    super(scope, id);

    new CR.AwsCustomResource(scope, id + 'CustomResource', {
      onCreate: {
        ...
      },
      onDelete: {
        ...
      },
      policy: CR.AwsCustomResourcePolicy.fromStatements([]), // I don't want this! Also specifying no statements doesn't work!
      role: props.role // I want permissions from here!
    });

    props.lambda.addPermission('AllowS3Invocation', {
      action: 'lambda:InvokeFunction',
      principal: new IAM.ServicePrincipal('s3.amazonaws.com'),
      sourceArn: props.bucket.bucketArn
    });
  }
}

interface S3NotificationLambdaProps {
  role: IAM.IRole;
  bucket: S3.IBucket;
  lambda: Lambda.IFunction;
  events: string[];
  prefix: string;
}

What did you expect to happen?

I do not want to modify the execution role.

What actually happened?

The execution role is modified.

Environment

• CDK CLI Version : 1.90.0 (build 7edba31)
• Framework Version: 1.90.0
• Node.js Version: v12.18.3
• OS : Catalina 10.15.7
• Language (Version): TypeScript (3.8.3)

Other

---

This is 🐛 Bug Report

[rix0rrr]

I guess I don't mind that field being optional.

In the mean time, you can use role.withoutPolicyUpdates() (or call Role.fromRoleName(..., { mutable: false })) to prevent your existing role from being attempted to be updated.

[mainframenzo]

@rix0rrr Very useful tip. Thank you!

[BLasan]

@rix0rrr Still opened?

[BLasan]

@rix0rrr Can I give a try for this?

[jacobsnapp]

I guess I don't mind that field being optional.

In the mean time, you can use role.withoutPolicyUpdates() (or call Role.fromRoleName(..., { mutable: false })) to prevent your existing role from being attempted to be updated.

@rix0rrr - I have used Role.from_role_arn( ..., mutable=False) and role.without_policy_updates() with no luck (in Python). AwsCustomResource does not seem to respect the immutable role and always adds duplicate inline policies.

[mattiamatrix]

Hello, I am also having the same issue with CDK 2.17.0. Did anyone find a workaround for this? I currently have a role with 60+ replicated inline policies and almost reached the characters limit.

[mattiamatrix]

#19114 might partially help

Update: tested this morning and the AwsCustomResource policy is not minified.

[haslam22]

Experiencing the same problem. I need to provide an immutable role to AwsCustomResource which already has the correct permissions to do what I want. I'm not allowed to update an IAM role with a new policy in my corporate environment.

No workaround available as far as I can see, it always tries to attach a policy if role is defined: aws-custom-resource.ts#L409

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.