AWS CDK - role and policy creation

amazon-web-services amazon-cloudformation aws-cdk
user2081381 picture user2081381 · May 29, 2020 · Viewed 10.3k times · Source

How can I translate this CloudFormation to CDK (JavaScript or Java)? I was trying to do it, but this is the first time that I work with CDK and I'm not sure how to do it.

FargateTaskExecutionServiceRole:
Type: AWS::IAM::Role
Properties:
  AssumeRolePolicyDocument:
    Statement:
    - Effect: Allow
      Principal:
        Service: 
          - ecs-tasks.amazonaws.com
      Action:
        - sts:AssumeRole
  Policies:
    - PolicyName: AmazonECSTaskExecutionRolePolicy
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
        - Effect: Allow
          Action:
            - 'ecr:GetAuthorizationToken'
            - 'ecr:BatchCheckLayerAvailability'
            - 'ecr:GetDownloadUrlForLayer'
            - 'ecr:BatchGetImage'
            - 'logs:CreateLogStream'
            - 'logs:PutLogEvents'
          Resource: '*'

Answer

dmahapatro picture dmahapatro · May 29, 2020

You should refer to API reference document to get a clear picture. There are examples for such use cases.

However, since you have already asked here and my hands has been itchy to provide you with an answer, so here goes the TypeScript implementation of just the IAM part:

import { 
   ManagedPolicy, 
   Role, 
   ServicePrincipal, 
   PolicyStatement, 
   Effect 
} from '@aws-cdk/aws-iam';

....
....

const ecsFargateServiceRole = new Role(this, 'FargateTaskExecutionServiceRole', {
  assumedBy: new ServicePrincipal('ecs-tasks.amazonaws.com')
});

// Add a policy to a Role
ecsFargateServiceRole.addToPolicy(
  new PolicyStatement({
    effect: Effect.ALLOW,
    resources: ['*'],
    actions: [            
      'ecr:GetAuthorizationToken',
      'ecr:BatchCheckLayerAvailability',
      'ecr:GetDownloadUrlForLayer',
      'ecr:BatchGetImage',
      'logs:CreateLogStream',
      'logs:PutLogEvents'
    ]
  })
);

// Add a managed policy to a role you can use
ecsFargateServiceRole.addManagedPolicy(
    ManagedPolicy.fromAwsManagedPolicyName('AmazonECSTaskExecutionRolePolicy')
);

....
....

UPDATE:

When you are adding an AWS managed policy to a role, you can get the managed policy as a reference by its name or by its ARN. The important part is that if an AWS Managed policy is used as above by its name or ARN, then you will not need to use the policy statement explicitly. From my answer above, you can use the managed policy approach rather than using the policy statement.

An easy way to define the role now would be:

const ecsFargateServiceRole = new Role(this, 'FargateTaskExecutionServiceRole', {
  assumedBy: new ServicePrincipal('ecs-tasks.amazonaws.com'),
  managedPolicies: [
    ManagedPolicy.fromAwsManagedPolicyName('AmazonECSTaskExecutionRolePolicy')
  ]
});

Note that I have excluded the constructor for the Construct for brevity.

Related questions

What is the difference between Elastic Beanstalk and CloudFormation for a .NET project?

I have developed a .NET MVC application and have started playing around with AWS and deploying it via the Visual Studio Toolkit. I have successfully deployed the application using the Elastic Beanstalk option in the toolkit. As I was going …

Read More
User is not authorized to perform: cloudformation:CreateStack

I'm trying out Serverless to create AWS Lambdas and while creating a project using the command serverless project create I'm getting the following error. AccessDenied: User: arn:aws:iam::XXXXXXXXX:user/XXXXXXXXX is not authorized to perform: cloudformation:CreateStack on …

Read More
How can I quickly and effectively debug CloudFormation templates?

CloudFormation is a powerful AWS offering that allows the programmatic creation of AWS resource stacks, such as the web tier of an application, a high performance computing cluster, or an entire application stack, with a single API call. It is …

Read More