diff --git a/packages/@aws-cdk/aws-iam/lib/private/immutable-role.ts b/packages/@aws-cdk/aws-iam/lib/private/immutable-role.ts
index d894cc8dbc722..fd70bfa3786d5 100644
--- a/packages/@aws-cdk/aws-iam/lib/private/immutable-role.ts
+++ b/packages/@aws-cdk/aws-iam/lib/private/immutable-role.ts
@@ -22,7 +22,7 @@ import { IRole } from '../role';
 export class ImmutableRole implements IRole {
   public readonly assumeRoleAction = this.role.assumeRoleAction;
   public readonly policyFragment = this.role.policyFragment;
-  public readonly grantPrincipal = this.role.grantPrincipal;
+  public readonly grantPrincipal = this;
   public readonly roleArn = this.role.roleArn;
   public readonly roleName = this.role.roleName;
   public readonly node = this.role.node;
diff --git a/packages/@aws-cdk/aws-iam/test/immutable-role.test.ts b/packages/@aws-cdk/aws-iam/test/immutable-role.test.ts
index 7a39b761bbb7f..f736b5a3c8680 100644
--- a/packages/@aws-cdk/aws-iam/test/immutable-role.test.ts
+++ b/packages/@aws-cdk/aws-iam/test/immutable-role.test.ts
@@ -62,17 +62,39 @@ describe('ImmutableRole', () => {
   });
   test('ignores calls to addToPolicy', () => {
-    mutableRole.addToPolicy(new iam.PolicyStatement({
+    immutableRole.addToPolicy(new iam.PolicyStatement({
       resources: ['*'],
-      actions: ['s3:*'],
+      actions: ['iam:*'],
     }));
-    immutableRole.addToPolicy(new iam.PolicyStatement({
+    mutableRole.addToPolicy(new iam.PolicyStatement({
       resources: ['*'],
-      actions: ['iam:*'],
+      actions: ['s3:*'],
     }));
-    expect(stack).toHaveResourceLike('AWS::IAM::Policy', {
+    expect(stack).toHaveResource('AWS::IAM::Policy', {
+      "PolicyDocument": {
+        "Version": "2012-10-17",
+        "Statement": [
+          {
+            "Resource": "*",
+            "Action": "s3:*",
+            "Effect": "Allow",
+          },
+        ],
+      },
+    });
+  });
+  test('ignores grants', () => {
+    iam.Grant.addToPrincipal({
+      grantee: immutableRole,
+      actions: ['s3:*'],
+      resourceArns: ['*'],
+    });
+    expect(stack).not.toHaveResourceLike('AWS::IAM::Policy', {
       "PolicyDocument": {
         "Statement": [
           {
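Review bot: The one-line change to `grantPrincipal` carries no explanation, and the removed value was the natural-looking one, so a later cleanup could put `this.role.grantPrincipal` back and reopen the path where a grant made against an ImmutableRole is written into the wrapped role's policy instead of being dropped. Add a comment above the member, e.g. `// Must be \`this\`, not \`this.role.grantPrincipal\`: grants resolve through grantPrincipal, and delegating to the wrapped role would bypass the immutability this class enforces.` Presumably this works because ImmutableRole's own `addToPrincipalPolicy` reports no statement added, so grants are silently discarded rather than rejected; that behaviour is worth stating in the class TSDoc so users understand why granted permissions never appear in the template. The rest of the class body, including that method, is outside the hunk.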