[aws-iam] Create a ManagedPolicy from a Grant

[trusanen-bpg]

I'd like to create a ManagedPolicy with permissions to read a KMS-encrypted S3 bucket. To grant these permissions, the Bucket-construct has the grantRead-method that can apply the suitable permissions to the bucket- and key policies regarding the given principal, but creating a ManagedPolicy out of the resulting Grant proved to be difficult.

Use Case

Suppose AWS user accounts are managed manually through the console. It would ease the management of the permissions if the managed policies could be easily created with CDK.

Proposed Solution

Add a new principal: ManagedPolicyPrincipal. It would be a combination of a managed policy and some Principal. The method would add the required permissions to all the policy documents: bucket policy, key policy and the managed policy. Here's a rough idea of the API:

policy = ManagedPolicy(stack, "Policy")
principal = AccountRootPrincipal()

principalWithPolicy = ManagedPolicyPrincipal(policy, principal)
bucket.grantRead(principalWithPolicy)

---

This is a 🚀 Feature Request

[rix0rrr]

That's a good idea. I wonder if it makes sense to make a ManagedPolicy implements IGrantable just for this.

[rix0rrr]

(By the way you could probably implement this class today yourself. It could be in the upstream library but it doesn't have to be)

[trusanen-bpg]

That's a good idea. I wonder if it makes sense to make a ManagedPolicy implements IGrantable just for this.

Thanks.

I was thinking about this as well, but then it occurred to me that many times setting the permissions only for the ManagedPolicy is not enough. In this example, reading the bucket would not be possible unless the KMS key policy would be updated to allow the usage of the key by some principal. As the framework cannot know to which principals the ManagedPolicy would ultimately be attached to, I thought that having a class with a reference to some principal as well would make sense.

[kornicameister]

I actually just stumbled onto that again. Having methods like grantRead or grantPublish is quite convenient but they usually change default policy in group, role or whatever. Having named policies that can be later on attached to said groups roles seems nicer.

i.e.

a = iam.Policy(...)
b = iam.ManagedPolicy(...)

s3.Bucket(...).grant_put(a)
s3.Bucket(...).grant_put(b)

that gives us correct policies or managed policies with correct statements.

Perhaps having Policy or ManagedPolicy implementing iam.IGrantable would be enough.
Or having granting methods to support accepting iam.Policy or iam.ManagedPolicy.

All in all, one can take iam.Grant and from it obtain statements to include in policy but that generates a duplicate permission. Consider:

bucket = s3.Bucket(...)
user = iam.User(...)
policy = iam.Policy(users=[user])

policy.addStatements(bucket.grantPut(user).principal_statement)

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.