iann0036 / AWSConsoleRecorder

Records actions made in the AWS Management Console and outputs the equivalent CLI/SDK commands and CloudFormation/Terraform templates.

CloudFormation IAM Role missing managed policies

tlelson opened this issue · comments

Describe the bug
I created an IAM Role with managed policies but the generated CFN did not contain them.

Related Mapping
iam:AttachRolePolicy

Related Language
CloudFormation

To Reproduce
Steps to reproduce the behavior:

  1. Go to IAM in console
  2. Create a role with managed policies
  3. Observe generated CFN

Expected behavior
Expected CFN like this:

AWSTemplateFormatVersion: "2010-09-09"
Metadata:
  Generator: "console-recorder"
Description: ""
Resources:
  DevDataUser:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: "DevDataUser"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Action:
              - "sts:AssumeRole"
            Principal:
              AWS: "XXXXXXXXXX"
            Condition:
              Bool:
                aws:MultiFactorAuthPresent: "true"
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
        - arn:aws:iam::aws:policy/AmazonDynamoDBReadOnlyAccess
        - arn:aws:iam::aws:policy/AmazonRedshiftReadOnlyAccess
        - arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess

Actual behaviour
Got CFN like this:

AWSTemplateFormatVersion: "2010-09-09"
Metadata:
  Generator: "console-recorder"
Description: ""
Resources:
  iamdea1b3b:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: "DevDataUser"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Action: "sts:AssumeRole"
            Principal:
              AWS: "XXXXXXXXXX"
            Condition:
              Bool:
                aws:MultiFactorAuthPresent: "true"

Additional context

Interestingly, the SDK code all uses the AttachRolePolicy method after creating the role. I did not test them, but they look good. I suppose this is a nuance of CloudFormation that I imagine is a little harder to capture than with the REST APIs.

Thanks for raising.

The issue is because the call happens after creation, so it would be implemented by #2.

Will prioritise this issue when I start on that.
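The sequencing problem described in this thread (the console issues CreateRole and then one AttachRolePolicy per managed policy, while CloudFormation expects the attachments folded into the role's ManagedPolicyArns) can be handled by keeping the generated resources keyed by RoleName and merging later calls into them. The following is an added example and is not AWSConsoleRecorder's own code; the list-of-dicts recording format, the RECORDED_CALLS sample (placeholder account id and policy ARNs) and the function names build_template and logical_id are assumptions made for illustration.

```python
"""Fold a recorded sequence of IAM API calls into a single
AWS::IAM::Role CloudFormation resource.

Added example, not part of AWSConsoleRecorder. The recorded-call format
(a list of dicts with "action" and "params") is an assumption made for
illustration; what the console actually emits is CreateRole followed by
one AttachRolePolicy per managed policy, the sequencing the issue describes.
"""
import json
import re

# Constructed sample recording: a role created with two managed policies.
# The account id and the role/policy names are placeholders.
RECORDED_CALLS = [
    {"action": "iam:CreateRole", "params": {
        "RoleName": "DevDataUser",
        # The CreateRole API carries the trust policy as a JSON string.
        "AssumeRolePolicyDocument": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
                "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
            }],
        }),
    }},
    {"action": "iam:AttachRolePolicy", "params": {
        "RoleName": "DevDataUser",
        "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
    }},
    {"action": "iam:AttachRolePolicy", "params": {
        "RoleName": "DevDataUser",
        "PolicyArn": "arn:aws:iam::aws:policy/AmazonDynamoDBReadOnlyAccess",
    }},
]


def logical_id(role_name):
    """CloudFormation logical IDs must be alphanumeric; strip anything else."""
    return re.sub(r"[^A-Za-z0-9]", "", role_name) or "Role"


def build_template(calls):
    """Return (template_dict, unmatched_calls).

    CreateRole opens a resource; every later AttachRolePolicy for the same
    RoleName is folded into that resource's ManagedPolicyArns instead of
    being dropped. Attachments to roles that were not created in this
    recording (and any other call) are returned separately so the caller
    can see what was not captured in the template.
    """
    resources = {}
    by_role = {}  # RoleName -> logical id, for calls arriving after creation
    unmatched = []
    for call in calls:
        action, params = call["action"], call["params"]
        if action == "iam:CreateRole":
            lid = logical_id(params["RoleName"])
            props = {
                "RoleName": params["RoleName"],
                # CloudFormation wants the trust policy as a nested object.
                "AssumeRolePolicyDocument": json.loads(params["AssumeRolePolicyDocument"]),
            }
            # These CreateRole parameters map 1:1 onto AWS::IAM::Role properties.
            for opt in ("Path", "Description", "MaxSessionDuration", "PermissionsBoundary"):
                if opt in params:
                    props[opt] = params[opt]
            resources[lid] = {"Type": "AWS::IAM::Role", "Properties": props}
            by_role[params["RoleName"]] = lid
        elif action == "iam:AttachRolePolicy":
            lid = by_role.get(params["RoleName"])
            if lid is None:
                unmatched.append(call)
                continue
            arns = resources[lid]["Properties"].setdefault("ManagedPolicyArns", [])
            if params["PolicyArn"] not in arns:
                arns.append(params["PolicyArn"])
        else:
            unmatched.append(call)
    template = {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Metadata": {"Generator": "console-recorder"},
        "Description": "",
        "Resources": resources,
    }
    return template, unmatched


if __name__ == "__main__":
    tpl, leftover = build_template(RECORDED_CALLS)
    print(json.dumps(tpl, indent=2))
    if leftover:
        print("calls not folded into a resource:", leftover)
```

The same two-pass idea (create the resource on the first call, merge follow-up calls by RoleName) extends to PutRolePolicy for inline policies, which would land in the role's Policies property rather than ManagedPolicyArns.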