
Default policy is getting created even when a Managed policy was created in the Role #4196

Closed
nikhilbhoj opened this issue Sep 23, 2019 · 3 comments
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management feature-request A feature should be added or improved.

Comments

nikhilbhoj commented Sep 23, 2019

In my organization, we need to use Managed Policies and not inline policies.
So, instead of using the policy created by CDK, I have to create a custom Managed policy and attach it to the role.
But what is happening is that both types of policy are being created by CDK, i.e.
Inline policy - by CDK
Managed Policy - created by me.
Since we have a permission boundary policy in place, my stack creation fails.

I create this Managed Policy as below:

import * as iam from '@aws-cdk/aws-iam';

// cdklogGroupArn, cdklogGroupStarArn, s3Buildarn and s3BuildStarArn are
// defined elsewhere in the stack
const cdkCodebuildpolicy = new iam.ManagedPolicy(this, 'CDKBuildPolicy', { managedPolicyName: 'CDKBuildPolicyLog' });

cdkCodebuildpolicy.addStatements(new iam.PolicyStatement({
  effect: iam.Effect.ALLOW,
  resources: [cdklogGroupArn, cdklogGroupStarArn],
  actions: ['logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents'],
}));

cdkCodebuildpolicy.addStatements(new iam.PolicyStatement({
  effect: iam.Effect.ALLOW,
  resources: [s3Buildarn, s3BuildStarArn],
  actions: ['s3:GetObject*', 's3:GetBucket*', 's3:List*', 's3:DeleteObject*', 's3:PutObject*', 's3:Abort*'],
}));

cdkCodebuildpolicy.addStatements(new iam.PolicyStatement({
  effect: iam.Effect.ALLOW,
  resources: ['*'],
  actions: ['kms:Decrypt', 'kms:DescribeKey', 'kms:Encrypt', 'kms:ReEncrypt*', 'kms:GenerateDataKey*'],
}));

// existing customer-managed policies, looked up by name
const deny = iam.ManagedPolicy.fromManagedPolicyName(this, 'DENY', 'deny_policy');
const permissionBoundary = iam.ManagedPolicy.fromManagedPolicyName(this, 'BOUNDARY', 'boundary_policy');

And then in my codebuild.PipelineProject, I create a custom role:

import * as codebuild from '@aws-cdk/aws-codebuild';

const cdkBuild = new codebuild.PipelineProject(this, 'CdkBuild', {
  buildSpec: codebuild.BuildSpec.fromObject({
    version: '0.2',
    phases: {
      install: {
        commands: [
          'npm install',
          'npm install -g cdk',
          'npm install -g typescript',
        ],
      },
      build: {
        commands: [
          'ls -ltr',
          'npm run build',
          'npm run cdk synth -- -o dist',
        ],
      },
    },
    artifacts: {
      'base-directory': 'dist',
      files: [
        'LambdaStack.template.json',
      ],
    },
  }),
  environment: {
    buildImage: codebuild.LinuxBuildImage.UBUNTU_14_04_NODEJS_8_11_0,
  },
  // custom role carrying the managed policies and the permissions boundary
  role: new iam.Role(this, 'cdkBuildRole', {
    assumedBy: new iam.ServicePrincipal('codebuild.amazonaws.com'),
    permissionsBoundary: permissionBoundary,
    managedPolicies: [deny, cdkCodebuildpolicy],
  }),
});

Reproduction Steps

It is creating this managed policy

   "CDKBuildPolicy804D7CE8": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
              ],
              "Effect": "Allow", 

And this inline default policy

   "cdkBuildRoleDefaultPolicy25CD29C1": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::Join": [

Error Log

My stack creation fails

Environment

  • CLI Version : 1.8
  • Framework Version: TypeScript
  • OS : Ubuntu
  • Language : TypeScript

This is a 🐛 Bug Report
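The two template fragments above are the whole symptom: the author's `AWS::IAM::ManagedPolicy` plus an `AWS::IAM::Policy` (inline) that CDK attached on its own, and it is the inline one that the permissions boundary rejects. A cheap way to catch this before deployment is to scan the output of `cdk synth` for inline policies attached to roles that are supposed to carry managed policies only. The check below is an added example, not code from this issue or from the aws-cdk project; it takes the template as a parsed object, and the sample template it ships with is constructed to mirror the fragments quoted above (the role's logical ID and the `Resource` values are made up, since the issue truncates them).

```typescript
// Added example: post-synth check for inline AWS::IAM::Policy resources
// attached to roles. Not part of the issue or of aws-cdk.

interface CfnResource {
  Type: string;
  Properties?: Record<string, unknown>;
}

interface CfnTemplate {
  Resources: Record<string, CfnResource>;
}

interface InlinePolicyFinding {
  policyLogicalId: string; // the AWS::IAM::Policy resource
  roles: string[];         // logical IDs of the roles it is attached to
  actions: string[];       // every Action its statements grant
}

// Role attachments in a synthesized template are intrinsic refs: { "Ref": "<logicalId>" }.
function refTarget(value: unknown): string | undefined {
  if (typeof value === 'object' && value !== null && 'Ref' in value) {
    const ref = (value as { Ref: unknown }).Ref;
    return typeof ref === 'string' ? ref : undefined;
  }
  return undefined;
}

// Collect Action values from a policy document; Action may be a string or a list.
function collectActions(policyDocument: unknown): string[] {
  const statements = (policyDocument as { Statement?: unknown } | undefined)?.Statement;
  const list: unknown[] = Array.isArray(statements) ? statements : [];
  const actions: string[] = [];
  for (const stmt of list) {
    const action = (stmt as { Action?: unknown }).Action;
    if (typeof action === 'string') {
      actions.push(action);
    } else if (Array.isArray(action)) {
      actions.push(...action.filter((a): a is string => typeof a === 'string'));
    }
  }
  return actions;
}

// Report every inline policy attached to a role; with `onlyRoles` set, only
// policies touching one of those role logical IDs are reported.
function findInlineRolePolicies(template: CfnTemplate, onlyRoles?: string[]): InlinePolicyFinding[] {
  const findings: InlinePolicyFinding[] = [];
  for (const logicalId of Object.keys(template.Resources)) {
    const resource = template.Resources[logicalId]!;
    if (resource.Type !== 'AWS::IAM::Policy') continue;
    const props = resource.Properties ?? {};
    const roleList: unknown[] = Array.isArray(props.Roles) ? props.Roles : [];
    const roles = roleList.map(refTarget).filter((r): r is string => r !== undefined);
    if (onlyRoles && !roles.some((r) => onlyRoles.indexOf(r) !== -1)) continue;
    findings.push({ policyLogicalId: logicalId, roles, actions: collectActions(props.PolicyDocument) });
  }
  return findings.sort((a, b) => a.policyLogicalId.localeCompare(b.policyLogicalId));
}

// True when no inline policy in the template is attached to the given role.
function roleHasOnlyManagedPolicies(template: CfnTemplate, roleLogicalId: string): boolean {
  return findInlineRolePolicies(template, [roleLogicalId]).length === 0;
}

// Constructed sample shaped like the `cdk synth` output quoted in the issue.
// 'cdkBuildRole1A2B3C4D' and the '*' resources are placeholders.
const logStatement = {
  Action: ['logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents'],
  Effect: 'Allow',
  Resource: '*',
};
const sampleTemplate: CfnTemplate = {
  Resources: {
    cdkBuildRole1A2B3C4D: {
      Type: 'AWS::IAM::Role',
      Properties: { ManagedPolicyArns: [{ Ref: 'CDKBuildPolicy804D7CE8' }] },
    },
    CDKBuildPolicy804D7CE8: {
      Type: 'AWS::IAM::ManagedPolicy',
      Properties: { ManagedPolicyName: 'CDKBuildPolicyLog', PolicyDocument: { Statement: [logStatement], Version: '2012-10-17' } },
    },
    cdkBuildRoleDefaultPolicy25CD29C1: {
      Type: 'AWS::IAM::Policy',
      Properties: {
        PolicyName: 'cdkBuildRoleDefaultPolicy25CD29C1',
        PolicyDocument: { Statement: [logStatement], Version: '2012-10-17' },
        Roles: [{ Ref: 'cdkBuildRole1A2B3C4D' }],
      },
    },
  },
};

for (const f of findInlineRolePolicies(sampleTemplate)) {
  console.log(`inline policy ${f.policyLogicalId} on ${f.roles.join(', ')} grants ${f.actions.join(', ')}`);
}
```

To run it against a real synth output, replace `sampleTemplate` with `JSON.parse(fs.readFileSync('dist/LambdaStack.template.json', 'utf8'))` and fail the build when `roleHasOnlyManagedPolicies` returns false for the CodeBuild role; the logical ID to pass is the one CloudFormation assigns to `cdkBuildRole`, which carries a hash suffix in the real template.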

@nikhilbhoj nikhilbhoj added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Sep 23, 2019
@SomayaB SomayaB added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Sep 23, 2019
@skinny85 (Contributor)

Hey @nikhilbhoj ,

unfortunately, you're hitting this issue. The quick solution here, before we fix #2985, is to create a simple wrapper in your code:

import * as iam from '@aws-cdk/aws-iam';

// Wraps an existing role and ignores every attempt to add policies to it,
// so the construct that receives it cannot attach its DefaultPolicy.
class ImmutableRole implements iam.IRole {
    // parameter property: assigned before any other member is read
    constructor(private readonly role: iam.IRole) {}

    // Read-only members delegate to the wrapped role. Getters are used so the
    // wrapped role is already set when they run (a field initializer would run
    // before the constructor body and see `this.role` as undefined).
    get assumeRoleAction() { return this.role.assumeRoleAction; }
    get grantPrincipal() { return this.role.grantPrincipal; }
    get node() { return this.role.node; }
    get policyFragment() { return this.role.policyFragment; }
    get roleArn() { return this.role.roleArn; }
    get roleName() { return this.role.roleName; }
    get stack() { return this.role.stack; }

    addManagedPolicy(policy: iam.IManagedPolicy): void {
        // do nothing
    }

    addToPolicy(statement: iam.PolicyStatement): boolean {
        // report that nothing was added
        return false;
    }

    attachInlinePolicy(policy: iam.Policy): void {
        // do nothing
    }

    grant(grantee: iam.IPrincipal, ...actions: string[]): iam.Grant {
        return this.role.grant(grantee, ...actions);
    }

    grantPassRole(grantee: iam.IPrincipal): iam.Grant {
        return this.role.grantPassRole(grantee);
    }
}

and then pass this wrapper to the Role for the PipelineProject:

const projectRole = new iam.Role(this, 'cdkBuildRole', {
    assumedBy: new iam.ServicePrincipal('codebuild.amazonaws.com'),
});
const cdkBuild = new codebuild.PipelineProject(this, 'CdkBuild', {
    role: new ImmutableRole(projectRole),
    // ...
});

@skinny85 skinny85 added gap and removed bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Sep 24, 2019
@nikhilbhoj (Author)

Thanks @skinny85 for the quick help. I would be doing this in my code.

@skinny85 skinny85 added feature-request A feature should be added or improved. and removed gap labels Sep 24, 2019
@rix0rrr (Contributor) commented Sep 25, 2019

I don't think we need to have 2 copies of this issue open. Closing as duplicate of #2985.
