[aws-iam] Create a ManagedPolicy from a Grant #10308
Comments
That's a good idea. I wonder if it makes sense to make a

(By the way you could probably implement this class today yourself. It could be in the upstream library but it doesn't have to be)

Thanks. I was thinking about this as well, but then it occurred to me that many times setting the permissions only for the

I actually just stumbled onto that again. Having methods like i.e.

that gives us correct policies or managed policies with correct statements. Perhaps having All in all, one can take
Fixes #10308

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https:/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https:/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [x] Have you added the new feature to an [integration test](https:/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
* [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
I'd like to create a `ManagedPolicy` with permissions to read a KMS-encrypted S3 bucket. To grant these permissions, the `Bucket` construct has the `grantRead` method that can apply the suitable permissions to the bucket and key policies regarding the given principal, but creating a `ManagedPolicy` out of the resulting `Grant` proved to be difficult.

### Use Case

Suppose AWS user accounts are managed manually through the console. It would ease the management of the permissions if the managed policies could be easily created with CDK.

### Proposed Solution

Add a new principal: `ManagedPolicyPrincipal`. It would be a combination of a managed policy and some `Principal`. The method would add the required permissions to all the policy documents: bucket policy, key policy and the managed policy. Here's a rough idea of the API:

This is a 🚀 Feature Request
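As an added illustration of the flow the proposal depends on (this is not code from the issue, the PR, or aws-cdk-lib), the following self-contained TypeScript model shows how a grantee that writes into a managed policy fits the grant mechanism. The `PolicyStatement`, `IPrincipal`, `ManagedPolicy`, `ManagedPolicyPrincipal`, `ImportedPrincipal`, `Key` and `Bucket` types and the ARNs are simplified stand-ins constructed for this example, not the library's own classes. The point it makes: when the grantee is a managed policy, every statement lands in the managed policy document and the bucket and key resource policies stay empty, because a managed policy has no ARN that a resource policy could name; the permissions only take effect once the policy is attached to a real identity.

```typescript
// Added illustration, not aws-cdk-lib code: a minimal stand-in for the grant
// mechanism, used to show what a ManagedPolicyPrincipal would have to do.
// Every name below is a simplified re-implementation constructed for this example.

interface PolicyStatement {
  effect: "Allow" | "Deny";
  actions: string[];
  resources: string[];
  principals?: string[]; // only present on resource-based policies
}

// Anything that can be the grantee of grantRead().
interface IPrincipal {
  // Return true if the statement was absorbed into an identity-based policy.
  addToPrincipalPolicy(statement: PolicyStatement): boolean;
  // ARN to name in a resource policy when the identity policy cannot be edited.
  readonly principalArn?: string;
}

class ManagedPolicy {
  readonly statements: PolicyStatement[] = [];
  constructor(readonly managedPolicyName: string) {}
  addStatements(...stmts: PolicyStatement[]): void {
    this.statements.push(...stmts);
  }
}

// The principal proposed in the issue: statements handed to it go into the
// managed policy document. It deliberately has no ARN, because a managed
// policy is not an identity and cannot be named in a bucket or key policy.
class ManagedPolicyPrincipal implements IPrincipal {
  constructor(private readonly policy: ManagedPolicy) {}
  addToPrincipalPolicy(statement: PolicyStatement): boolean {
    this.policy.addStatements(statement);
    return true;
  }
}

// An identity whose policy this stack cannot modify (for example an imported
// role): grants to it can only land in resource policies.
class ImportedPrincipal implements IPrincipal {
  constructor(readonly principalArn: string) {}
  addToPrincipalPolicy(_statement: PolicyStatement): boolean {
    return false;
  }
}

// Prefer the identity policy; otherwise write a resource-policy entry naming
// the principal. A grantee with neither option is a configuration error.
function addToPrincipalOrResource(grantee: IPrincipal, stmt: PolicyStatement, resourcePolicy: PolicyStatement[]): void {
  if (grantee.addToPrincipalPolicy(stmt)) return;
  if (!grantee.principalArn) throw new Error("grantee has no ARN to name in a resource policy");
  resourcePolicy.push({ ...stmt, principals: [grantee.principalArn] });
}

class Key {
  readonly resourcePolicy: PolicyStatement[] = [];
  constructor(readonly keyArn: string) {}
  grantDecrypt(grantee: IPrincipal): void {
    addToPrincipalOrResource(grantee, { effect: "Allow", actions: ["kms:Decrypt"], resources: [this.keyArn] }, this.resourcePolicy);
  }
}

class Bucket {
  readonly resourcePolicy: PolicyStatement[] = [];
  constructor(readonly bucketArn: string, private readonly encryptionKey?: Key) {}
  grantRead(grantee: IPrincipal): void {
    const stmt: PolicyStatement = {
      effect: "Allow",
      actions: ["s3:GetObject*", "s3:GetBucket*", "s3:List*"],
      resources: [this.bucketArn, `${this.bucketArn}/*`],
    };
    addToPrincipalOrResource(grantee, stmt, this.resourcePolicy);
    this.encryptionKey?.grantDecrypt(grantee); // a KMS-encrypted bucket also needs decrypt on the key
  }
}

// Constructed placeholder ARNs, not real resources.
function makeEncryptedBucket(): { bucket: Bucket; key: Key } {
  const key = new Key("arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-ID");
  return { bucket: new Bucket("arn:aws:s3:::example-data-bucket", key), key };
}

// Scenario from the issue: grantRead into a managed policy. Everything ends up
// in the managed policy document; the bucket and key policies stay untouched.
function readPolicyFromGrant(): { policy: ManagedPolicy; bucket: Bucket; key: Key } {
  const { bucket, key } = makeEncryptedBucket();
  const policy = new ManagedPolicy("ReadExampleDataBucket");
  bucket.grantRead(new ManagedPolicyPrincipal(policy));
  return { policy, bucket, key };
}

// Contrast: the same grant to an imported role lands in the resource policies.
function readGrantToImportedRole(): { bucket: Bucket; key: Key } {
  const { bucket, key } = makeEncryptedBucket();
  bucket.grantRead(new ImportedPrincipal("arn:aws:iam::222222222222:role/ExampleReader"));
  return { bucket, key };
}
```

Reviewing the managed policy produced by `readPolicyFromGrant()` is the check worth doing before attaching it: it should contain exactly the bucket read statement and the `kms:Decrypt` statement, and nothing should have been written to the bucket or key policy. The `ImportedPrincipal` path shows the opposite outcome for an identity the stack cannot edit, which is where resource-policy entries naming a principal ARN come from.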