How to prevent generating default policies during IAM role creation in AWS CDK

[ischedrov]

Hi there!

I'm developing the App in AWS CDK which will create ESC scheduled task, event bridge rule and some IAM roles with inline policies. This resources are created in same stack. For better controlling I decided to describe clearly IAM roles and appropriate inline policies (pseudo code is down below).

//Role 1
    private ExecutionRole (): iam.Role {
        const RolePolicy = new iam.PolicyDocument ({
            statements:
                [
                    new iam.PolicyStatement({
                        resources: ['some:Actions*'],
                        actions: ['some:Actions'],
                        effect: iam.Effect.ALLOW
                    })
                ]
        });

        const execRole = new iam.Role(this, 'Execution-Role', {
            assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
            inlinePolicies: {RolePolicy}
        });

        return execRole;
    }
// Role 2
    private EventBridgeRole(): iam.Role {
        const RolePolicy = new iam.PolicyDocument({
            statements:
                [
                    new iam.PolicyStatement({
                        resources: ['some:Resources'],
                        actions: ['some:Actions'],
                        effect: iam.Effect.ALLOW,
                    })
                ],
        });

        const eventBridgeRole = new iam.Role(this, 'Event-Bridge-Role', {
            assumedBy: new iam.ServicePrincipal('events.amazonaws.com'),
            inlinePolicies: {RolePolicy},
        });

        return eventBridgeRole;
    }

This functions are used in another functions which create Task Definition and Event Bridge Target

// Task Definition
private FargateTaskDefinition(): ecs.FargateTaskDefinition {
        const taskDefName = 'blaBlaTaskDefinition'
        const taskRole = this.TaskRole();
        const taskExecRole = this.ExecutionRole();

        const taskDefinition = new ecs.FargateTaskDefinition(this, taskDefName, {
            cpu: 1024,
            family: taskDefName,
            memoryLimitMiB: 2048,
            taskRole: taskRole,
            executionRole: ExecutionRole
        });

        return taskDefinition;
    }

// Event Bridge Target
    private EventBridgeTarget(): eventTargets.EcsTask {
        const vpc = 'some-vpc-id';
        const cluster = 'ecs-cluster-id';
        const subnets = 'some-subnets';
        const taskDefinition = this.FargateTaskDefinition();
        const ebTargetRole = this.createEventBridgeTargetRole(cluster, taskDefinition);

        const ebTarget = new eventTargets.EcsTask({
            taskDefinition,
            cluster,
            role: ebTargetRole,
            platformVersion: ''platform-version,
            subnetSelection: { subnets },
        });

        return eventBridgeTarget;
    }

When I perform cdk deploy all resources are created but IAM roles contains additional autogenerated policy statement. It's true for both roles:

blaBlaBlaDefaultPolicyA513DFBF
blaBlaBlaRole

Is there any way to prevent creation this autogenerated (DefaultPolicyA513DFBF) policies? Also may be someone found a way how to provide names for this policies.

Appreciate for any advices. Thank you!

[indrora]

You could use Aspects to walk and modify the tree, but without seeing what the CDK is producing, it's hard to know what the policy is doing.

A lot of CDK constructs create a role and policy out of the gate simply to make sure that there are appropriate roles in place for that construct.

[peterwoodworth]

If you don't want CDK to add policy statements to a Role passed into any construct, you can pass in Role.withoutPolicyUpdates() when needed.

[ischedrov]

Thank you. I used this option year ago. Forgot to update this thread.

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.