[iam.Role vs iam.CfnRole] #20314
Unanswered
scottbisker asked this question in Q&A
Replies: 1 comment
-
We require some sort of trust policy on creation because CloudFormation deployment will fail if no AssumeRolePolicyDocument is provided. You can always override what the CDK sets through escape hatches without having to completely drop down to the L1 layer - if you have good reason for how providing this at time of Role creation can be detrimental, let us know what that is and we can look into adding a feature that will suit that use case.
-
Is there a reason why iam.Role doesn't expose AssumeRolePolicyDocument and only allows for defining AssumedBy? Once the Role is established, the policy document is only additive. And you can't define a policy without an AssumedBy, and once it's created, you can only add to the existing policy and not replace. This greatly limits the ability to set the boundaries on a role without using CfnRole.
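Whether the trust policy comes from `assumedBy`, later additions, or an escape-hatch override, it ends up in the `AssumeRolePolicyDocument` of the synthesized template. The following is an added example, not code from this discussion or from the CDK: a check over a synthesized template that flags roles with no trust policy and any trusted principal outside an allowlist. The function name `auditTrustPolicies`, its `allowed` parameter, and the sample template are assumptions constructed for illustration.

```typescript
// Added example: audit AWS::IAM::Role trust policies in a synthesized template.
type OneOrMany = string | string[];
interface Statement { Effect: string; Action: OneOrMany; Principal: string | Record<string, OneOrMany>; }
interface Resource { Type: string; Properties?: { AssumeRolePolicyDocument?: { Statement: Statement[] } }; }
interface Template { Resources: Record<string, Resource>; }

// Returns one finding per problem. An empty array means every role has a trust
// policy and trusts only principals listed in `allowed` (hypothetical parameter).
function auditTrustPolicies(template: Template, allowed: string[]): string[] {
  const findings: string[] = [];
  for (const id of Object.keys(template.Resources)) {
    const res = template.Resources[id];
    if (res.Type !== "AWS::IAM::Role") continue;
    const doc = res.Properties?.AssumeRolePolicyDocument;
    if (!doc) {
      // CloudFormation rejects a role without this property.
      findings.push(`${id}: missing AssumeRolePolicyDocument`);
      continue;
    }
    for (const st of doc.Statement) {
      if (st.Effect !== "Allow") continue; // Deny statements do not grant trust
      const p = st.Principal;
      let principals: string[] = [];
      if (typeof p === "string") principals = [p]; // e.g. the wildcard "*"
      else for (const kind of Object.keys(p)) principals = principals.concat(p[kind]);
      for (const name of principals) {
        if (allowed.indexOf(name) === -1) findings.push(`${id}: unexpected principal ${name}`);
      }
    }
  }
  return findings;
}

// Constructed sample template; the account ID is a documentation placeholder.
const sampleTemplate: Template = {
  Resources: {
    GoodRole: { Type: "AWS::IAM::Role", Properties: { AssumeRolePolicyDocument: { Statement: [
      { Effect: "Allow", Action: "sts:AssumeRole", Principal: { Service: "lambda.amazonaws.com" } }] } } },
    // A principal added after creation: the additive behaviour the question describes.
    DriftedRole: { Type: "AWS::IAM::Role", Properties: { AssumeRolePolicyDocument: { Statement: [
      { Effect: "Allow", Action: "sts:AssumeRole", Principal: { Service: "lambda.amazonaws.com" } },
      { Effect: "Allow", Action: "sts:AssumeRole", Principal: { AWS: ["arn:aws:iam::111122223333:root"] } }] } } },
    BareRole: { Type: "AWS::IAM::Role", Properties: {} },
    Bucket: { Type: "AWS::S3::Bucket" },
  },
};
const sampleFindings = auditTrustPolicies(sampleTemplate, ["lambda.amazonaws.com"]);
```

Run against the output of synthesis before deployment, this catches a trust policy that has grown past the intended boundary regardless of which construct layer produced it.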