(aws-iam): grantAssumeRole does nothing

[dkaksl]

Describe the bug

Role.grantAssumeRole() does not make any difference in the generated policy.

Expected Behavior

grantAssumeRole should grant the given princial permission to assume the role.

Current Behavior

No-op.

Reproduction Steps

const role = new Role(this, 'role', {
  assumedBy: new AccountPrincipal(this.account)
})
role.grantAssumeRole(new AccountPrincipal('123456789')) // no-op

Possible Solution

No response

Additional Information/Context

Workaround:

const role = new Role(this, 'role', {
  assumedBy: new AccountPrincipal(this.account)
})

//role.grantAssumeRole(new AccountPrincipal('123456789'))

role.assumeRolePolicy?.addStatements(
  new PolicyStatement({
    effect: Effect.ALLOW,
    actions: ['sts:AssumeRole'],
    principals: [new AccountPrincipal('123456789')]
  })
)

CDK CLI Version

2.67.0

Framework Version

No response

Node.js Version

v18.14.2

OS

Ubuntu

Language

Typescript

Language Version

No response

Other information

No response

[pahud]

Hi

You will need to use assumeRolePolicy instead:

  const role = new iam.Role(this, 'role', {
    assumedBy: new iam.AccountPrincipal(this.account),
  })

  role.assumeRolePolicy?.addStatements(new iam.PolicyStatement({
    actions: ['sts:AssumeRole'],
    principals: [new iam.AccountPrincipal('123456789')],
  }))

related to #22550 (comment)

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

[begna112]

What is the purpose of role.grantAssumeRole if it does not actually add the AssumeRole statements for you?

When trying to use this workaround, it can end up trying to create cyclical references. In particular when trying to add RolePrincipals or RoleArns, such as for a specific lambda.

[IllarionovDimitri]

have the same problem. spent hours to figure out why grant_assume_role(identity) does nothing. how should one actually find out this workaround to add statement to the role policy... no idea...

imho this workaround (if it is one) should be at least mentioned in the docs.

although it works, there is a "add_statements" is not a known member of "None" message

[lukepafford]

Would like to comment that I just encountered this issue too and it's a bit bewildering. I'm totally fine using role.assumeRolePolicy?.addStatements to modify the roles trust policy.

Just make it clear that you shouldn't use grantAssumeRole in the docs.

To make the problem obvious, here is a minimum example to reproduce the bug:

import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import {
  AccountPrincipal,
  AccountRootPrincipal,
  Effect,
  PolicyStatement,
  Role,
} from "aws-cdk-lib/aws-iam";

export class IamTestStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const accountsToAllowAssumedBy = ["000000000000"]; // Replace with real account

    const role = new Role(this, "Role", {
      assumedBy: new AccountRootPrincipal(),
      roleName: "AssumeRoleTest",
    });

    // THIS DOES NOT WORK
    // accountsToAllowAssumedBy.forEach((account) => {
    //   role.grantAssumeRole(new AccountPrincipal(account));
    // });

    // THIS DOES WORK
    role.assumeRolePolicy?.addStatements(
      new PolicyStatement({
        actions: ["sts:AssumeRole"],
        effect: Effect.ALLOW,
        principals: accountsToAllowAssumedBy.map(
          (account) => new AccountPrincipal(account)
        ),
      })
    );
  }
}