aws iam: cannot modify trust relationship of imported role

[aradyaron]

Describe the feature

Currently there is no way to add a new role to a trust relationship to an imported role.
The solution suggested in the issue #22550 cannot work as there is no 'assume_role_policy' in an imported role, regardless of immutability.

As I am using the python cdk library, there are multiple levels of abstraction as well.

Use Case

I have a mediator role inside my Stack in my main region X, which will be assumed by a regional role that exists in all my regional stacks.
I want to import the main mediator role on the other stacks (using from_role_arn), and allow specifically to the regional stack role to assume, by adding only it to the mediator role trust policy.

Proposed Solution

Either:

• Add 'assume_role_policy' to the imported role,
  Or:
  Add a new function of add_trusted_assuming_role in order to allow to dynamically add to trusted policy. this is also what the issue aws-iam: Make setting trust on roles more clear in overview and function descriptions #22550 expected from 'grant_assume_role'

Other Information

No response

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

CDK version used

python aws-cdk-lib 2.54.0

Environment details (OS name and version, etc.)

Python

[peterwoodworth]

We cannot implement this because you cannot modify imported resources in CDK

Although you can use an external resource anywhere you'd use a similar resource defined in your AWS CDK app, you cannot modify it. For example, calling addToResourcePolicy (Python: add_to_resource_policy) on an external s3.Bucket does nothing.

To modify the trust policy on an imported role, CDK would need a way to modify that role, which it doesn't because the role is not defined in the application in which you are trying to modify the role. In other words, CDK would need a way to modify the CloudFormation template which has defined the role.

The way to work around this would be to use a custom resource to modify the policy. If you need any direction in that, let me know, and we can convert this issue to a discussion.

[aradyaron]

Thanks for the offer, I would like that. I think it would be beneficial to me as well as to others.
Please note that this however is still limited, as currently the aws api support only full replacement of the trust policy.
This means parallel deployment (for example different regions) can still cause an unwanted behavior of overriding.
Is it possible for a solution to cover this issue as well?

[peterwoodworth]

I'm unaware of any solutions that won't involve full replacement of the trust policy unfortunately, since that would be the only way that I'm aware of that CDK can change a role policy it doesn't control through CloudFormation 🙁

There may be a way to achieve this through a custom resource that you would need to write on your own. I'm thinking you could supply the statement you want to add to the custom resource. Then when the custom resource runs it will make the call to get the existing policy, do some logic to add the statement to the existing policy, then make the call to update that policy. This would still rely on fetching the existing trust policy however, which might not be guaranteed to be accurate during parallel deployments. I'm personally not sure of a way that this could be avoided