
aws-s3: grant*() methods with a managed policy for external buckets created with fromBucketAttributes() caused error #30276

Closed
toxygene opened this issue May 20, 2024 · 3 comments
Labels
@aws-cdk/aws-s3 Related to Amazon S3 bug This issue is a bug. needs-triage This issue or PR still needs to be triaged.

Comments


toxygene commented May 20, 2024

Describe the bug

When I try to pass a managed policy to any of the grant*() methods of an external S3 bucket created using fromBucketAttributes(), I get the following error:

Error: Cannot use a ManagedPolicy 'MyStack/MyManagedPolicy' as the 'Principal' or 'NotPrincipal' in an IAM Policy

Expected Behavior

No error.

Current Behavior

The previously noted error.

Reproduction Steps

import { Fn, Stack, StackProps } from 'aws-cdk-lib';
import { AccountRootPrincipal, ManagedPolicy, Role } from 'aws-cdk-lib/aws-iam';
import { Key } from 'aws-cdk-lib/aws-kms';
import { Bucket } from 'aws-cdk-lib/aws-s3';
import { Construct } from 'constructs';

export class MyStack extends Stack {
  constructor(scope: Construct, id: string, props: StackProps = {}) {
    super(scope, id, props);

    // KMS key of the external bucket, imported by ARN exported from another stack
    const key = Key.fromKeyArn(
      this,
      'MyKey',
      Fn.importValue('MyKeyArn')
    );

    // External bucket imported with its encryption key so grant*() covers both
    const bucket = Bucket.fromBucketAttributes(
      this,
      'MyBucket',
      {
        bucketArn: Fn.importValue('MyBucketArn'),
        encryptionKey: key
      }
    );

    const role = new Role(
      this,
      'MyRole',
      {
        assumedBy: new AccountRootPrincipal()
      }
    );

    const managedPolicy = new ManagedPolicy(
      this,
      'MyManagedPolicy',
      {
        roles: [role]
      }
    );

    // Passing the managed policy as the grantee raises the error quoted above
    bucket.grantReadWrite(managedPolicy);
  }
}

Possible Solution

No response

Additional Information/Context

I'm using fromBucketAttributes() because I want the grant*() methods to grant both the bucket and key permissions.

CDK CLI Version

2.142.0

Framework Version

No response

Node.js Version

20.10.0

OS

Sonoma 14.3.1

Language

TypeScript

Language Version

5.3.3

Other information

No response

@toxygene toxygene added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels May 20, 2024
@github-actions github-actions bot added the @aws-cdk/aws-s3 Related to Amazon S3 label May 20, 2024
@toxygene
Author

I've investigated this further and determined my report is incorrect.


⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@aimestereo

cc: @toxygene

Ugh, I had this one. It's hard to debug because the error message can be incorrect.
In my case the reason was me forgetting to use the same props when creating multiple stacks:

  import { App } from 'aws-cdk-lib';

  const app = new App();
  // S3Stack and AnotherStack are my own stack classes (not shown here)

  const props = {
    env: {
      account: "123456789012",
      region: "us-east-1",
    },
  };

  // this stack just creates S3Bucket for other stacks to use it
  const s3Stack = new S3Stack(app, `test-S3Stack`, {
    ...props,
    bucketId: "IncomingDataBucket",
    bucketName: "example-bucket",
  });

  // in this stack I'm doing my things, but also I was adding managed policy to the provided bucket
  const stack = new AnotherStack(app, `test-AnotherServer`, {
    ...props,  // !!! that was missing !!!
    bucket: s3Stack.bucket,
  });

Because of the missing `{"env": ...}` props, the second stack was operating on the bucket as if it was from another AWS account.
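The mixed-env failure described in the comment above, as an added example that is neither the commenter's code nor aws-cdk-lib's: a self-contained model of the same-account rule CDK's iam.Grant applies before it falls back to a bucket resource policy (to the best of my knowledge, equal concrete account ids or two unresolved tokens count as the same account; one id and one token do not). The construct path and the account id are constructed values.

```typescript
// Added example (not from the issue or from aws-cdk-lib): a stand-alone model of the
// same-account check a bucket grant performs before touching the resource policy.
// An account is a concrete id or an unresolved deploy-time token (what an env-agnostic
// stack, one created without `env`, has for `Stack.account`).
type Account = { kind: 'resolved'; value: string } | { kind: 'token' };

const TOKEN: Account = { kind: 'token' };
const accountId = (id: string): Account => ({ kind: 'resolved', value: id });
// Equal concrete ids, or two unresolved tokens, count as the same account.
// One concrete id and one token (the mixed-env case in the comment) do not.
function sameAccount(resource: Account, principal: Account): boolean {
  if (resource.kind === 'token' && principal.kind === 'token') return true;
  if (resource.kind === 'resolved' && principal.kind === 'resolved') {
    return resource.value === principal.value;
  }
  return false;
}

interface Grantee {
  type: 'Role' | 'ManagedPolicy';  // only a Role can appear as a policy Principal
  path: string;                    // construct path, e.g. 'MyStack/MyManagedPolicy'
  account: Account;                // account of the stack the grantee lives in
}

// Returns the policies the grant is written to. A cross-account (or unknown-account) grant
// also needs a bucket resource policy naming the grantee as Principal; a ManagedPolicy
// cannot be one, which is where the error quoted in this issue comes from.
function planBucketGrant(bucketAccount: Account, grantee: Grantee): string[] {
  const targets = ['identity-policy'];
  if (sameAccount(bucketAccount, grantee.account)) return targets;
  if (grantee.type !== 'Role') {
    throw new Error(
      `Cannot use a ${grantee.type} '${grantee.path}' as the 'Principal' or 'NotPrincipal' in an IAM Policy`,
    );
  }
  targets.push('bucket-resource-policy');
  return targets;
}

// Constructed scenario from the comment: S3Stack was given env, AnotherStack was not.
const BUCKET_ACCOUNT = accountId('123456789012');
const POLICY_PATH = 'test-AnotherServer/MyManagedPolicy';

function grantFromEnvAgnosticStack(): string[] {
  return planBucketGrant(BUCKET_ACCOUNT, { type: 'ManagedPolicy', path: POLICY_PATH, account: TOKEN });
}
// Corrected: both stacks share the same `env`, so both sides resolve to the same id.
function grantWithSharedEnv(): string[] {
  return planBucketGrant(BUCKET_ACCOUNT,
    { type: 'ManagedPolicy', path: POLICY_PATH, account: accountId('123456789012') });
}
```

Running `grantFromEnvAgnosticStack()` throws the Principal error, while `grantWithSharedEnv()` only touches the identity policy, which is the fix the comment describes.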
