IAM Role / Trust-relationships -trustpolicy required for access-grants-s3 cannot be created with CDK

[ttais2017]

Describe the bug

Trying to create a trust-policy for a given role, like this:

cannot be created with CDK.

Regression Issue

• Select this option if this issue appears to be a regression.

Last Known Working CDK Version

CDK Version: 2.1002.0 (build 09ef5a0)

Expected Behavior

the trust-policy for a given role, will contain the given statements

Current Behavior

the trust-policy will not be included in the role.

Reproduction Steps

try this code:

    let servicePrincipal = new iam.ServicePrincipal('access-grants.s3.amazonaws.com');
    servicePrincipal.addToAssumeRolePolicy(trustPolicy);
    servicePrincipal.addToPolicy(new iam.PolicyStatement({
      sid: 'AccessGrantsTrustPolicy',
      effect: iam.Effect.ALLOW,
      principals: [new iam.ServicePrincipal('access-grants.s3.amazonaws.com')],
      actions: ['sts:AssumeRole', 'sts:SetSourceIdentity'],
      conditions: {
        StringEquals: {
          'aws:SourceAccount': '9xxx2',
          'aws:SourceArn': 'arn:aws:s3:eu-central-1:9xxx2:access-grants/default',
        },
      },
    }));

    this.context.properties.accessGrantsRole = new iam.Role(this, this.id4res('AccessGrantsRole'), {
      assumedBy: servicePrincipal,
      inlinePolicies: {
        'AccessGrantsPolicy': accessGrantsPolicy,
      },
    });

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

CDK Version: 2.1002.0 (build 09ef5a0)

Framework Version

No response

Node.js Version

Node.js v22.12.0

OS

Win11

Language

TypeScript

Language Version

No response

Other information

No response

[pahud]

Hi @ttais2017,

Thanks for reporting this issue! I've reviewed the code and identified the cause of the problem.

Issue Analysis

The issue is with how you're attempting to create the trust policy for your IAM role. The code pattern you're using doesn't match how trust policies are established in the CDK.

In your code:

let servicePrincipal = new iam.ServicePrincipal('access-grants.s3.amazonaws.com');
servicePrincipal.addToAssumeRolePolicy(trustPolicy);  // This method doesn't exist on ServicePrincipal
servicePrincipal.addToPolicy(new iam.PolicyStatement({...}));  // Also incorrect

The addToAssumeRolePolicy and addToPolicy methods are being called on the ServicePrincipal, but these methods don't exist on that class - this is why your trust policy isn't being generated correctly.

Solution

Here's the correct way to create a role with the trust policy you need for S3 Access Grants:

// Create a service principal with conditions
const servicePrincipal = new iam.ServicePrincipal('access-grants.s3.amazonaws.com', {
  conditions: {
    StringEquals: {
      'aws:SourceAccount': '9xxx2',
      'aws:SourceArn': 'arn:aws:s3:eu-central-1:9xxx2:access-grants/default',
    },
  }
});

// Create the role with the principal
const accessGrantsRole = new iam.Role(this, this.id4res('AccessGrantsRole'), {
  assumedBy: servicePrincipal,
  inlinePolicies: {
    'AccessGrantsPolicy': accessGrantsPolicy,
  },
});

If you specifically need to include sts:SetSourceIdentity in the trust policy, you can use this approach instead:

// Create a service principal
const servicePrincipal = new iam.ServicePrincipal('access-grants.s3.amazonaws.com');

// Create the role first
const accessGrantsRole = new iam.Role(this, this.id4res('AccessGrantsRole'), {
  assumedBy: servicePrincipal,
  inlinePolicies: {
    'AccessGrantsPolicy': accessGrantsPolicy,
  },
});

// Then customize the assume role policy
const statement = new iam.PolicyStatement({
  actions: ['sts:AssumeRole', 'sts:SetSourceIdentity'],
  principals: [servicePrincipal],
  conditions: {
    StringEquals: {
      'aws:SourceAccount': '9xxx2',
      'aws:SourceArn': 'arn:aws:s3:eu-central-1:9xxx2:access-grants/default',
    },
  },
});

// Add the statement to the assume role policy
accessGrantsRole.assumeRolePolicy?.addStatements(statement);

I hope this helps solve your issue! Let me know if you have any questions.

[ttais2017]

Dear Pahug,
Tnx a lot for your suggestions. Now my code works. I have to say, it was a bit tricky. ; )

sometimes it's hard to get such kind of policies, taking into account the IDE shows those methods also as possible:
let servicePrincipal = new iam.ServicePrincipal('access-grants.s3.amazonaws.com');
servicePrincipal.addToAssumeRolePolicy(trustPolicy); // This method doesn't exist on ServicePrincipal
servicePrincipal.addToPolicy(new iam.PolicyStatement({...})); // Also incorrect

which do not exist.

This ticket can be close!. TNX also for your time.