
(aws-iam): (stack tags are not set for awsiam.CfnManagedPolicy) #30982

Open
kylos101 opened this issue Jul 30, 2024 · 6 comments
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management bug This issue is a bug. effort/medium Medium work item – several days of effort needs-cfn This issue is waiting on changes to CloudFormation before it can be addressed. p2

Comments

@kylos101

Describe the bug

Stack tags are not added to IAM policies, they are added to roles.

I add them to my stack like so:

// cfg.Tags is a map[string]string of tag keys to values; this applies each one at stack scope.
for tag, value := range cfg.Tags {
	awscdk.Tags_Of(stack).Add(jsii.String(tag), jsii.String(value), &awscdk.TagProps{
		ApplyToLaunchedInstances: jsii.Bool(true),
	})
}

As a workaround, I tried explicitly adding them to policies like so, but, to no avail:

// policies is a slice of the awsiam.CfnManagedPolicy constructs created in the stack.
for _, policy := range policies {
	for tag, value := range cfg.Tags {
		awscdk.Tags_Of(policy).Add(jsii.String(tag), jsii.String(value), &awscdk.TagProps{
			ApplyToLaunchedInstances: jsii.Bool(true),
		})
	}
}

It seems like it may potentially be a gap or limit, I do not see tags available here (although Tags can be set in the AWS console for Policies).

Expected Behavior

Stack tags are applied to managed policies

Current Behavior

Stack tags are not applied to managed policies

Reproduction Steps

See above sample code

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.147.3 (build 32f0fdb)

Framework Version

No response

Node.js Version

v20.8.0

OS

Ubuntu 22.04.4 LTS

Language

Go

Language Version

1.22

Other information

I'm using these lib versions:

github.com/aws/aws-cdk-go/awscdk/v2 v2.129.0
github.com/aws/aws-sdk-go v1.48.1
github.com/aws/aws-sdk-go-v2 v1.23.1
@kylos101 kylos101 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jul 30, 2024
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Jul 30, 2024
@ashishdhingra ashishdhingra self-assigned this Jul 30, 2024
@ashishdhingra
Contributor

ashishdhingra commented Jul 30, 2024

@kylos101 Good afternoon. Per the CloudFormation guide, the AWS::IAM::Policy and AWS::IAM::ManagedPolicy resources do not support a Tags property (as opposed to AWS::IAM::Role). I'm unable to see any UI in the AWS Console which allows associating tags with an IAM Policy. Could you please point to documentation/resource which specifies associating tags with an IAM Managed Policy?

Thanks,
Ashish

@ashishdhingra ashishdhingra added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed needs-triage This issue or PR still needs to be triaged. labels Jul 30, 2024
@kylos101
Author

Hi @ashishdhingra , thank you so much for the prompt reply!

In the AWS Console, I see a field for tags like so:
[image]

This is in fact the policy we created with CloudFormation and CfnManagedPolicy.

And I can add tags here:
[image]

@ashishdhingra
Contributor

This appears to be a limitation of CloudFormation. The IAM policy schema at https://github.com/cdklabs/awscdk-service-spec/tree/main/sources/CloudFormationSchema/us-east-1 also doesn't appear to support a Tags property and has its taggable flag(s) set to false.

I would open a ticket with the CloudFormation team for their input.

@ashishdhingra ashishdhingra added needs-cfn This issue is waiting on changes to CloudFormation before it can be addressed. effort/small Small work item – less than a day of effort labels Jul 30, 2024
@ashishdhingra
Contributor

Internal ticket created for CloudFormation team: P145169283

@ashishdhingra ashishdhingra added effort/medium Medium work item – several days of effort and removed effort/small Small work item – less than a day of effort labels Jul 30, 2024
@ashishdhingra ashishdhingra removed their assignment Jul 30, 2024
@ashishdhingra ashishdhingra removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jul 30, 2024
@ashishdhingra
Contributor

ashishdhingra commented Jul 30, 2024

@kylos101 Got an update from CloudFormation team:

This is a known limitation of the AWS::IAM::ManagedPolicy resource (the AWS::IAM::Policy resource creates an inline policy for an IAM role/user and is not able to be tagged). There is an ongoing GitHub issue to bring tagging support for this resource to CloudFormation. CDK functionality is limited to what CloudFormation can do, so there is no native CDK solution to work around this issue.

You may potentially use the AwsCustomResource construct to run the TagPolicy API on your IAM policy to work around this.

We could keep this issue open until CloudFormation support is added, after which it would be automatically pushed to CDK L1 construct.
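As an added example (not code from this issue or from the CDK project), here is how the TagPolicy and UntagPolicy SDK calls behind that AwsCustomResource workaround can be assembled in Go: the sdkCall struct, the IAM tag-limit check, and the sample ARN and tags are my own assumptions, and the resulting maps are what you would pass as Parameters of customresources.AwsSdkCall to customresources.NewAwsCustomResource.

```go
package main

import (
	"fmt"
	"sort"
)

// iamTag is the {Key, Value} object shape the IAM TagPolicy API expects.
type iamTag struct{ Key, Value string }

// sdkCall holds the values we would hand to customresources.AwsSdkCall (plain Go fields; CDK uses jsii pointers).
type sdkCall struct {
	Service, Action, PhysicalResourceID string
	Parameters                          map[string]interface{}
}

// tagPolicyCalls builds the onCreate/onUpdate call (TagPolicy) and the onDelete call
// (UntagPolicy) for one managed policy ARN. It enforces the IAM limits (50 tags, key 1..128
// chars, value <=256 chars) and sorts keys so the synthesized template is stable between runs.
func tagPolicyCalls(policyArn string, tags map[string]string) (onCreate, onDelete sdkCall, err error) {
	if len(tags) > 50 {
		return onCreate, onDelete, fmt.Errorf("IAM allows at most 50 tags, got %d", len(tags))
	}
	var keys []string
	for k, v := range tags {
		if k == "" || len(k) > 128 || len(v) > 256 {
			return onCreate, onDelete, fmt.Errorf("tag %q exceeds IAM key/value length limits", k)
		}
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var list []iamTag
	for _, k := range keys {
		list = append(list, iamTag{k, tags[k]})
	}
	id := policyArn + "#tags" // same id on create and update, so CloudFormation updates instead of replacing
	onCreate = sdkCall{"IAM", "TagPolicy", id, map[string]interface{}{"PolicyArn": policyArn, "Tags": list}}
	onDelete = sdkCall{"IAM", "UntagPolicy", id, map[string]interface{}{"PolicyArn": policyArn, "TagKeys": keys}}
	return onCreate, onDelete, nil
}

func main() {
	// Constructed sample input; the ARN and tags are not from the issue.
	c, d, err := tagPolicyCalls("arn:aws:iam::123456789012:policy/example", map[string]string{"team": "platform", "env": "prod"})
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s %v\n%s %v\n", c.Action, c.Parameters, d.Action, d.Parameters)
}
```

Scope the custom resource's policy to that one managed policy ARN with only iam:TagPolicy and iam:UntagPolicy, so the Lambda that runs the call cannot tag other IAM resources; the onDelete call removes the tags again when the stack is destroyed.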

@robertd
Contributor

robertd commented Oct 4, 2024

You may potentially use the AwsCustomResource construct to run the TagPolicy API on your IAM policy to work around this.

Ah... I love the "just monkey-patch it" response from the CFN team 🤣
