{"id":7951,"library":"aws-cdk-aws-iam","title":"AWS CDK AWS IAM Construct Library (v1)","description":"The `aws-cdk-aws-iam` package provides a set of AWS Cloud Development Kit (CDK) constructs for defining and managing AWS Identity and Access Management (IAM) resources in Python. It simplifies the process of creating IAM roles, users, groups, and policies, and assigning granular permissions to other AWS resources. This particular version, 1.204.0, belongs to AWS CDK v1, which reached End-of-Support on June 1, 2023. While still functional, it no longer receives updates, patches, or technical support. AWS CDK (v2) generally follows a weekly release cadence for new features and bug fixes, with critical maintenance releases as needed.","status":"deprecated","version":"1.204.0","language":"en","source_language":"en","source_url":"https://github.com/aws/aws-cdk.git","tags":["aws","cdk","iam","infrastructure-as-code","iac","cloudformation","security","deprecated"],"install":[{"cmd":"pip install aws-cdk.aws-iam==1.204.0","lang":"bash","label":"Install specific v1 version"},{"cmd":"npm install -g aws-cdk","lang":"bash","label":"Install AWS CDK CLI (prerequisite for Python CDK)"}],"dependencies":[{"reason":"Core CDK library (implicit for v1 constructs)","package":"aws-cdk.core"},{"reason":"Required for the AWS CDK CLI, which synthesizes CloudFormation templates.","package":"nodejs","optional":false},{"reason":"Required for AWS authentication and interactions during deployment.","package":"awscli","optional":false},{"reason":"Runtime for the Python CDK application.","package":"python","optional":false}],"imports":[{"note":"Standard alias for the IAM construct library in AWS CDK v1.","wrong":"import aws_cdk.aws_iam","symbol":"aws_iam","correct":"from aws_cdk import aws_iam as iam"},{"note":"Specific constructs for defining IAM roles and policies.","symbol":"Role","correct":"from aws_cdk.aws_iam import Role, ServicePrincipal, PolicyStatement"}],"quickstart":{"code":"import os\nfrom aws_cdk import (\n    aws_iam as iam,\n    core\n)\n\n# In CDK v1, Stack, App, Construct and Environment live in aws_cdk.core\nclass MyIamStack(core.Stack):\n    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n        super().__init__(scope, id, **kwargs)\n\n        # Define an IAM Role that only the Lambda service can assume\n        lambda_role = iam.Role(\n            self,\n            \"MyLambdaRole\",\n            assumed_by=iam.ServicePrincipal(\"lambda.amazonaws.com\")\n        )\n\n        # Grant read access to a single bucket: GetObject needs the object ARN,\n        # ListBucket needs the bucket ARN itself\n        lambda_role.add_to_policy(\n            iam.PolicyStatement(\n                actions=[\"s3:GetObject\", \"s3:ListBucket\"],\n                resources=[\"arn:aws:s3:::my-bucket/*\", \"arn:aws:s3:::my-bucket\"]\n            )\n        )\n\n        # Define an IAM User\n        my_user = iam.User(self, \"MyCdkUser\")\n\n        # Attach an AWS managed policy to the user\n        my_user.add_managed_policy(\n            iam.ManagedPolicy.from_aws_managed_policy_name(\"ReadOnlyAccess\")\n        )\n\napp = core.App()\n# Resolve the target account/region from the environment; unset values\n# leave the stack environment-agnostic\nMyIamStack(app, \"MyIamStack\",\n           env=core.Environment(\n               account=os.environ.get('CDK_DEFAULT_ACCOUNT', os.environ.get('AWS_ACCOUNT_ID')),\n               region=os.environ.get('CDK_DEFAULT_REGION', os.environ.get('AWS_REGION'))\n           ))\napp.synth()","lang":"python","description":"This quickstart demonstrates how to define an IAM role for a Lambda function with specific S3 read permissions and how to create an IAM user and attach an AWS managed policy. This code should be placed within an AWS CDK application structure (e.g., `app.py` or a stack file) and assumes you have the AWS CDK CLI and credentials configured. Remember to replace 'my-bucket' with an actual S3 bucket name or dynamic reference. Ensure `CDK_DEFAULT_ACCOUNT` and `CDK_DEFAULT_REGION` environment variables are set for non-environment-agnostic deployments."},"warnings":[{"fix":"Migrate your CDK application to AWS CDK v2. This involves updating dependencies to `aws-cdk-lib`, adjusting import statements, and re-bootstrapping your AWS environments with the modern CDK v2 bootstrap stack. Refer to the official AWS CDK v2 migration guide.","message":"AWS CDK v1, including `aws-cdk-aws-iam` version 1.204.0, reached End-of-Support on June 1, 2023. It no longer receives maintenance, updates, patches, or technical support. Continuing to use v1 exposes your infrastructure to potential security vulnerabilities and unaddressed bugs. Migration to AWS CDK v2 is strongly recommended.","severity":"breaking","affected_versions":"1.x.x (all versions)"},{"fix":"Update your import statements. For example, `from aws_cdk import aws_iam as iam` becomes `from aws_cdk_lib import aws_iam as iam` or `from aws_cdk import aws_iam as iam` if you configure your `cdk.json` with the appropriate feature flags or alias imports.","message":"Migrating from AWS CDK v1 to v2 requires significant changes to import statements. Individual construct libraries (like `aws_iam`) are consolidated under the `aws-cdk-lib` package in v2.","severity":"breaking","affected_versions":"1.x.x to 2.x.x"},{"fix":"Re-bootstrap your AWS accounts/regions with `cdk bootstrap`. Ensure your deployment roles have the necessary permissions for the new v2 bootstrap resources, which might include new S3 asset bucket names and ECR repository names.","message":"AWS CDK v2 requires environments to be bootstrapped with the modern bootstrap stack. The legacy v1 bootstrap stack is no longer supported. This can impact deployment permissions for assets.","severity":"breaking","affected_versions":"1.x.x to 2.x.x"},{"fix":"Always strive for the principle of least privilege. Define IAM policies with the minimum necessary actions and resources. Leverage `grant*` methods on resources (e.g., `bucket.grant_read(lambda_function)`) which often provision least-privilege roles automatically.","message":"Granting overly permissive IAM permissions (e.g., using `*` for actions or resources) violates the principle of least privilege, creating security vulnerabilities.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Avoid hardcoding explicit names for IAM resources. Allow CDK to generate logical IDs. If explicit naming is required, use dynamic references like `Fn::Join` with `AWS::Region` or `AWS::AccountId` to ensure uniqueness across environments.","message":"Hardcoding IAM resource names (e.g., policy names, role names) can lead to deployment failures and unrecoverable errors, especially when reusing templates across regions or refactoring.","severity":"gotcha","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-04-16T00:00:00.000Z","next_check":"2026-07-15T00:00:00.000Z","problems":[{"fix":"Explicitly define the `env` property for your stacks using environment variables (`os.environ.get('CDK_DEFAULT_ACCOUNT', '')`, `os.environ.get('CDK_DEFAULT_REGION', '')`) or by passing them directly. Ensure your AWS CLI credentials are correctly configured and accessible by the CDK application.","cause":"The CDK CLI or application cannot determine which AWS account and region to deploy to, often due to missing environment variables or explicit `env` properties on the stack. This is common when switching authentication methods (e.g., from IAM user to OIDC role).","error":"Unable to resolve AWS account for the stack. This usually happens when you don't specify 'env' for your stack. For example: new MyStack(app, 'MyStack', { env: { account: process.env.CDK_DEFAULT_ACCOUNT, region: process.env.CDK_DEFAULT_REGION } });"},{"fix":"Ensure the IAM principal has sufficient permissions. For deployments involving assets, verify write access to the CDK Toolkit's asset S3 bucket. For full stack deployments, the CloudFormation execution role needs permissions to manage all resources defined in the stack. Consider re-bootstrapping your environment if using v2.","cause":"The IAM principal (user or role) attempting to deploy the CDK stack lacks the necessary permissions to create or modify AWS resources, particularly the S3 bucket used by CDK for asset staging or the CloudFormation execution role.","error":"AccessDeniedException: User: arn:aws:iam::123456789012:user/MyUser is not authorized to perform: s3:PutObject on resource: arn:aws:s3:::cdk-123456789012-assets-us-east-1/..."},{"fix":"Break down large CDK applications into smaller, modular stacks. For templates larger than 50KB, ensure your environment is bootstrapped, as CDK will upload the template to S3. Consider using higher-level constructs or patterns to reduce the number of underlying CloudFormation resources.","cause":"The synthesized CloudFormation template exceeds the maximum allowed size (50KB) or resource count (500 resources for most regions).","error":"The CloudFormation template contains too many resources. (Maximum: 500 resources)"},{"fix":"Avoid assigning explicit `resourceName` properties to constructs that might conflict with existing resources. Allow CDK to generate unique logical IDs. If you need to manage an existing resource, use `from_xxx_name` or `from_xxx_arn` methods to import it into your stack, or use `cdk import` functionality.","cause":"You are attempting to create an AWS resource with a fixed, explicit name that already exists in your AWS account, outside of or within another CloudFormation stack.","error":"The resource with name 'MyResource' already exists."}]}