aws_iam: CfnServiceLinkedRole not adding policy to role #1800

Open
cjhelloletsgo opened this issue Sep 20, 2023 · 0 comments
Name of the resource

AWS::IAM::ServiceLinkedRole

Resource Name

No response

Issue Description

I made an issue #27203 in the aws-cdk github repo but they told me this was a more appropriate place to report.

When creating a lexv2 bot with a built-in intent type of AMAZON.KendraSearchIntent, a policy with permissions to query Kendra should be generated, but it isn't. The policy is automatically generated and attached to the service linked role in the AWS console, but it is not added if the bot is created through the cdk (and therefore cloudformation).

In the CfnServiceLinkedRole docs it says:
To attach a policy to this service-linked role, you must make the request using the AWS service that depends on this role.

Lex doesn't have any provisions for modifying service linked roles that I can see; it says in the service linked role docs for Lex that if a bot is configured to use the KendraSearchIntent intent, then the service linked role should allow the actions for the specified resource.

Link to CfnServiceLinkedRole docs: https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_iam/CfnServiceLinkedRole.html

Link to LexV2 Service linked role docs: https://docs.aws.amazon.com/lexv2/latest/dg/using-service-linked-roles.html

Relevant cdk code snippet:

# Imports the snippet relies on; the code runs inside a Stack's __init__ (`self` is the
# stack), and `account`, `kendra_index`, `env_tag` and `project_tag` are defined
# elsewhere in the stack.
from aws_cdk import aws_iam as iam, aws_lex as lex

# Service-linked role for Lex V2. CloudFormation creates the role, but per the
# CfnServiceLinkedRole docs only the owning service can attach policies to it.
lex_role = iam.CfnServiceLinkedRole(
    self,
    "Lex Role",
    aws_service_name="lexv2.amazonaws.com",
    description="Service Linked Role for Lex Bots deployed by cdk stack",
    custom_suffix="test",
)

menu_bot = lex.CfnBot(
    self,
    "Menu Bot",
    data_privacy={"ChildDirected": False},
    idle_session_ttl_in_seconds=60,
    name="MenuBot",
    # Service-linked roles live under the aws-service-role/<service-name>/ path
    role_arn=f"arn:aws:iam::{account}:role/aws-service-role/lexv2.amazonaws.com/{lex_role.attr_role_name}",
    bot_locales=[
        lex.CfnBot.BotLocaleProperty(
            locale_id="en_US",
            description="Locale for Kendra",
            nlu_confidence_threshold=0.90,
            intents=[
                # Lex requires at least one custom intent for the locale to build
                lex.CfnBot.IntentProperty(
                    name="RequiredIntent",
                    description="Intent required for bot to build",
                    sample_utterances=[
                        lex.CfnBot.SampleUtteranceProperty(
                            utterance="Do not use this ever"
                        )
                    ],
                ),
                # Built-in Kendra search intent; this is the intent whose
                # Kendra permissions the service-linked role is missing
                lex.CfnBot.IntentProperty(
                    name="KendraSearchIntent",
                    description="Intent to ask a question. This intent searches a Kendra index for an answer to the question.",
                    kendra_configuration=lex.CfnBot.KendraConfigurationProperty(
                        kendra_index=kendra_index.attr_arn,
                    ),
                    parent_intent_signature="AMAZON.KendraSearchIntent",
                    fulfillment_code_hook=lex.CfnBot.FulfillmentCodeHookSettingProperty(
                        enabled=False,
                        is_active=True,
                        post_fulfillment_status_specification=lex.CfnBot.PostFulfillmentStatusSpecificationProperty(
                            success_response=lex.CfnBot.ResponseSpecificationProperty(
                                allow_interrupt=True,
                                message_groups_list=[
                                    lex.CfnBot.MessageGroupProperty(
                                        message=lex.CfnBot.MessageProperty(
                                            plain_text_message=lex.CfnBot.PlainTextMessageProperty(
                                                # ((...)) is Lex's session-attribute substitution syntax
                                                value="I found a link to a document that could help you: ((x-amz-lex:kendra-search-response-document-link-1))"
                                            )
                                        ),
                                    )
                                ],
                            )
                        ),
                    ),
                ),
                lex.CfnBot.IntentProperty(
                    name="FallbackIntent",
                    description="Default intent when no other intent matches",
                    parent_intent_signature="AMAZON.FallbackIntent",
                ),
            ],
        )
    ],
    auto_build_bot_locales=True,
    description="Draft Version",
    bot_tags=[env_tag, project_tag],
)

Expected Behavior

A policy allowing access to Kendra from Lex should be generated so lex can use the built-in AMAZON.KendraSearchIntent intent.

Observed Behavior

The policy is not generated; access is blocked.

Test Cases

Create Lex bot with AMAZON.KendraSearchIntent, test the bot and it should have permissions to access Kendra.

Other Details

No response
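A verification script for the "Test Cases" step above: rather than building the bot and probing it, inspect the service-linked role's policy documents directly and report whether they grant kendra:Query on the Kendra index ARN. This is an added example, not code from the issue or from the aws-cdk / cloudformation projects. The policy documents, index ARN and account id are constructed placeholders; kendra:Query is the action the check looks for (the issue text does not name the action); fetch_role_policy_documents is an optional helper using standard boto3 IAM calls for a live role and is not needed for the offline check.

```python
"""Offline check: do a role's IAM policy documents grant the Kendra access that
AMAZON.KendraSearchIntent needs? Added example, not part of the issue."""
from fnmatch import fnmatchcase

# Action the Lex V2 service-linked role must be allowed on the Kendra index ARN
# for the built-in AMAZON.KendraSearchIntent to query the index.
REQUIRED_KENDRA_ACTIONS = ("kendra:Query",)


def _as_list(value):
    """IAM accepts a string or a list in Statement/Action/Resource fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_insensitive=False):
    """IAM wildcard match: '*' is any run of characters, '?' a single one."""
    if case_insensitive:  # action names are case-insensitive, ARNs are not
        pattern, value = pattern.lower(), value.lower()
    return fnmatchcase(value, pattern)


def policy_allows(documents, action, resource):
    """Simplified IAM evaluation over a list of policy documents.

    True only if some Allow statement matches action+resource and no Deny does.
    Statements with Condition, NotAction or NotResource are skipped (treated as
    non-matching), so a conditional Allow reads as 'not granted' and a
    conditional Deny is not enforced: a hint for investigation, not a full
    policy simulation.
    """
    allowed = False
    for doc in documents:
        for stmt in _as_list(doc.get("Statement")):
            if any(k in stmt for k in ("Condition", "NotAction", "NotResource")):
                continue
            if not any(_matches(a, action, True) for a in _as_list(stmt.get("Action"))):
                continue
            if not any(_matches(r, resource) for r in _as_list(stmt.get("Resource"))):
                continue
            if stmt.get("Effect") == "Deny":
                return False  # an explicit deny always wins
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed


def missing_kendra_permissions(documents, index_arn):
    """Return the required Kendra actions the documents do not grant on index_arn."""
    return [a for a in REQUIRED_KENDRA_ACTIONS if not policy_allows(documents, a, index_arn)]


def fetch_role_policy_documents(role_name):
    """Collect a role's inline and attached policy documents via boto3.

    Needs AWS credentials; not exercised offline. Pagination is omitted, which
    is adequate for a service-linked role with a handful of policies.
    """
    import boto3  # lazy import keeps the offline check free of AWS dependencies

    iam = boto3.client("iam")
    docs = []
    for name in iam.list_role_policies(RoleName=role_name)["PolicyNames"]:
        docs.append(iam.get_role_policy(RoleName=role_name, PolicyName=name)["PolicyDocument"])
    for attached in iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]:
        arn = attached["PolicyArn"]
        version = iam.get_policy(PolicyArn=arn)["Policy"]["DefaultVersionId"]
        docs.append(iam.get_policy_version(PolicyArn=arn, VersionId=version)["PolicyVersion"]["Document"])
    return docs


# Constructed sample data: placeholder account id and index id, not real policies.
INDEX_ARN = "arn:aws:kendra:us-east-1:111122223333:index/EXAMPLE-INDEX-ID"

# Stand-in for a console-created bot's role: a statement scoped to the index.
CONSOLE_STYLE_DOCS = [{
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "kendra:Query", "Resource": INDEX_ARN}],
}]

# Stand-in for the CloudFormation-created role: no Kendra statement at all.
CFN_STYLE_DOCS = [{
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "logs:PutLogEvents", "Resource": "*"}],
}]

if __name__ == "__main__":
    for label, docs in (("console", CONSOLE_STYLE_DOCS), ("cloudformation", CFN_STYLE_DOCS)):
        missing = missing_kendra_permissions(docs, INDEX_ARN)
        print(f"{label}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

For a deployed stack, pass the role name from the CfnServiceLinkedRole output (attr_role_name) to fetch_role_policy_documents and feed the result to missing_kendra_permissions; an empty list means the role carries the Kendra statement the intent needs.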

Status: Researching