IAM Group Examples in AWS CDK - Complete Guide

# Table of Contents

1. IAM Group Examples in AWS CDK
2. Attaching Policies to a Group in AWS CDK
3. Adding a User to a Group in AWS CDK
4. Importing an existing IAM Group in AWS CDK

# IAM Group Examples in AWS CDK

An IAM Group is a collection of users. Groups enable us to reuse common permissions by attaching permissions on the group, rather than on each individual user.

In order to create groups in AWS CDK, we have to instantiate the Group class.

Let's start by creating a simple IAM group with a managed policy:

Copied!
import * as iam from 'aws-cdk-lib/aws-iam';
import * as cdk from 'aws-cdk-lib';

export class CdkStarterStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // 👇 create an IAM group
    const group = new iam.Group(this, 'group-id', {
      managedPolicies: [
        iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonEC2ReadOnlyAccess'),
      ],
    });

    console.log('group name 👉', group.groupName);
    console.log('group arn 👉', group.groupArn);
  }
}

We instantiated the Group class. The constructor method of the class takes 3 parameters:

• groupName - a name for the group. We didn't specify one in the example, because by default CDK will generate a unique group name for us.
• managedPolicies - a list of managed policies to associate with the group. We used an AWS-managed policy that grants EC2 read permissions.
• path - the path to the group - defaults to /.

The values for the groupName and groupArn are tokens at synthesis time, so we can't use them in conditionals:

Tokens are encoded values that get resolved at deployment time by CloudFormation.

Let's run the deploy command:

Copied!
npx aws-cdk deploy

If we look at the group in the IAM console, we can see that the managed policy has been attached to it:

# Attaching Policies to a Group in AWS CDK

We can attach a policy to a Group in CDK, by using the following methods:

• addManagedPolicy - attaches a managed policy to the group
• addToPolicy - attaches a policy to the group
• attachInlinePolicy - attaches an inline policy to the group

Let's look at an example of all 3 methods:

Copied!
import * as iam from 'aws-cdk-lib/aws-iam';
import * as cdk from 'aws-cdk-lib';

export class CdkStarterStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // ... rest

      // 👇 attach a managed policy to the group
    group.addManagedPolicy(
      iam.ManagedPolicy.fromAwsManagedPolicyName(
        'service-role/AWSLambdaBasicExecutionRole',
      ),
    );

    // 👇 add an inline policy to the group
    group.addToPolicy(
      new iam.PolicyStatement({
        actions: ['logs:CreateLogGroup', 'logs:CreateLogStream'],
        resources: ['*'],
      }),
    );

    // 👇 attach an inline policy on the group
    group.attachInlinePolicy(
      new iam.Policy(this, 'cw-logs', {
        statements: [
          new iam.PolicyStatement({
            effect: iam.Effect.DENY,
            actions: ['logs:PutLogEvents'],
            resources: ['*'],
          }),
        ],
      }),
    );
  }
}

We used the addManagedPolicy, addToPolicy and attachInlinePolicy methods on an instance of the Group class.

• addManagedPolicy - takes a single parameter - an IAM-managed policy

• addToPolicy - takes a PolicyStatement instance as a parameter

• attachInlinePolicy takes a Policy instance as a parameter

Let's issue the deploy command:

Copied!
npx aws-cdk deploy

If we take a look at the group in the IAM console, we can see that it now has 4 permission policies attached:

# Adding a User to a Group in AWS CDK

In order to add a user to a group in AWS CDK, we have to use the addUser method on an instance of the Group class.

Copied!
import * as iam from 'aws-cdk-lib/aws-iam';
import * as cdk from 'aws-cdk-lib';

export class CdkStarterStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // ... rest

    // 👇 create IAM User
    const user = new iam.User(this, 'user-id');

    // 👇 add the User to the group
    group.addUser(user);
  }
}

We created an IAM user and added it to a group.

Let's deploy the changes:

Copied!
npx aws-cdk deploy

If we look at the Users section of our group, we can see that the user we created has been added:

# Importing an existing IAM Group in AWS CDK

In order to import an external IAM Group in an AWS CDK stack, we have to use the fromGroupArn static method on the Group class.

Copied!
import * as cdk from 'aws-cdk-lib';
import * as iam from 'aws-cdk-lib/aws-iam';

export class CdkStarterStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // 👇 import existing Group
    const importedGroup = iam.Group.fromGroupArn(
      this,
      'existing-group-id',
      `arn:aws:iam::${cdk.Stack.of(this).account}:group/YOUR_GROUP_NAME`,
    );

    console.log('imported group name 👉', importedGroup.groupName);
    console.log('imported group arn 👉', importedGroup.groupArn);
  }
}

We used the fromGroupArn static method on the Group class to import an external group. The method takes 3 parameters:

1. scope - the scope of the construct
2. id - an identifier for the construct (must be unique within the scope)
3. groupArn - the ARN of the group we want to import

# Further Reading

• IAM Principal Examples in AWS CDK - Complete Guide
• AWS CDK IAM Condition Example - Complete Guide
• AWS CDK Managed Policy Example - Complete Guide
• AWS CDK IAM Policy Example - Complete Guide
• AWS CDK IAM Role Example - Complete Guide
• How to use Context in AWS CDK
• How to use Parameters in AWS CDK