Mon Apr 26 2021·2 min read
The most common cause of the "Policy ARN does not exist or is not
attachable" error in AWS CDK is calling the fromAwsManagedPolicyName method
without the prefix that the managed policy name requires.
For example, the following code gets the error:
```typescript
// 👇 Without necessary Prefix
const managedPolicy = iam.ManagedPolicy.fromAwsManagedPolicyName(
  'AWSLambdaBasicExecutionRole',
);
```
The solution is to include the prefix of the managed policy:
```typescript
// 👇 WITH necessary Prefix
const managedPolicy = iam.ManagedPolicy.fromAwsManagedPolicyName(
  'service-role/AWSLambdaBasicExecutionRole',
);
```
Some managed policies have a prefix of service-role/, others of job-function/,
and others don't have a prefix at all. If the managed policy we are importing
has a prefix, we have to include it in the policy name.
The easiest way to see if the managed policy has a prefix is to look at the ARN of the policy, for example:
In the screenshot we can see that the policy has a prefix of
which we have to include in the call to
After we prefix the name of the managed policy the "Policy ARN does not exist or is not attachable" error is fixed.
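The ARN-to-name rule described above, as an added example that is not code from the original article: everything after `policy/` in the ARN, prefix included, is the name to pass to fromAwsManagedPolicyName. The helper names `managedPolicyNameFromArn` and `resolvePolicyName` are hypothetical, the ARN list is a sample typed in for the example, and the code uses plain string handling so it runs without the CDK installed.

```typescript
// Sample ARNs as shown in the IAM console (typed in for this example).
const SAMPLE_ARNS: string[] = [
  'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole',
  'arn:aws:iam::aws:policy/job-function/ViewOnlyAccess',
  'arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess',
];

// arn:<partition>:iam::<account>:policy/<optional prefix/><name>
const POLICY_ARN = /^arn:([^:]+):iam::([^:]*):policy\/(.+)$/;

// Returns the name, prefix included, to pass to fromAwsManagedPolicyName.
function managedPolicyNameFromArn(arn: string): string {
  const m = POLICY_ARN.exec(arn.trim());
  if (m === null) {
    throw new Error(`Not an IAM policy ARN: ${arn}`);
  }
  const [, , account = '', name = ''] = m;
  // AWS managed policies carry the literal account field "aws"; a 12-digit
  // account ID means a customer managed policy, which this method cannot import.
  if (account !== 'aws') {
    throw new Error(`Not an AWS managed policy (account "${account}"): ${arn}`);
  }
  return name;
}

// Given a name as someone typed it (possibly missing its prefix), returns the
// full name from the known ARNs, or undefined if no policy has that base name.
function resolvePolicyName(name: string, knownArns: string[]): string | undefined {
  const bare = name.split('/').pop() ?? name;
  for (const arn of knownArns) {
    const full = managedPolicyNameFromArn(arn);
    if (full.split('/').pop() === bare) {
      return full;
    }
  }
  return undefined;
}

// 'AWSLambdaBasicExecutionRole' resolves to the prefixed name; in a stack it
// would then go to iam.ManagedPolicy.fromAwsManagedPolicyName(fixed).
const fixed = resolvePolicyName('AWSLambdaBasicExecutionRole', SAMPLE_ARNS);
console.log(fixed);
```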