Borislav Hadzhiev
Thu Apr 14 2022·2 min read
Updated - Thu Apr 14 2022
The most common reason we get the "Policy ARN does not exist or is not attachable" error in AWS CDK is that we've called the fromAwsManagedPolicyName method without the path prefix that is part of the managed policy's name.
For example, the following code gets the error:
    import * as iam from 'aws-cdk-lib/aws-iam'; // CDK v2 import path

    // 👇 Without necessary Prefix (fails with "Policy ARN does not exist or is not attachable")
    const managedPolicy = iam.ManagedPolicy.fromAwsManagedPolicyName(
      'AWSLambdaBasicExecutionRole',
    );
The solution is to include the prefix of the managed policy:
    import * as iam from 'aws-cdk-lib/aws-iam'; // CDK v2 import path

    // 👇 WITH necessary Prefix (resolves to arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole)
    const managedPolicy = iam.ManagedPolicy.fromAwsManagedPolicyName(
      'service-role/AWSLambdaBasicExecutionRole',
    );
Some managed policies have a prefix of service-role/, others of job-function/, and others don't have a prefix at all. If the managed policy we are importing has a prefix, we have to include it in the policy name.
The easiest way to see if the managed policy has a prefix is to look at the ARN of the policy, for example:
In the screenshot, we can see that the policy's ARN contains the prefix service-role/, which we have to include in the call to fromAwsManagedPolicyName.
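To make the "read the prefix off the ARN" step mechanical, here is an added helper (not from the original post and not part of aws-cdk-lib) that parses an IAM managed policy ARN and returns exactly the string fromAwsManagedPolicyName expects. It also flags customer-managed policies (account other than the literal aws), which that method cannot import at all; the ARNs below are constructed sample inputs.

```typescript
// Hypothetical helper: derive the fromAwsManagedPolicyName argument from a policy ARN.
// IAM managed policy ARN layout: arn:<partition>:iam::<account>:policy/<path><name>
// For AWS-managed policies <account> is the literal "aws"; <path> is everything
// between "policy/" and the last "/" (e.g. "service-role/", "job-function/") or empty.

type ManagedPolicyRef =
  | { kind: 'aws-managed'; path: string; name: string; cdkName: string }
  | { kind: 'customer-managed'; account: string; path: string; name: string };

function parseManagedPolicyArn(arn: string): ManagedPolicyRef {
  const m = /^arn:(aws|aws-cn|aws-us-gov):iam::([a-z0-9]{1,12}):policy\/(.+)$/.exec(arn);
  if (!m) {
    throw new Error(`not an IAM managed policy ARN: ${arn}`);
  }
  const account = m[2];
  const pathAndName = m[3];
  const slash = pathAndName.lastIndexOf('/');
  const path = slash === -1 ? '' : pathAndName.slice(0, slash + 1); // keeps trailing "/"
  const name = pathAndName.slice(slash + 1);
  if (account === 'aws') {
    // Prefix (if any) + name is the string CDK needs to build the ARN back.
    return { kind: 'aws-managed', path, name, cdkName: `${path}${name}` };
  }
  // Customer-managed policies live in a real account; import them with
  // ManagedPolicy.fromManagedPolicyArn / fromManagedPolicyName instead.
  return { kind: 'customer-managed', account, path, name };
}

// Convenience wrapper: returns the name to pass to fromAwsManagedPolicyName,
// or throws when the ARN does not belong to an AWS-managed policy.
function awsManagedPolicyName(arn: string): string {
  const ref = parseManagedPolicyArn(arn);
  if (ref.kind !== 'aws-managed') {
    throw new Error(`${arn} is customer-managed; use fromManagedPolicyArn`);
  }
  return ref.cdkName;
}
```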
After we prefix the name of the managed policy, the "Policy ARN does not exist or is not attachable" error is fixed.