Fix AWS CDK Policy ARN Does not Exist or is Not Attachable

Fix the AWS CDK Error - Policy ARN Does not Exist #

The most common reason we get the "Policy ARN does not exist or is not attachable" error in AWS CDK is, because we've tried to use the fromAwsManagedPolicyName method, but we have not provided the necessary prefix for the managed policy name.

For example, the following code gets the error:

// 👇 Without necessary Prefix
const managedPolicy = iam.ManagedPolicy.fromAwsManagedPolicyName(
  'AWSLambdaBasicExecutionRole',
);

The solution is to include the prefix of the managed policy:

// 👇 WITH necessary Prefix
const managedPolicy = iam.ManagedPolicy.fromAwsManagedPolicyName(
  'service-role/AWSLambdaBasicExecutionRole',
);

Some managed policies have a prefix of service-role/, others of job-function/ and others don't have a prefix at all. If the managed policy we are importing has a prefix we have to include it in the policy name.

The easiest way to see if the managed policy has a prefix is to look at the ARN of the policy, for example:

In the screenshot we can see that the policy has a prefix of service-role/, which we have to include in the call to fromAwsManagedPolicyName.

After we prefix the name of the managed policy the "Policy ARN does not exist or is not attachable" error is fixed.

Further Reading #

• AWS CDK IAM Role Example - Complete Guide
• AWS CDK IAM Policy Example - Complete Guide
• AWS CDK Tutorial for Beginners - Step-by-Step Guide
• How to use Context in AWS CDK
• How to use Parameters in AWS CDK
• What is a Token in AWS CDK