Fix AWS CDK Policy ARN Does not Exist or is Not Attachable


Borislav Hadzhiev

Mon Apr 26 2021 · 2 min read


Photo by Noah Silliman

To fix the "Policy ARN does not exist" error, we have to add the necessary path prefix to the name of the managed policy.

Fix the AWS CDK Error - Policy ARN Does not Exist #

The most common reason we get the "Policy ARN does not exist or is not attachable" error in AWS CDK is that we've called the fromAwsManagedPolicyName method without the path prefix that is part of the managed policy's name.

For example, the following code gets the error:

// CDK v1 import; in CDK v2 it is: import * as iam from 'aws-cdk-lib/aws-iam';
import * as iam from '@aws-cdk/aws-iam';

// 👇 Without the necessary prefix - CDK builds the ARN
// arn:aws:iam::aws:policy/AWSLambdaBasicExecutionRole, which does not exist
const managedPolicy = iam.ManagedPolicy.fromAwsManagedPolicyName(
  'AWSLambdaBasicExecutionRole',
);

[Screenshot: "Policy ARN does not exist or is not attachable" error]

The solution is to include the prefix of the managed policy:

// 👇 WITH the necessary prefix - CDK builds the ARN
// arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
const managedPolicy = iam.ManagedPolicy.fromAwsManagedPolicyName(
  'service-role/AWSLambdaBasicExecutionRole',
);

Some managed policies have a prefix of service-role/, others of job-function/, and others don't have a prefix at all. If the managed policy we are importing has a prefix, we have to include it in the policy name, because CDK concatenates the string we pass onto arn:aws:iam::aws:policy/ to build the ARN it attaches.

The easiest way to see if the managed policy has a prefix is to look at the ARN of the policy, for example:

[Screenshot: managed policy ARN in the IAM console]

In the screenshot we can see that the policy has a prefix of service-role/, which we have to include in the call to fromAwsManagedPolicyName.

After we prefix the name of the managed policy the "Policy ARN does not exist or is not attachable" error is fixed.
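The safest way to get the prefix right is to derive the name from the policy ARN shown in the console rather than guessing it. The following TypeScript is an added example, not code from the original post or from the CDK library: it parses an IAM managed policy ARN into its path prefix and name, returns the exact string fromAwsManagedPolicyName expects, and refuses customer-managed policies (account segment other than "aws"), for which CDK's fromManagedPolicyArn is the right call. The function names and the sample ARN list are my own; the ARNs are constructed for the example, with the first being the one the post is about.

```typescript
// Added example (not from the original post or the CDK library): derive the
// argument for iam.ManagedPolicy.fromAwsManagedPolicyName() from a policy ARN.

interface ManagedPolicyRef {
  /** "aws" for AWS-managed policies, otherwise a 12-digit account id. */
  account: string;
  /** Path prefix such as "service-role/" or "job-function/"; "" if none. */
  pathPrefix: string;
  /** Bare policy name, e.g. "AWSLambdaBasicExecutionRole". */
  name: string;
}

// arn:<partition>:iam::<account|aws>:policy/<path...><name>
const POLICY_ARN = /^arn:([a-z-]+):iam::(aws|\d{12}):policy\/(.+)$/;

function parseManagedPolicyArn(arn: string): ManagedPolicyRef {
  const m = POLICY_ARN.exec(arn);
  if (!m) {
    throw new Error(`not an IAM managed policy ARN: ${arn}`);
  }
  const [, , account, resource] = m;
  // The path (if any) is everything up to and including the last "/".
  const slash = resource.lastIndexOf('/');
  return {
    account,
    pathPrefix: slash === -1 ? '' : resource.slice(0, slash + 1),
    name: slash === -1 ? resource : resource.slice(slash + 1),
  };
}

/**
 * Returns the string to pass to fromAwsManagedPolicyName(): path prefix
 * (possibly empty) followed by the policy name. Throws for customer-managed
 * policies, since fromAwsManagedPolicyName() would build an ARN under the
 * "aws" account that does not exist ("Policy ARN does not exist or is not
 * attachable"); those should be imported with fromManagedPolicyArn().
 */
function awsManagedPolicyNameFromArn(arn: string): string {
  const ref = parseManagedPolicyArn(arn);
  if (ref.account !== 'aws') {
    throw new Error(
      `${arn} is a customer-managed policy in account ${ref.account}; ` +
        'use ManagedPolicy.fromManagedPolicyArn() instead',
    );
  }
  return `${ref.pathPrefix}${ref.name}`;
}

// Constructed sample ARNs for the example: with service-role/ prefix,
// with job-function/ prefix, and with no prefix at all.
const SAMPLE_ARNS = [
  'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole',
  'arn:aws:iam::aws:policy/job-function/ViewOnlyAccess',
  'arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess',
];

for (const arn of SAMPLE_ARNS) {
  const name = awsManagedPolicyNameFromArn(arn);
  console.log(`${arn}\n  -> fromAwsManagedPolicyName('${name}')`);
}
```

Paste the ARN from the console's policy summary page into awsManagedPolicyNameFromArn and pass the result to fromAwsManagedPolicyName; a thrown error means the policy is not an AWS-managed one and needs fromManagedPolicyArn instead.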
