
aws_iam: CfnServiceLinkedRole not adding policy to role #27203

Closed
cjhelloletsgo opened this issue Sep 19, 2023 · 5 comments
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management bug This issue is a bug. needs-cfn This issue is waiting on changes to CloudFormation before it can be addressed. response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@cjhelloletsgo

cjhelloletsgo commented Sep 19, 2023

Describe the bug

When creating a Lex V2 bot with a built-in intent type of AMAZON.KendraSearchIntent, a policy with permissions to query Kendra should be generated, but it isn't. The policy is automatically generated and attached to the service-linked role in the AWS console, but it is not added if the bot is created through the CDK.

Relevant code snippet:

```python
from aws_cdk import aws_iam as iam, aws_lex as lex

# Snippet from inside a Stack; `self` is the stack, and `account`,
# `kendra_index`, `env_tag` and `project_tag` are defined elsewhere in it.
lex_role = iam.CfnServiceLinkedRole(
    self,
    "Lex Role",
    aws_service_name="lexv2.amazonaws.com",
    description="Service Linked Role for Lex Bots deployed by cdk stack",
    custom_suffix="test",
)

menu_bot = lex.CfnBot(
    self,
    "Menu Bot",
    data_privacy={"ChildDirected": False},
    idle_session_ttl_in_seconds=60,
    name="MenuBot",
    # Service-linked roles live under the aws-service-role/<service> path
    role_arn=f"arn:aws:iam::{account}:role/aws-service-role/lexv2.amazonaws.com/{lex_role.attr_role_name}",
    bot_locales=[
        lex.CfnBot.BotLocaleProperty(
            locale_id="en_US",
            description="Locale for Kendra",
            nlu_confidence_threshold=0.90,
            intents=[
                lex.CfnBot.IntentProperty(
                    name="RequiredIntent",
                    description="Intent required for bot to build",
                    sample_utterances=[
                        lex.CfnBot.SampleUtteranceProperty(
                            utterance="Do not use this ever"
                        )
                    ],
                ),
                # Built-in Kendra search intent; this is what needs the
                # kendra permissions on the service-linked role
                lex.CfnBot.IntentProperty(
                    name="KendraSearchIntent",
                    description="Intent to ask a question. This intent searches a Kendra index for an answer to the question.",
                    kendra_configuration=lex.CfnBot.KendraConfigurationProperty(
                        kendra_index=kendra_index.attr_arn,
                    ),
                    parent_intent_signature="AMAZON.KendraSearchIntent",
                    fulfillment_code_hook=lex.CfnBot.FulfillmentCodeHookSettingProperty(
                        enabled=False,
                        is_active=True,
                        post_fulfillment_status_specification=lex.CfnBot.PostFulfillmentStatusSpecificationProperty(
                            success_response=lex.CfnBot.ResponseSpecificationProperty(
                                allow_interrupt=True,
                                message_groups_list=[
                                    lex.CfnBot.MessageGroupProperty(
                                        message=lex.CfnBot.MessageProperty(
                                            plain_text_message=lex.CfnBot.PlainTextMessageProperty(
                                                # Lex session attribute placeholders use ((...)) syntax
                                                value="I found a link to a document that could help you: ((x-amz-lex:kendra-search-response-document-link-1))"
                                            )
                                        ),
                                    )
                                ],
                            )
                        ),
                    ),
                ),
                lex.CfnBot.IntentProperty(
                    name="FallbackIntent",
                    description="Default intent when no other intent matches",
                    parent_intent_signature="AMAZON.FallbackIntent",
                ),
            ],
        )
    ],
    auto_build_bot_locales=True,
    description="Draft Version",
    bot_tags=[env_tag, project_tag],
)
```

Expected Behavior

A policy allowing access to Kendra from Lex should be generated so Lex can use the built-in AMAZON.KendraSearchIntent intent.

Current Behavior

The policy is not generated; access is blocked.

Reproduction Steps

Using the Python CDK, create a Lex service-linked role and a CfnBot which uses the role. Test the Lex bot, and access to Kendra will be denied.

Possible Solution

Update the Lex service-linked role with the correct permissions when an AMAZON.KendraSearchIntent intent is included in the bot.

Additional Information/Context

No response

CDK CLI Version

2.96.2 (build 3edd240)

Framework Version

No response

Node.js Version

v18.18.0

OS

Ubuntu 23.04

Language

Python

Language Version

Python 3.11.4

Other information

No response

@cjhelloletsgo cjhelloletsgo added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Sep 19, 2023
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Sep 19, 2023
@peterwoodworth
Contributor

CDK generates CloudFormation templates and deploys them to CloudFormation. Since you're using an L1 resource (prefixed with Cfn), you're creating a resource that will appear in the template exactly as if you were using CloudFormation directly. That is to say, you'll need to specify this directly, or ask CloudFormation to handle this when creating this resource through CloudFormation.

@peterwoodworth peterwoodworth added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. needs-cfn This issue is waiting on changes to CloudFormation before it can be addressed. and removed needs-triage This issue or PR still needs to be triaged. labels Sep 19, 2023
@cjhelloletsgo
Author

Yes, that makes sense; however, in this case I don't think that is possible. In the CfnServiceLinkedRole docs it says:
"To attach a policy to this service-linked role, you must make the request using the AWS service that depends on this role." Lex doesn't have any provisions for modifying service-linked roles that I see. The service-linked role docs for Lex say that if a bot is configured to use the KendraSearchIntent intent, then the service-linked role should allow the actions for the specified resource.

Link to CfnServiceLinkedRole docs: https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_iam/CfnServiceLinkedRole.html

Link to LexV2 Service linked role docs: https://docs.aws.amazon.com/lexv2/latest/dg/using-service-linked-roles.html
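The Lex docs linked above say the service-linked role must allow the Kendra actions on the configured index. The following added example (not code from this issue or the aws-cdk project) checks a role's policy documents offline for that grant, using a simplified IAM evaluation (Allow/Deny with wildcards; no conditions, NotAction or NotResource); it assumes the needed action is kendra:Query and uses constructed sample policies.

```python
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, target):
    # IAM wildcards: '*' matches any run of characters, '?' a single one
    return any(fnmatchcase(target, p) for p in _as_list(patterns))


def is_allowed(policy_documents, action, resource):
    """Simplified IAM evaluation: explicit Deny wins, otherwise any Allow;
    no matching statement means implicit deny. Conditions, NotAction and
    NotResource are not modelled (assumption of this example)."""
    allowed = False
    for doc in policy_documents:
        for stmt in _as_list(doc.get("Statement", [])):
            if "Action" not in stmt or "Resource" not in stmt:
                continue
            if not (_matches(stmt["Action"], action)
                    and _matches(stmt["Resource"], resource)):
                continue
            if stmt.get("Effect") == "Deny":
                return False
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed


def missing_kendra_access(policy_documents, kendra_index_arn):
    """Return the (action, resource) pairs the role does not grant.
    Assumes AMAZON.KendraSearchIntent needs kendra:Query on the index."""
    needed = [("kendra:Query", kendra_index_arn)]
    return [pair for pair in needed if not is_allowed(policy_documents, *pair)]


# Constructed sample policies (not the real managed policy): a role created
# without the Kendra statement, and the same role with it added.
INDEX_ARN = "arn:aws:kendra:us-east-1:111122223333:index/EXAMPLE-INDEX-ID"
BARE_ROLE_POLICIES = [{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "polly:SynthesizeSpeech", "Resource": "*"}]}]
FIXED_ROLE_POLICIES = BARE_ROLE_POLICIES + [{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kendra:Query", "Resource": INDEX_ARN}]}]

if __name__ == "__main__":
    print("bare role lacks:", missing_kendra_access(BARE_ROLE_POLICIES, INDEX_ARN))
    print("fixed role lacks:", missing_kendra_access(FIXED_ROLE_POLICIES, INDEX_ARN))
```

Feeding it the inline and attached policy documents fetched for the deployed role (for example via the IAM API) turns the "access denied" symptom into a concrete list of missing grants before the bot is tested.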

@peterwoodworth
Contributor

You'll need to reach out to CloudFormation / Lex about this; all we're doing here on CDK's end is creating the template exactly as you've specified. If you have an existing service role in your account, you can try using that instead of passing in a new one and see if that helps. Beyond that, you should reach out to the CloudFormation repo I linked, and create a ticket in premium support if you have it.

@cjhelloletsgo
Author

Ok, thank you for the assistance.

@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
