iam: cannot pass iam.ManagedPolicy or iam.Policy to lambda.Function.grantInvoke

[Tietew]

Describe the bug

Following code fails:

const func = new lambda.Function(this, 'Function', { /* ... */ });
const managedPolicy = new iam.ManagedPolicy(this, 'ManagedPolicy');
func.grantInvoke(managedPolicy);

The error message is:

Cannot use a ManagedPolicy 'MyStack/Function' as the 'Principal' or 'NotPrincipal' in an IAM Policy

Regression Issue

• Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

Grant lambda:InvokeFunction to ManagedPolicy or Policy.

Current Behavior

grantInvoke() throws an error described above.

Reproduction Steps

See the description above.

Possible Solution

grantInvoke() calls grantee.grantPrincipal.policyFragment.conditions to create a dedupe hash.

aws-cdk/packages/aws-cdk-lib/aws-lambda/lib/function-base.ts

Lines 435 to 442 in 2b2443d

	public grantInvoke(grantee: iam.IGrantable): iam.Grant {
	const hash = createHash('sha256')
	.update(JSON.stringify({
	principal: grantee.grantPrincipal.toString(),
	conditions: grantee.grantPrincipal.policyFragment.conditions,
	}), 'utf8')
	.digest('base64');
	const identifier = `Invoke${hash}`;

But policyFragment getter of ManagedPolicy and Policy throws an error. (see #22712)
It should return a dummy policy fragment like Group.

aws-cdk/packages/aws-cdk-lib/aws-iam/lib/group.ts

Lines 82 to 84 in 2b2443d

	public get policyFragment(): PrincipalPolicyFragment {
	return new ArnPrincipal(this.groupArn).policyFragment;
	}

Group is blocked in PolicyStatement

aws-cdk/packages/aws-cdk-lib/aws-iam/lib/policy-statement.ts

Lines 240 to 244 in 2b2443d

	private validatePolicyPrincipal(principal: IPrincipal) {
	if (principal instanceof Group) {
	throw new Error('Cannot use an IAM Group as the \'Principal\' or \'NotPrincipal\' in an IAM Policy');
	}
	}

Additional Information/Context

No response

CDK CLI Version

2.176.0

Framework Version

2.176.0

Node.js Version

22.13.0

OS

Ubuntu

Language

TypeScript

Language Version

No response

Other information

Related to #32795

[pahud]

We generally func.grantInvoke() on principals, not managed policies.
See Resource-based Policies.

What is your intention and use case?

[Tietew]

@pahud grantInvoke() adds only identity-based policies when the grantee is Role/User/Group in same account. ManagedPolicy and Policy should be allowed in same way of Group.
ManagedPolicy implements IGrantable in my PR #22712

Currently works:

const group = new iam.Group(this, 'MyAppGroup', { users: [...] });
// users in the group can invoke someFunction
someFunction.grantInvoke(group);

I want this:

const policy = new iam.ManagedPolicy(this, 'MyAppPolicy', { roles: [...], users: [...] });
// users and roles with the policy attached can invoke someFunction
someFunction.grantInvoke(policy);

Does not work (expected):

const importedPolicy = iam.ManagedPolicy.fromManagedPolicyArn(this, 'ImportedPolicy', ...);
// INVALID - cannot add an identity-based policy to an imported ManagedPolicy
someFunction.grantInvoke(importedPolicy);

const policy = new iam.ManagedPolicy(this, 'MyAppPolicy', {...});
// INVALID - cannot add a resource-based policy from a ManagedPolicy
crossAccountFunction.grantInvoke(policy);

[aelgn]

This would be a very nice feature.
Use case:
We currently use ManagedPolicies that is linked by name to Permission Sets in AWS Identity Center to manage authorization over multiple accounts. This means we cannot use account local groups / roles in cdk since Identity Center provisions its own SSOReservedRole for the permission set in target accounts.

[Kasra-G]

Is there any blocker for implementation of this change? The associated PR being prioritized and merged would resolve inconsistencies with lambda's grantInvoke() compared to how other resources handle a Policy as the grantee.

Though, I think the fix would be cleaner if there was a way for the policies to know what principals they are attached to when permissions are granted (and use them for the policy fragment) but that seems like a larger change.