I am trying to create a vault with an additional policy:

    // Create an AWS Backup vault
    const backupVault = new backup.BackupVault(this, this.backup_name + '-vault', {
      backupVaultName: this.backup_name + '-vault',
      blockRecoveryPointDeletion: true,
      removalPolicy: RemovalPolicy.DESTROY,
    });
    backupVault.grant(
      new iam.AccountPrincipal('111222333444'),
      'backup:CopyIntoBackupVault'
    );

But the vault is created without the granted policy. CDK generates a template like this:

    "Resources": {
      "mybackupvault67D998C2": {
        "Type": "AWS::Backup::BackupVault",
        "Properties": {
          "AccessPolicy": {
            "Statement": [
              {
                "Action": [
                  "backup:DeleteRecoveryPoint",
                  "backup:UpdateRecoveryPointLifecycle"
                ],
                "Effect": "Deny",
                "Principal": {
                  "AWS": "*"
                },
                "Resource": "*"
              }
            ],
            "Version": "2012-10-17"
          },
          "BackupVaultName": "my_backup-vault"
        },
        "UpdateReplacePolicy": "Delete",
        "DeletionPolicy": "Delete",
        "Metadata": {
          "aws:cdk:path": "euc1-backup/my_backup-vault/Resource"
        }
      },
      ...

What could be the reason?
Instead of using backupVault.grant, you should use addToAccessPolicy to add an access policy to the backup vault. Please check and let me know.
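
A check that catches this kind of silently missing vault permission before deployment, as an added example (not part of the original question or answer): it scans a synthesized template for backup vaults whose AccessPolicy has no Allow statement for a given action and account. The function names and the sample Allow statement are constructed for illustration; the Deny statement and logical ID are copied from the template in the question.

```typescript
// Added example: list AWS::Backup::BackupVault resources in a synthesized
// template whose AccessPolicy lacks an Allow for a given action and account.
type Statement = { Effect?: string; Action?: unknown; Principal?: { AWS?: unknown } };
type Resource = { Type: string; Properties?: { AccessPolicy?: { Statement?: unknown } } };
type Template = { Resources: { [logicalId: string]: Resource } };

const asArray = (v: unknown): unknown[] =>
  v === undefined ? [] : Array.isArray(v) ? v : [v];

// The principal may be a literal ARN, a bare account ID, or an intrinsic such
// as Fn::Join, so match on its serialized form.
function namesAccount(principal: unknown, accountId: string): boolean {
  const text = JSON.stringify(principal === undefined ? null : principal);
  return text.indexOf("::" + accountId + ":root") >= 0 ||
    text.indexOf('"' + accountId + '"') >= 0;
}

function vaultsMissingAllow(t: Template, action: string, accountId: string): string[] {
  return Object.keys(t.Resources).filter((id) => {
    const res = t.Resources[id];
    if (!res || res.Type !== "AWS::Backup::BackupVault") return false;
    const stmts = asArray(res.Properties?.AccessPolicy?.Statement) as Statement[];
    return !stmts.some((s) =>
      s.Effect === "Allow" &&
      asArray(s.Action).indexOf(action) >= 0 &&
      namesAccount(s.Principal?.AWS, accountId));
  });
}

// Deny statement as it appears in the template from the question.
const denyStatement = {
  Effect: "Deny",
  Action: ["backup:DeleteRecoveryPoint", "backup:UpdateRecoveryPointLifecycle"],
  Principal: { AWS: "*" },
};
// Constructed sample: a cross-account Allow of the kind the question intends.
const allowStatement = {
  Effect: "Allow",
  Action: "backup:CopyIntoBackupVault",
  Principal: { AWS: { "Fn::Join": ["", ["arn:", { Ref: "AWS::Partition" }, ":iam::111222333444:root"]] } },
};
const makeTemplate = (statements: unknown[]): Template => ({
  Resources: {
    mybackupvault67D998C2: {
      Type: "AWS::Backup::BackupVault",
      Properties: { AccessPolicy: { Statement: statements } },
    },
  },
});
const asSynthesized = makeTemplate([denyStatement]);
const withAllow = makeTemplate([denyStatement, allowStatement]);
```

Run against the output of cdk synth, vaultsMissingAllow returns the logical IDs to fail the build on; an empty array means every vault carries the expected statement.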