Policy statement is getting generated while adding SNS destination to Lambda
I have a create-lambda stack and I am adding an existing SNS topic as the destination through CDK + Python. While deploying the code I am getting an error: The function's execution role does not have permissions to call Publish on arn:aws:sns:us-east-1:<accid><SNStopic>
Here is my Lambda event invoke config code:
```python
from aws_cdk import aws_lambda as _lambda

# SNStopicARN holds the ARN of the existing topic used as the on-success destination
cfn_event_invoke_config = _lambda.CfnEventInvokeConfig(
    self, "MyCfnEventInvokeConfig",
    function_name="lambda-gluetrigger",
    qualifier="$LATEST",
    destination_config=_lambda.CfnEventInvokeConfig.DestinationConfigProperty(
        on_success=_lambda.CfnEventInvokeConfig.OnSuccessProperty(
            destination=SNStopicARN
        )
    )
)
```
Also, here is the code that attaches the IAM policy to the Lambda execution role:
```python
from aws_cdk import aws_iam as _iam

# lambda_exec_role is the (imported) execution role of the function
lambda_exec_role.attach_inline_policy(_iam.Policy(
    self,
    "sns-publish-policy",
    document=_iam.PolicyDocument(
        assign_sids=True,
        statements=[
            _iam.PolicyStatement(
                effect=_iam.Effect.ALLOW,
                actions=[
                    "sns:*"
                ],
                resources=["*"]
            )
        ]
    )
))
```
I tried granting access to the SNS topic's ARN in the resources, and tried sns:publish as well as sns:*, but nothing has worked so far.
I also cannot use add_to_role_policy, since I don't have access to add anything additional to the role programmatically. Can somebody please help and tell me what I am missing?
Solution 1:[1]
I should have done this earlier; nevertheless, we were able to find a solution for this scenario. We work in an ALZ account where access to create IAM roles and policies is very restricted. Hence, the solution to the above situation is to use the mutable=False property while importing the role into a stack.
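When the role is imported with `iam.Role.from_role_arn(..., mutable=False)`, CDK stops synthesising policies for it, so the `sns:Publish` grant has to already exist on the role and the practitioner is left verifying an existing policy document rather than generating one. As an added example (not code from the question, the answer, or the CDK project), here is a dependency-free Python checker that evaluates whether a policy document allows `sns:Publish` on a destination topic ARN and flags grants broader than a Lambda destination needs, such as the `sns:*` on `*` statement from the question. It implements IAM's decision order (explicit Deny beats Allow, otherwise implicit deny), IAM's `*` and `?` wildcards, and the case rules (action names are case-insensitive, ARNs are not); `NotAction`, `NotResource` and `Condition` are out of scope and raise rather than being silently ignored. The account id and topic name are constructed placeholders.

```python
import re
from typing import Any, Dict, List

# Constructed sample values (not from the original post): fictional account id and topic.
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:example-topic"

# Shape of the policy in the question: every SNS action on every resource.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["sns:*"], "Resource": ["*"]}],
}

# Least-privilege alternative: only Publish, only the destination topic.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sns:Publish", "Resource": TOPIC_ARN}],
}

# An explicit Deny (e.g. from a boundary policy) wins over any matching Allow.
DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sns:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "sns:Publish", "Resource": "arn:aws:sns:us-east-1:*:*"},
    ],
}


def _as_list(value: Any) -> List[Any]:
    """IAM allows Statement/Action/Resource to be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern: str, value: str, case_insensitive: bool) -> bool:
    """IAM string matching: '*' matches any run of characters, '?' exactly one, all else literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def _statement_applies(stmt: Dict[str, Any], action: str, resource: str) -> bool:
    """True when the statement names the action (case-insensitively) and the resource (case-sensitively)."""
    for key in ("NotAction", "NotResource", "Condition"):
        if key in stmt:
            raise NotImplementedError(f"{key} is outside this checker's scope; evaluate it separately")
    action_hit = any(_wildcard_match(p, action, True) for p in _as_list(stmt.get("Action")))
    resource_hit = any(_wildcard_match(p, resource, False) for p in _as_list(stmt.get("Resource")))
    return action_hit and resource_hit


def is_action_allowed(policy: Dict[str, Any], action: str, resource: str) -> bool:
    """IAM decision: any matching explicit Deny -> False; else any matching Allow -> True; else implicit deny."""
    decision = False
    for stmt in _as_list(policy.get("Statement")):
        if not _statement_applies(stmt, action, resource):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            decision = True
    return decision


def audit_scope(policy: Dict[str, Any]) -> List[str]:
    """Flag Allow statements that grant more than a Lambda destination needs (action wildcard or Resource '*')."""
    findings: List[str] = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if any(a.lower() in ("sns:*", "*") for a in _as_list(stmt.get("Action"))):
            findings.append(f"statement {i}: action wildcard, narrow to sns:Publish")
        if "*" in _as_list(stmt.get("Resource")):
            findings.append(f"statement {i}: Resource '*', narrow to the destination topic ARN")
    return findings


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY), ("deny", DENY_POLICY)):
        print(name, is_action_allowed(policy, "sns:Publish", TOPIC_ARN), audit_scope(policy))
```

Run it against the policy document actually attached to the imported role (for example, the JSON from `aws iam get-role-policy`) with the exact topic ARN from the deployment error; a `False` result with an ARN that differs only in region, account or letter case pinpoints the mismatch, and the audit output says how far the grant can be narrowed once it works.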
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Deepak |