Closed
Description
What is the problem?
The grantManagementApiAccess function on the WebSocketApi (or WebSocketStage) creates the following IAM permission:
arn:aws:execute-api:us-east-1:account-id:api-id/stage-name/POST/@connections/*
This denies the IAM user "DELETE" permissions on the WebSocketApi. Example IAM denied error:
User: arn:aws:sts::****:assumed-role/***/*** is not authorized to perform: execute-api:ManageConnections on resource: arn:aws:execute-api:us-east-1:****:****/stage/DELETE/@connections/{connectionId}"
I believe the naming of the grantManagementApiAccess function implies that DELETE should be allowed. If not, perhaps there should be another IAM granting method to prevent the user from having to write a custom IAM policy.
Reproduction Steps
```typescript
import * as lambda from 'aws-cdk-lib/aws-lambda';
import { WebSocketApi, WebSocketStage } from '@aws-cdk/aws-apigatewayv2-alpha';
// `stack` and the handler code are placeholders; only the grant call matters here
const lambdaGraphQLFunction = new lambda.Function(stack, 'GraphQLHandler', { runtime: lambda.Runtime.NODEJS_14_X, handler: 'index.handler', code: lambda.Code.fromInline('exports.handler = async () => ({});') });
const webSocketApi = new WebSocketApi(stack, 'WebSocketApi');
const webSocketStage = new WebSocketStage(stack, 'Stage', { webSocketApi, stageName: 'stage-name' });
webSocketStage.grantManagementApiAccess(lambdaGraphQLFunction);
```
The resulting policy statement on the function's role:
```json
{
  "Effect": "Allow",
  "Action": [
    "execute-api:ManageConnections"
  ],
  "Resource": [
    "arn:aws:execute-api:us-east-1:account-id:api-id/stage-name/POST/@connections/*"
  ]
}
```
What did you expect to happen?
I expected grantManagementApiAccess to grant the "DELETE" permission for the WebSocketApi.
What actually happened?
The grantManagementApiAccess function only granted the "POST" operation.
CDK CLI Version
2.1.0
Framework Version
2.3.0-alpha.0
Node.js Version
14
OS
MacOS
Language
Typescript
Language Version
No response
Other information
No response
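The following is an added example, not code from the issue or from the CDK project. It models the statement grantManagementApiAccess produces (POST only) next to the custom policy the reporter would otherwise have to write (one resource ARN per management-API method), and implements IAM-style resource wildcard matching so both can be checked offline against the DELETE resource from the denied-request error. The region, account id, API id and connection id are constructed placeholders; the method set POST/DELETE/GET is the WebSocket management API's (send, disconnect, read connection), and the evaluator only handles a single Allow statement without Deny or condition logic.

```typescript
// Added example (not from the issue or the CDK project). Models the IAM grant the
// issue describes and checks it against the denied DELETE resource ARN.

export interface PolicyStatement {
  Effect: 'Allow' | 'Deny';
  Action: string[];
  Resource: string[];
}

// ARN form of the WebSocket management API resource:
//   arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<METHOD>/@connections/<connectionId>
export function managementApiArn(
  region: string, account: string, apiId: string, stage: string, method: string,
): string {
  return `arn:aws:execute-api:${region}:${account}:${apiId}/${stage}/${method}/@connections/*`;
}

// Statement allowing execute-api:ManageConnections on the given resource ARNs.
export function manageConnectionsStatement(resources: string[]): PolicyStatement {
  return { Effect: 'Allow', Action: ['execute-api:ManageConnections'], Resource: resources };
}

// IAM resource/action matching: '*' matches any run of characters (including '/'
// and ':'), '?' matches exactly one character, everything else is literal.
export function arnMatches(pattern: string, arn: string): boolean {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  const re = new RegExp('^' + escaped.replace(/\*/g, '.*').replace(/\?/g, '.') + '$');
  return re.test(arn);
}

// Simplified evaluation of one Allow statement (no Deny, no Condition handling).
export function statementAllows(stmt: PolicyStatement, action: string, resource: string): boolean {
  return stmt.Effect === 'Allow'
    && stmt.Action.some((a) => arnMatches(a, action))
    && stmt.Resource.some((r) => arnMatches(r, resource));
}

// Constructed placeholder identifiers used throughout the example.
const REGION = 'us-east-1';
const ACCOUNT = '123456789012';
const API_ID = 'a1b2c3d4e5';
const STAGE = 'stage';

// What the grant in the issue produces: POST only.
export const postOnly = manageConnectionsStatement([
  managementApiArn(REGION, ACCOUNT, API_ID, STAGE, 'POST'),
]);

// The custom policy the reporter would have to write instead: one ARN per method
// the management API exposes (POST = send, DELETE = disconnect, GET = read connection).
export const allMethods = manageConnectionsStatement(
  ['POST', 'DELETE', 'GET'].map((m) => managementApiArn(REGION, ACCOUNT, API_ID, STAGE, m)),
);

// The resource from the denied request in the issue, with constructed ids.
export const deleteRequest =
  `arn:aws:execute-api:${REGION}:${ACCOUNT}:${API_ID}/${STAGE}/DELETE/@connections/abc123`;

// Returns whether each statement covers the DELETE (disconnect) call.
export function checkGrants(): { postOnlyAllowsDelete: boolean; allMethodsAllowsDelete: boolean } {
  const action = 'execute-api:ManageConnections';
  return {
    postOnlyAllowsDelete: statementAllows(postOnly, action, deleteRequest),
    allMethodsAllowsDelete: statementAllows(allMethods, action, deleteRequest),
  };
}
```

Listing the methods explicitly, as allMethods does, keeps the grant narrower than a single `*/@connections/*` resource would, which is the trade-off to weigh if a broader built-in grant is added.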