I'm trying to add a policy to my (static website) S3 bucket to let only the CloudFront distribution access it, but during deployment I still get a MalformedPolicy error and cannot find where the problem is.
CloudFormation template (essential parts):
Resources:
  BucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    DependsOn:
      - AppBucket
      - CloudFrontDistribution
    Properties:
      Bucket: !Ref AppBucket
      PolicyDocument:
        Id: MyPolicy
        Version: 2012-10-17
        Statement:
          - Sid: PolicyForCloudFrontPrivateContent
            Action: 's3:GetObject*'
            Effect: Allow
            Condition:
              StringLike:
                'aws:Referer':
                  - !Sub 'https://*.${CloudFrontDistribution}.cloudfront.net/*'
            Resource:
              - !Sub arn:aws:s3:::${AppBucket}
  CloudFrontDistribution:
    # ...
  AppBucket:
    # ...
Deployment error
(...)
CloudFormation events from stack operations (refresh every 0.5 seconds)
---------------------------------------------------------------------------------------------------------------------------------------------
ResourceStatus ResourceType LogicalResourceId ResourceStatusReason
---------------------------------------------------------------------------------------------------------------------------------------------
UPDATE_IN_PROGRESS AWS::S3::BucketPolicy BucketPolicy -
UPDATE_FAILED AWS::S3::BucketPolicy BucketPolicy Missing required field Principal (Service: Amazon S3; Status Code: 400; Error Code: MalformedPolicy; Request ID: DG2QHRDJQ2WS6JZV; S3 Extended Request ID: 6u+LYv77A4AoDmKmyB4Sfup+rueC1iGAQ82GdkfHimIZLX/HXUPWj2FKSq7WCgi41F4XU6z6BOk=; Proxy: null)
UPDATE_ROLLBACK_IN_PROGRESS AWS::CloudFormation::Stack test-app-hosting The following resource(s) failed to update: [BucketPolicy].
UPDATE_COMPLETE AWS::S3::BucketPolicy BucketPolicy -
UPDATE_ROLLBACK_COMPLETE_CLEANUP_IN_PROGRESS AWS::CloudFormation::Stack test-app-hosting -
UPDATE_ROLLBACK_COMPLETE AWS::CloudFormation::Stack test-app-hosting -
---------------------------------------------------------------------------------------------------------------------------------------------
Error: Failed to create/update the stack: test-app-hosting, Waiter StackUpdateComplete failed: Waiter encountered a terminal failure state: For expression "Stacks[].StackStatus" we matched expected path: "UPDATE_ROLLBACK_COMPLETE" at least once
Update #1
As both @luk2302 and @Marcin pointed out, I was missing the Statement > Principal section (feel pretty dumb about it), but adding it now gives a new error:
---------------------------------------------------------------------------------------------------------------------------------------------
ResourceStatus ResourceType LogicalResourceId ResourceStatusReason
---------------------------------------------------------------------------------------------------------------------------------------------
UPDATE_IN_PROGRESS AWS::S3::BucketPolicy BucketPolicy -
UPDATE_FAILED AWS::S3::BucketPolicy BucketPolicy Invalid policy syntax. (Service: Amazon S3; Status Code: 400; Error Code: MalformedPolicy; Request ID: NH6PZB3QF0747F4N; S3 Extended Request ID: xdXOFPWgHCjgLzf4gdjCg79NIXS6qtmtLuGn8N7NeLIOJ4Qw2bgSJ2v6MKdNzbrMCWCEPKBc90E=; Proxy: null)
UPDATE_ROLLBACK_IN_PROGRESS AWS::CloudFormation::Stack test-app-hosting The following resource(s) failed to update: [BucketPolicy].
Resource is incorrectly indented, and you are missing Principal as described in the AWS docs. It should be:
BucketPolicy:
  Type: 'AWS::S3::BucketPolicy'
  DependsOn:
    - AppBucket
    - CloudFrontDistribution
  Properties:
    Bucket: !Ref AppBucket
    PolicyDocument:
      Id: MyPolicy
      Version: 2012-10-17
      Statement:
        - Sid: PolicyForCloudFrontPrivateContent
          Action: 's3:GetObject*'
          Effect: Allow
          Principal:
            Service: cloudfront.amazonaws.com
          Resource:
            - !Sub arn:aws:s3:::${AppBucket}
          Condition:
            StringLike:
              'aws:Referer':
                - !Sub 'https://*.${CloudFrontDistribution}.cloudfront.net/*'
Ok, after a lot of trial and error I found that the main problem was giving Resource and Condition.StringLike.aws:Referer array values instead of strings:
Wrong
Resource:
  - !Sub arn:aws:s3:::${AppBucket}
Condition:
  StringLike:
    'aws:Referer':
      - !Sub 'https://*.${CloudFrontDistribution}.cloudfront.net/*'
Right
Resource: !Sub arn:aws:s3:::${AppBucket}
Condition:
  StringLike:
    'aws:Referer': !Sub 'https://*.${CloudFrontDistribution}.cloudfront.net/*'
So, this is a strange one. I'm actually using a pre-canned AWS solution that is failing to provision. I am following this document:
https://docs.aws.amazon.com/solutions/latest/automated-security-response-on-aws/deployment.html
The issue I am having is deploying the Template in STEP 2. Specifically, it calls out the below section:
Resources:
  OrchestratorMemberRoleMemberAccountRoleBE9AD9D5:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              AWS:
                Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - ":iam::"
                    - Ref: SecHubAdminAccount
                    - :role/SO0111-SHARR-Orchestrator-Admin
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                Fn::FindInMap:
                  - ServiceprincipalMap
                  - Ref: AWS::Region
                  - ssm
        Version: "2012-10-17"
I have not edited this from what is provided, but the error that I get is as follows:
"Invalid principal in policy: "AWS":"arn:aws:iam::ACCOUNT-ID:role/SO0111-SHARR-Orchestrator-Admin" (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: REQUEST-ID; Proxy: null)"
I downloaded the template and have been attempting to re-format the problem section, but I'm having no luck.
Anyone able to help on this?
"Invalid principal in policy" often indicates that such a principal does not exist. To create the IAM role, the principal must already exist beforehand.
I'm attempting to update my AWS SAM template with additional permissions for an S3 bucket policy. I need the following additions: 's3:ListBucket', 's3:PutObject' and 's3:DeleteObject'.
However, I'm getting an invalid policy message when I deploy the updated template.
Error message from GitHub Actions:
Policy has invalid resource (Service:Amazon S3; Status Code: 400; Error Code: MalformedPolicy;
BucketPolicy:
  Type: AWS::S3::BucketPolicy
  Properties:
    Bucket: !Ref MyWebsite
    PolicyDocument:
      Id: MyPolicy
      Version: 2012-10-17
      Statement:
        Sid: PublicRead
        Effect: Allow
        Principal: "*"
        Action:
          - 's3:ListBucket'
          - 's3:GetObject'
          - 's3:PutObject'
          - 's3:DeleteObject'
        Resource:
          - "arn:aws:s3:::my-resume-wesite123456/*"
          - "arn:aws:s3:::my-resume-wesite123456/"
I thought I may have a typo in the resource name, but the bucket was created successfully with the code below.
Resources:
  MyWebsite:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: PublicRead
      WebsiteConfiguration:
        IndexDocument: index.html
      BucketName: my-resume-wesite123456
Any advice greatly appreciated.
You can directly reference the bucket, making your life a lot easier:
BucketPolicy:
  Type: AWS::S3::BucketPolicy
  Properties:
    Bucket: !Ref MyWebsite
    PolicyDocument:
      Id: MyPolicy
      Version: 2012-10-17
      Statement:
        Sid: PublicRead
        Effect: Allow
        Principal: "*"
        Action:
          - 's3:ListBucket'
          - 's3:GetObject'
          - 's3:PutObject'
          - 's3:DeleteObject'
        Resource:
          - !Sub ${MyWebsite.Arn}/*
          - !Sub ${MyWebsite.Arn}
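The bucket-policy errors in the first and third questions above are all things S3 rejects with a generic MalformedPolicy: a statement with no Principal, a Resource that is neither a bucket nor an object ARN (the trailing "arn:aws:s3:::bucket/" with no key), and object-level actions such as s3:GetObject pointed at a bare bucket ARN, which S3 accepts syntactically but which then matches no object. The following linter, added here as an example and not code from any of the posts, runs these checks over the resolved policy JSON (what CloudFormation produces after !Ref and !Sub are substituted). It accepts both a string and a list for Resource and for condition values, since the IAM policy grammar allows either, and it flags one thing that is not a syntax error at all: the third question's policy grants Principal "*" s3:PutObject and s3:DeleteObject, i.e. anonymous write and delete on a public website bucket. Bucket names, the CloudFront distribution ID and the sample policies are constructed for the test. Note also that aws:Referer, used in the first question, compares a client-supplied header and does not authenticate CloudFront.

```python
import re

# Added example (not from the original posts): lints resolved S3 bucket-policy
# JSON for the MalformedPolicy causes in this thread. Names are constructed.
BUCKET_ARN = re.compile(r"^arn:aws:s3:::[a-z0-9.-]{3,63}$")
OBJECT_ARN = re.compile(r"^arn:aws:s3:::[a-z0-9.-]{3,63}/.+$")

# Object-level actions need "arn:aws:s3:::bucket/*"; ListBucket needs the bare bucket ARN.
OBJECT_ACTIONS = {"s3:getobject", "s3:putobject", "s3:deleteobject"}
BUCKET_ACTIONS = {"s3:listbucket"}
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject"}


def as_list(value):
    """The IAM grammar accepts a single string or a list in Action/Resource/condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def matches(pattern, action):
    """Case-insensitive match of a policy action glob such as 's3:GetObject*'."""
    regex = "^" + re.escape(pattern.lower()).replace(r"\*", ".*") + "$"
    return re.match(regex, action.lower()) is not None


def lint_statement(stmt, index):
    findings = []
    sid = stmt.get("Sid", f"statement[{index}]")
    for field in ("Effect", "Action", "Resource"):
        if field not in stmt:
            findings.append(f"{sid}: missing required field {field}")
    # A bucket policy is a resource policy, so Principal is mandatory (first error in the thread).
    if "Principal" not in stmt and "NotPrincipal" not in stmt:
        findings.append(f"{sid}: missing required field Principal")

    resources = as_list(stmt.get("Resource"))
    actions = as_list(stmt.get("Action"))
    for arn in resources:  # "bucket/" with no key is neither a bucket nor an object ARN
        if arn != "*" and not (BUCKET_ARN.match(arn) or OBJECT_ARN.match(arn)):
            findings.append(f"{sid}: invalid resource {arn!r}")

    bucket_arns = [r for r in resources if BUCKET_ARN.match(r)]
    object_arns = [r for r in resources if OBJECT_ARN.match(r)]
    for act in actions:
        if any(matches(act, a) for a in OBJECT_ACTIONS) and bucket_arns and not object_arns:
            findings.append(f"{sid}: {act} needs an object ARN (bucket/*), got only a bucket ARN")
        if any(matches(act, a) for a in BUCKET_ACTIONS) and object_arns and not bucket_arns:
            findings.append(f"{sid}: {act} needs the bucket ARN, got only object ARNs")

    # Not a syntax error, but public write to a website bucket is a real misconfiguration.
    if stmt.get("Effect") == "Allow" and stmt.get("Principal") in ("*", {"AWS": "*"}):
        writes = [a for a in actions if any(matches(a, w) for w in WRITE_ACTIONS)]
        if writes:
            findings.append(f"{sid}: public principal granted write actions {writes}")
    return findings


def lint_policy(policy):
    findings = []
    # PyYAML-style loaders turn an unquoted 2012-10-17 into a date; quote it in YAML.
    if policy.get("Version") != "2012-10-17":
        findings.append(f"Version must be the string '2012-10-17', got {policy.get('Version')!r}")
    statements = as_list(policy.get("Statement"))
    if not statements:
        findings.append("policy has no Statement")
    for i, stmt in enumerate(statements):
        findings.extend(lint_statement(stmt, i))
    return findings


# Constructed samples mirroring the first and third questions after !Sub resolution.
MISSING_PRINCIPAL = {
    "Id": "MyPolicy", "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PolicyForCloudFrontPrivateContent", "Effect": "Allow",
        "Action": "s3:GetObject*", "Resource": ["arn:aws:s3:::app-bucket"],
        "Condition": {"StringLike": {"aws:Referer": ["https://*.d111111abcdef8.cloudfront.net/*"]}},
    }],
}
INVALID_RESOURCE = {
    "Id": "MyPolicy", "Version": "2012-10-17",
    "Statement": {
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
        "Resource": ["arn:aws:s3:::my-resume-wesite123456/*", "arn:aws:s3:::my-resume-wesite123456/"],
    },
}
PUBLIC_READ_ONLY = {  # what a static-website bucket policy should look like
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-resume-wesite123456/*"}],
}

if __name__ == "__main__":
    for name, pol in [("question 1", MISSING_PRINCIPAL), ("question 3", INVALID_RESOURCE),
                      ("public read only", PUBLIC_READ_ONLY)]:
        print(name, lint_policy(pol) or "OK")
```

Run it before `sam deploy` against the policy your template renders (e.g. the output of `aws cloudformation get-template` or `sam build`), or drop it into the pipeline as a pre-deploy gate. The public-write finding is the one worth failing the build on; the others only reproduce what S3 would reject anyway, but with a reason you can act on instead of "Invalid policy syntax".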
I am trying to create an endpoint in SageMaker. Below is the serverless.yaml file.
I am getting:
PocModelEndPointRole" exists and that its trust relationship policy allows the action "sts:AssumeRole" for the service principal
After investigating the stack events I see:
2022-05-25 02:03:03 UTC+0530 RModelEndpointModel CREATE_FAILED Could not access model data at s3://my-bucket/output/byom_poc/gre_score_knn.tar.gz. Please ensure that the role "arn:aws:iam::19:role/PocModelEndPointRole" exists and that its trust relationship policy allows the action "sts:AssumeRole" for the service principal "sagemaker.amazonaws.com". Also ensure that the role has "s3:GetObject" permissions and that the object is located in us-east-2. (Service: AmazonSageMaker; Status Code: 400; Error Code: ValidationException; Request ID: 243d62e4b-a7a1-488a-b89e-8aa0fb486296; Proxy: null)
2022-05-25 02:03:02 UTC+0530 ServiceNotificationTopic CREATE_IN_PROGRESS Resource creation Initiated
2022-05-25 02:03:02 UTC+0530 ModelEndpointRole CREATE_IN_PROGRESS Resource creation Initiated
2022-05-25 02:03:01 UTC+0530 ServiceNotificationTopic CREATE_IN_PROGRESS -
2022-05-25 02:03:01 UTC+0530 RModelEndpointModel CREATE_IN_PROGRESS -
2022-05-25 02:03:01 UTC+0530 ModelEndpointRole CREATE_IN_PROGRESS -
2022-05-25 02:02:57 UTC+0530 byom-pc-dev CREATE_IN_PROGRESS User Initiated
Serverless.yaml
resources:
  Resources:
    RModelEndpointRole:
      Type: AWS::IAM::Role
      Properties:
        Path: /
        RoleName: ${self:custom.modelEndpointRoleName}
        PermissionsBoundary: ${self:provider.rolePermissionsBoundary}
        ManagedPolicyArns:
          - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
          - "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess"
          - "arn:aws:iam::aws:policy/CloudWatchEventsFullAccess"
          - "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess"
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - events.amazonaws.com
                  - states.amazonaws.com
                  - sagemaker.amazonaws.com
              Action:
                - sts:AssumeRole
        Policies:
          - PolicyName: ${self:custom.modelEndpointRoleName}
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: Allow
                  Action:
                    - s3:List*
                    - s3:Get*
                    - s3:Put*
                  Resource:
                    - "arn:aws:s3:::${self:custom.deploymentBucket}/*"
                    - "arn:aws:s3:::${self:custom.deploymentBucket}"
    RModelEndpoint:
      Type: "AWS::SageMaker::Endpoint"
      Properties:
        EndpointConfigName:
          !GetAtt RModelEndpointConfig.EndpointConfigName
    RModelEndpointConfig:
      Type: "AWS::SageMaker::EndpointConfig"
      Properties:
        ProductionVariants:
          - InitialInstanceCount: 1
            InitialVariantWeight: 1.0
            InstanceType: ml.t2.large
            # ModelName: "myrmodel"
            # VariantName: "test1"
            ModelName: !GetAtt RModelEndpointModel.ModelName
            VariantName: !GetAtt RModelEndpointModel.ModelName
    RModelEndpointModel:
      Type: "AWS::SageMaker::Model"
      Properties:
        PrimaryContainer:
          Image: ${self:custom.sagemakerRExecutionContainerURI}
          Mode: SingleModel
          #ModelDataUrl: !Sub s3://${AppBucket}/${ModelDataPath}
          #ModelDataUrl: s3://${self:custom.deploymentBucket}/${self:service}/${self.custom.ModelDataPath}
          ModelDataUrl: "s3://my-bucket/output/byom_poc/gre_score_knn.tar.gz"
        ExecutionRoleArn: "${self:custom.modelEndpointRoleARN}"
Error that I am getting:
Serverless Error ---------------------------------------
An error occurred: RModelEndpointModel - Could not access model data at s3://my-bucket/output/byom_poc/gre_score_knn.tar.gz. Please ensure that the role "arn:aws:iam::19:role/PocModelEndPointRole" exists and that its trust relationship policy allows the action "sts:AssumeRole" for the service principal "sagemaker.amazonaws.com". Also ensure that the role has "s3:GetObject" permissions and that the object is located in us-east-2. (Service: AmazonSageMaker; Status Code: 400; Error Code: ValidationException; Request ID: 83d62e4b-a7a1-488a-b89e-8aa0fb486296; Proxy: null).
I found this link.
The code below worked for me:
RModelEndpointModel:
  DependsOn: ModelEndpointRole
  Type: "AWS::SageMaker::Model"
I have a cloudformation stack which exports this role with some policies attached:
CodeBuildRole:
  Type: AWS::IAM::Role
  Properties:
    RoleName: codebuild-role
    AssumeRolePolicyDocument:
      Statement:
        - Action: ['sts:AssumeRole']
          Effect: Allow
          Principal:
            Service:
              - codebuild.amazonaws.com
              - codepipeline.amazonaws.com
      Version: '2012-10-17'
    Path: /
    Policies:
      - etc....
The exported role name is cb-remove-role-id which I am then trying to import in another stack to be used by another codebuild project in a code pipeline
BuildProjectUK:
  Type: AWS::CodeBuild::Project
  Properties:
    Name: !Sub ${ResourceContext}-build-uk
    Description: UK build and deploy
    ServiceRole: !ImportValue cb-remove-role-id
    BadgeEnabled: false
    Artifacts:
      Type: CODEPIPELINE
    Environment:
      etc...
When trying to update the latter stack's template, I get this error:
Failed to call UpdateProject, reason: CodeBuild is not authorized to perform: sts:AssumeRole on arn:aws:iam::xxxxxxxxx:role/xxxxxxxxx (Service: AWSCodeBuild; Status Code: 400; Error Code: InvalidInputException; Request ID: xxxxxxxxxxxxxxxx; Proxy: null)
Any ideas why this may be or how I can resolve this?
Thanks
Exporting the role's Arn instead of its RoleId resolved the issue. Thanks @Marcin.
Failing output:
CodeBuildRemoveRoleId:
  Description: ID of role used by remove codebuild project
  Value: !GetAtt CodeBuildRole.RoleId
  Export:
    Name: cb-remove-role-id
Passing output:
CodeBuildRemoveRoleId:
  Description: ID of role used by remove codebuild project
  Value: !GetAtt CodeBuildRole.Arn
  Export:
    Name: cb-remove-role-id
I get the status UPDATE_FAILED for an S3 bucket with logical ID MyBucket explained by the following status reason in the cloudformation console:
Unable to validate the following destination configurations (Service: Amazon S3; Status Code: 400; Error Code: InvalidArgument; Request ID: ABCDEFGHIJK; S3 Extended Request ID: Aqd2fih3ro981DED8wq48io9e51rSD5e3Fo3iw5ue31br; Proxy: null)
I have the following CloudFormation template:
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  MyBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: my-bucket-name
      NotificationConfiguration:
        QueueConfigurations:
          - Event: s3:ObjectCreated:Put
            Filter:
              S3Key:
                Rules:
                  - Name: suffix
                    Value: jpg
            Queue: !GetAtt MyQueue.Arn
  MyQueue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: my-queue
      KmsMasterKeyId: alias/an-encryption-key
  MyQueuePolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - !Ref MyQueue
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - s3.amazonaws.com
            Action: SQS:SendMessage
            Resource: !GetAtt MyQueue.Arn
  EncryptionKey:
    Type: AWS::KMS::Key
    Properties:
      KeyPolicy:
        Version: '2012-10-17'
        Id: some-id
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: "kms:*"
            Resource: '*'
      KeyUsage: ENCRYPT_DECRYPT
  EncryptionKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/an-encryption-key
      TargetKeyId: !Ref EncryptionKey
What changes should I perform on the template in order to make the CloudFormation stack succeed?
The status reason is too vague for me to understand what is going wrong.
I know that it is related to the notification configuration because CloudFormation succeeds if I remove it.
Other similar posts on Stackoverflow mention a missing or inaccurate queue policy, but since I have a queue policy I do not think that that is the problem.
The problem is that since server-side encryption is enabled on the queue, S3 should be able to:
let KMS generate an appropriate data key
be able to decrypt using the EncryptionKey
Add a statement with the S3 service as principal that allows the above-mentioned actions:
  - Effect: Allow
    Principal:
      Service: s3.amazonaws.com
    Action:
      - kms:GenerateDataKey
      - kms:Decrypt
    Resource: "*"
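The reason the queue policy alone was not enough: when S3 stores a notification configuration it validates the destination by sending a test message, and with SSE-KMS on the queue that send also needs the key, so the KMS key policy has to let s3.amazonaws.com call kms:GenerateDataKey and kms:Decrypt (Resource "*" in a key policy means the key itself). The following check, added here as an example and not code from the question or the answer, evaluates both policies of the S3 to SQS chain as resolved JSON and reports what would still block delivery. It also points out a gap the thread does not touch: the queue statement grants s3.amazonaws.com without any source condition, so a bucket in any AWS account can publish to this queue; scope_to_bucket adds the aws:SourceArn and aws:SourceAccount conditions that AWS documents for S3 notification destinations. The account ID, region and ARNs are constructed for the test.

```python
import copy

# Added example (not from the original question or answer): checks the two policies
# an S3 event notification to an SSE-KMS queue depends on, then scopes the queue grant.
# Account ID, region and ARNs below are constructed.
S3_SERVICE = "s3.amazonaws.com"
REQUIRED_KMS_ACTIONS = {"kms:generatedatakey", "kms:decrypt"}  # the actions the answer adds


def as_list(value):
    return value if isinstance(value, list) else [value]


def actions_of(stmt):
    return {a.lower() for a in as_list(stmt.get("Action", []))}


def service_statements(policy, service):
    """Allow statements whose Principal.Service names `service`."""
    out = []
    for stmt in as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") == "Allow" and service in services:
            out.append(stmt)
    return out


def check_notification_chain(queue_policy, key_policy, queue_arn):
    """Return problems that make S3 fail to validate the destination; [] means deliverable."""
    problems = []
    sends = [s for s in service_statements(queue_policy, S3_SERVICE)
             if "sqs:sendmessage" in actions_of(s) and queue_arn in as_list(s.get("Resource"))]
    if not sends:
        problems.append("queue policy: no Allow for s3.amazonaws.com SQS:SendMessage on the queue ARN")
    for s in sends:
        # Without a source condition every bucket in every account may publish to this queue.
        keys = {k.lower() for block in s.get("Condition", {}).values() for k in block}
        if not keys & {"aws:sourcearn", "aws:sourceaccount"}:
            problems.append("queue policy: SendMessage grant not scoped by aws:SourceArn/aws:SourceAccount")
    # S3 needs the key to encrypt the message it sends to the queue.
    granted = set().union(*(actions_of(s) for s in service_statements(key_policy, S3_SERVICE)))
    missing = REQUIRED_KMS_ACTIONS - granted
    if missing:
        problems.append(f"key policy: s3.amazonaws.com lacks {sorted(missing)}")
    return problems


def scope_to_bucket(stmt, bucket_name, account_id):
    """Copy of a service-principal statement limited to notifications from one bucket.

    Uses the condition pair AWS documents for S3 notification destinations.
    """
    scoped = copy.deepcopy(stmt)
    cond = scoped.setdefault("Condition", {})
    cond.setdefault("ArnLike", {})["aws:SourceArn"] = f"arn:aws:s3:*:*:{bucket_name}"
    cond.setdefault("StringEquals", {})["aws:SourceAccount"] = account_id
    return scoped


ACCOUNT = "111122223333"  # constructed
QUEUE_ARN = f"arn:aws:sqs:eu-west-1:{ACCOUNT}:my-queue"  # region constructed
BUCKET_NAME = "my-bucket-name"

QUEUE_POLICY = {  # the question's MyQueuePolicy after !GetAtt resolution
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": ["s3.amazonaws.com"]},
                   "Action": "SQS:SendMessage", "Resource": QUEUE_ARN}],
}
KEY_POLICY_BEFORE = {  # the question's KeyPolicy: only the account-root statement
    "Version": "2012-10-17", "Id": "some-id",
    "Statement": [{"Sid": "Enable IAM User Permissions", "Effect": "Allow",
                   "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
                   "Action": "kms:*", "Resource": "*"}],
}
S3_KMS_STATEMENT = {  # the statement the answer adds
    "Effect": "Allow", "Principal": {"Service": "s3.amazonaws.com"},
    "Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Resource": "*",
}
KEY_POLICY_AFTER = {**KEY_POLICY_BEFORE,
                    "Statement": KEY_POLICY_BEFORE["Statement"] + [S3_KMS_STATEMENT]}
SCOPED_QUEUE_POLICY = {**QUEUE_POLICY,
                       "Statement": [scope_to_bucket(QUEUE_POLICY["Statement"][0], BUCKET_NAME, ACCOUNT)]}

if __name__ == "__main__":
    print("before:", check_notification_chain(QUEUE_POLICY, KEY_POLICY_BEFORE, QUEUE_ARN))
    print("after: ", check_notification_chain(SCOPED_QUEUE_POLICY, KEY_POLICY_AFTER, QUEUE_ARN) or "OK")
```

In the template this means adding the answer's statement to the key policy and, in MyQueuePolicy, a Condition with ArnLike aws:SourceArn set to the bucket ARN and StringEquals aws:SourceAccount set to !Ref AWS::AccountId; with both in place the check returns an empty list, and S3's destination validation succeeds.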