So, this is a strange one. I'm actually using a pre-canned AWS solution that is failing to provision. I am following this document:
https://docs.aws.amazon.com/solutions/latest/automated-security-response-on-aws/deployment.html
The issue I am having is deploying the Template in STEP 2. Specifically, it calls out the below section:
Resources:
  OrchestratorMemberRoleMemberAccountRoleBE9AD9D5:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              AWS:
                Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - ":iam::"
                    - Ref: SecHubAdminAccount
                    - :role/SO0111-SHARR-Orchestrator-Admin
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                Fn::FindInMap:
                  - ServiceprincipalMap
                  - Ref: AWS::Region
                  - ssm
        Version: "2012-10-17"
I have not edited this from what is provided, but the error that I get is as follows:
"Invalid principal in policy: "AWS":"arn:aws:iam::ACCOUNT-ID:role/SO0111-SHARR-Orchestrator-Admin" (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: REQUEST-ID; Proxy: null)"
I downloaded the template and have been attempting to re-format the problem section, but I'm having no luck.
Anyone able to help on this?
Invalid principal in policy
Often indicates that such a principal does not exist. To create an IAM role, the principal named in its trust policy must already exist beforehand.
Related
I am getting the below error for my code despite the existence of the roles mentioned.
AssumeRolePolicyDocument:
  Version: '2012-10-17'
  Statement:
    Effect: Allow
    Principal:
      Service:
        - ec2.amazonaws.com
        - es.amazonaws.com
        - lambda.amazonaws.com
        - autoscaling.amazonaws.com
        - rds.amazonaws.com
      AWS:
        - !Sub 'arn:aws:iam::${AWS::AccountId}:role/${Product}${Environment}*'
        - !Sub 'arn:aws:iam::${AWS::AccountId}:role/infra-${Product}${Environment}*'
    Action:
      - sts:AssumeRole
Invalid principal in policy: "AWS":"arn:aws:iam::xxxxxxx:role/xxxx*" (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument.
Any idea what I am doing wrong ?
You can't use a wildcard in this way, as noted in the section Anonymous users (public) of https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html :
You cannot use a wildcard to match part of a name or an ARN.
Following along with the tutorials, but changing some semantic things, I'm getting this error from serverless when I deploy:
An error occurred: GraphQlDsUsersRole - Syntax errors in policy. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 4b486514-e57d-4828-9edc-f9150d8806b4; Proxy: null).
Doing a search on my directory, this role seems to be autogenerated into the .serverless file. How is this generated, and what could I have done to mess it up?
My serverless.yml file:
service: graphql-api
plugins:
  - serverless-appsync-plugin
  - serverless-pseudo-parameters
package:
  exclude:
    - node_modules/**
    - ./node_modules/**
provider:
  name: aws
  runtime: nodejs12.x
  region: us-east-1
custom:
  stage: dev
  appSync:
    name: ${self:service}-${self:custom.stage}
    authenticationType: API_KEY
    mappingTemplates:
      - dataSource: Users
        type: Query
        field: getUsers
        request: 'getUsers-request-mapping-template.txt'
        response: 'getUsers-response-mapping-template.txt'
    schema: schema.graphql
    dataSources:
      - type: AMAZON_DYNAMODB
        name: Users
        description: User Table
        config:
          tableName: { Ref: UserTable }
          serviceRoleARN: { Fn::GetAtt: [AppSyncDynamoDBServiceRole, Arn]}
          iamRoleStatements:
            - Effect: Allow
              Action:
                - 'dynamodb:*'
              Resources:
                - 'arn:aws:dynamodb:${self:provider.region}:#{AWS::AccountId}:table/Users'
                - 'arn:aws:dynamodb:${self:provider.region}:#{AWS::AccountId}:table/Users/*'
resources:
  - ${file(resources/roles.yml)}
  - ${file(resources/dynamodb.yml)}
My roles.yml file:
AppSyncDynamoDBServiceRole:
  Type: "AWS::IAM::Role"
  Properties:
    RoleName: "Dynamo-${self:service}-Role"
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: "Allow"
          Principal:
            Service:
              - "appsync.amazonaws.com"
              - "dynamodb.amazonaws.com"
          Action:
            - "sts:AssumeRole"
    Policies:
      - PolicyName: "Dynamo-${self:service}-Policy"
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Action:
                - "dynamodb:Query"
                - "dynamodb:BatchWriteItem"
                - "dynamodb:GetItem"
                - "dynamodb:DeleteItem"
                - "dynamodb:PutItem"
                - "dynamodb:Scan"
                - "dynamodb:UpdateItem"
              Resource:
                - "arn:aws:dynamodb:${self:provider.region}:#{AWS::AccountId}:table/Users"
                - "arn:aws:dynamodb:${self:provider.region}:#{AWS::AccountId}:table/Users/*"
Sorry for the late response. Not sure if you found a solution yet, but I will answer anyway in case it helps anyone.
I notice 2 things here:
serviceRoleARN is misspelled. It should be serviceRoleArn
serviceRoleArn and iamRoleStatements are mutually exclusive. serviceRoleArn takes the ARN of a full already-existing role, while iamRoleStatements auto-generates the role for you with the provided policy statement. When both are provided, serviceRoleArn takes precedence.
So here, what was used was iamRoleStatements (because serviceRoleArn was misspelled).
The name of the generated resource confirms that: GraphQlDsUsersRole
As for why the policy is malformed, this is because Resource is misspelled too.
It has to be singular (even if you pass an array).
I am trying to create a KMS key using CloudFormation with the template below, and I am getting the following error:
Error:
MalformedPolicyDocumentExceptionnull (Service: AWSKMS; Status Code: 400; Error Code: MalformedPolicyDocumentException; Request ID: cc99c04e-8423-43a3-9183-313438544abb)
I have tried many ways to fix this issue but couldn't find a solution.
Template:
PcsKmsCmk1:
  Type: AWS::KMS::Key
  Properties:
    KeyPolicy:
      Version: 2012-10-17
      Id: default
      Statement:
        - Sid: Allow root account all permissions except to decrypt the key
          Effect: Allow
          Principal:
            AWS:
              - !Sub arn:aws:iam::${AWS::AccountId}:root
          Action: kms:*
          Resource: '*'
        - Sid: Enable AWSAdminRole to have full permissions to KMS key
          Effect: Allow
          Principal:
            AWS:
              - !Sub arn:aws:iam::${AWS::AccountId}:/role/AWSAdminRole
          Action: kms:*
          Resource: '*'
          Condition:
            Bool:
              kms:GrantIsForAWSResource: 'true'
In the ARN, you used /role, which is wrong.
For your reference:
Use - !Sub arn:aws:iam::${AWS::AccountId}:role/AWSAdminRole instead of - !Sub arn:aws:iam::${AWS::AccountId}:/role/AWSAdminRole
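The three "Invalid principal" answers above (the principal must exist, no wildcards inside a principal ARN, and no leading slash as in ":/role/") share one root cause: IAM validates every Principal.AWS entry when the policy is written, not when it is used. The following pre-flight check is an added example and not code from any of the posters; it encodes the two causes that can be caught offline (wildcards and malformed ARNs) and reports them per statement, so a template can be linted before cfn-lint or CloudFormation ever sees it. The sample policy at the bottom is constructed to mirror the principals in this thread after the !Sub / Fn::Join intrinsics have been resolved; the account id 111111111111 is a placeholder. Whether the named role really exists in the other account still needs a live IAM lookup and is out of scope here.

```python
"""Offline pre-flight check of the Principal.AWS element of a policy document.

Added example, not part of the original posts. Catches two causes of
"Invalid principal in policy" / MalformedPolicyDocument seen in this thread:
  * a wildcard inside a principal ARN (only a bare "*" is accepted by IAM), and
  * a malformed IAM ARN such as "arn:aws:iam::123456789012:/role/Name".
It cannot tell whether the principal actually exists; that needs a live lookup.
"""
import re
from typing import Any, Dict, List

# IAM principal ARNs a trust or resource policy may name: root, a role or a
# user. The account id is exactly 12 digits and the resource part has no
# leading slash.
_IAM_PRINCIPAL_ARN = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):iam::(\d{12}):"
    r"(root|(role|user)/[\w+=,.@/-]+)$"
)
# An assumed-role session ARN (STS) is also a valid principal form.
_STS_SESSION_ARN = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):sts::(\d{12}):assumed-role/[\w+=,.@-]+/[\w+=,.@-]+$"
)
_ACCOUNT_ID = re.compile(r"^\d{12}$")


def check_aws_principal(value: str) -> List[str]:
    """Return the problems with one Principal.AWS entry (empty list = OK)."""
    if value == "*":
        return []          # anonymous access: legal, though rarely intended
    if _ACCOUNT_ID.match(value):
        return []          # bare account id is shorthand for that account's root
    if "*" in value or "?" in value:
        return [f"{value!r}: wildcards cannot match part of a principal ARN; "
                "name each role explicitly, or trust the account root and "
                "restrict who may call sts:AssumeRole on the caller side"]
    if _IAM_PRINCIPAL_ARN.match(value) or _STS_SESSION_ARN.match(value):
        return []
    if ":/" in value:
        return [f"{value!r}: resource part must not start with '/'; "
                "write ':role/Name', not ':/role/Name'"]
    return [f"{value!r}: not a valid IAM principal ARN"]


def lint_principals(policy: Dict[str, Any]) -> List[str]:
    """Walk every statement of a policy document and check Principal.AWS."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):       # IAM accepts a single statement object
        statements = [statements]
    findings = []
    for idx, stmt in enumerate(statements):
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            continue                       # "Principal": "*" has no AWS key
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        for entry in aws:
            for problem in check_aws_principal(entry):
                findings.append(f"Statement[{idx}] {stmt.get('Sid', '')}: {problem}")
    return findings


# Constructed sample (not from the posts): the three principal forms in this
# thread, as CloudFormation would pass them to IAM. 111111111111 is a placeholder.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OrchestratorAdmin", "Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/SO0111-SHARR-Orchestrator-Admin"}},
        {"Sid": "Wildcard", "Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": ["arn:aws:iam::111111111111:role/app-dev*"]}},
        {"Sid": "BadPath", "Effect": "Allow", "Action": "kms:*", "Resource": "*",
         "Principal": {"AWS": ["arn:aws:iam::111111111111:/role/AWSAdminRole"]}},
    ],
}

if __name__ == "__main__":
    for line in lint_principals(SAMPLE_POLICY):
        print(line)
```

Run against the constructed sample it reports the wildcard and the ":/role/" entries and passes the fully qualified orchestrator role ARN. The wildcard advice in the message reflects the usual workaround: trust the account root (or explicit role ARNs) in the trust policy and put the name pattern in the caller's own sts:AssumeRole permission, where resource wildcards are allowed.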
I'm trying to launch a scheduled instance which will be stopped and started at a specified time each day (in an AWS CloudFormation template).
This is the IAM role and policy that I defined for the Lambda function:
RootRole:
  Type: 'AWS::IAM::Role'
  Properties:
    AssumeRolePolicyDocument:
      Version: 2012-10-17
      Statement:
        - Effect: Allow
          Action:
            - logs:CreateLogGroup
            - logs:CreateLogStream
            - logs:PutLogEvents
          Resource: arn:aws:logs:*:*:*
        - Effect: Allow
          Action:
            - ec2:Start*
            - ec2:Stop*
          Resource: "*"
When I create a stack, it returns an error in the console (CREATE_FAILED), and the status reason is:
Has prohibited field Resource (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 3094b9eb-9f45-4763-8f21-9c3f2496fc52)
And after this error, all the services related to this role fail with this error:
The following resource(s) failed to create: [InternetGateway, SNSTopicNameCreate, LambdaInvocationsAlarm, RootRole, VPC, LambdaInvocationsAnomalyDetector]. Rollback requested by user.
Your policy appears to be confusing the "Assume Role" section, which defines the Trust Policy, with the "Policy" section, which grants permissions to the IAM Role.
Try this:
AWSTemplateFormatVersion: 2010-09-09
Resources:
  LambdaRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: Lambda-Role
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: AllowLogsAndEC2
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: arn:aws:logs:*:*:*
              - Effect: Allow
                Action:
                  - ec2:StartInstances
                  - ec2:StopInstances
                Resource: "*"
Typically, the easiest way to create a policy is to copy an existing policy and make minor changes, or use the policy editor in the IAM console to generate most of what you want. You can then tweak the policy it provides.
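The answer above and the serverless one earlier in the thread describe the same class of mistake from two sides: a trust policy (AssumeRolePolicyDocument) must name a Principal and may not carry Resource ("Has prohibited field Resource"), while an identity policy attached to the role must carry Resource and may not name a Principal, and every statement key is singular even when its value is a list ("Resources" produces "Syntax errors in policy"). The checker below is an added example, not the answerer's code or anything from the serverless-appsync-plugin: it infers the policy type from the CloudFormation property that holds it and lints each statement accordingly. The BROKEN_TEMPLATE at the bottom is constructed to reproduce both failures in one AWS::IAM::Role; the logical id and policy name are placeholders.

```python
"""Structural check of the IAM policy documents inside a CloudFormation template.

Added example, not from the original posts. Flags two MalformedPolicyDocument
causes discussed in this thread: permission statements written into the trust
policy (Resource is prohibited there, Principal is required), and a pluralised
statement key such as "Resources" in an identity policy.
"""
from typing import Any, Dict, List

TRUST = "trust"            # AssumeRolePolicyDocument: who may assume the role
IDENTITY = "identity"      # PolicyDocument on a role/user/group: what it may do

# Keys IAM understands inside a statement. Anything else is a syntax error.
_STATEMENT_KEYS = {"Sid", "Effect", "Principal", "NotPrincipal", "Action",
                   "NotAction", "Resource", "NotResource", "Condition"}


def _statements(doc: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Normalise Statement, which IAM accepts as one object or a list."""
    stmts = doc.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def lint_statement(stmt: Dict[str, Any], kind: str, where: str) -> List[str]:
    """Return the problems with one statement given the policy type it sits in."""
    out = []
    for key in stmt:
        if key not in _STATEMENT_KEYS:
            hint = ""
            if key in ("Resources", "Actions", "Principals"):
                hint = f" (did you mean {key[:-1]!r}? the key is singular even for a list)"
            out.append(f"{where}: unknown field {key!r}{hint}")
    if stmt.get("Effect") not in ("Allow", "Deny"):
        out.append(f"{where}: Effect must be Allow or Deny")
    if not ({"Action", "NotAction"} & set(stmt)):
        out.append(f"{where}: statement has no Action")
    has_principal = bool({"Principal", "NotPrincipal"} & set(stmt))
    has_resource = bool({"Resource", "NotResource"} & set(stmt))
    if kind == TRUST:
        if not has_principal:
            out.append(f"{where}: trust policy statement needs a Principal")
        if has_resource:
            out.append(f"{where}: trust policy has prohibited field Resource")
    elif kind == IDENTITY:
        if has_principal:
            out.append(f"{where}: identity policy has prohibited field Principal")
        if not has_resource:
            out.append(f"{where}: identity policy statement needs a Resource")
    return out


def lint_role(logical_id: str, role: Dict[str, Any]) -> List[str]:
    """Lint one AWS::IAM::Role: its trust policy and every inline policy."""
    props = role.get("Properties", {})
    findings: List[str] = []
    trust = props.get("AssumeRolePolicyDocument")
    if trust is None:
        findings.append(f"{logical_id}: missing AssumeRolePolicyDocument")
    else:
        # str() so an unquoted YAML date (2012-10-17) still compares equal.
        if str(trust.get("Version")) != "2012-10-17":
            findings.append(f"{logical_id}: Version should be the string '2012-10-17'")
        for i, s in enumerate(_statements(trust)):
            findings += lint_statement(s, TRUST, f"{logical_id}.AssumeRolePolicyDocument[{i}]")
    for pol in props.get("Policies", []):
        name = pol.get("PolicyName", "?")
        for i, s in enumerate(_statements(pol.get("PolicyDocument", {}))):
            findings += lint_statement(s, IDENTITY, f"{logical_id}.Policies[{name}][{i}]")
    return findings


def lint_template(template: Dict[str, Any]) -> List[str]:
    """Lint every AWS::IAM::Role in an already-parsed template."""
    findings: List[str] = []
    for lid, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::IAM::Role":
            findings += lint_role(lid, res)
    return findings


# Constructed sample (placeholder ids), modelled on the failing RootRole above:
# permission statements sit in the trust policy and one key is pluralised.
BROKEN_TEMPLATE = {
    "Resources": {
        "RootRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow",
                                   "Action": ["logs:CreateLogGroup", "logs:PutLogEvents"],
                                   "Resource": "arn:aws:logs:*:*:*"}],
                },
                "Policies": [{"PolicyName": "Ec2",
                              "PolicyDocument": {"Version": "2012-10-17",
                                                 "Statement": [{"Effect": "Allow",
                                                                "Action": ["ec2:StartInstances"],
                                                                "Resources": ["*"]}]}}],
            },
        }
    }
}

if __name__ == "__main__":
    for finding in lint_template(BROKEN_TEMPLATE):
        print(finding)
```

Feed it the output of any YAML or JSON loader (PyYAML with a loader that tolerates the !Sub / !Ref tags, or cfn-flip) and it reports the missing Principal and the prohibited Resource in the trust policy, plus the misspelled "Resources" in the inline policy, before the stack ever reaches CREATE_FAILED and rolls back the unrelated resources with it.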
Can't figure out what I am doing wrong. If I comment out the SNSAddTopicPolicy, everything works fine; however, once it is uncommented I get:
SNSAddTopicPolicy - Invalid parameter: Policy Error: null (Service: AmazonSNS; Status Code: 400; Error Code: InvalidParameter; Request ID: 26870c3b-4829-5080-bd88-59e9524c08e4).
I have tried every single combination but can't get it to work. Any help?
BucketAddEventInterfaceSNSTopic:
  Type: AWS::SNS::Topic
  Properties:
    TopicName: accounts-bucket-add-interface-dev
SNSAddTopicPolicy:
  Type: AWS::SNS::TopicPolicy
  Properties:
    PolicyDocument:
      Id: 'accounts-sns-add-policy-dev'
      Version: 2012-10-17
      Statement:
        Sid: 'accounts-sns-add-statement-dev'
        Effect: Allow
        # this probably needs narrowed down
        Principal:
          AWS: '*'
        Action: sns:Publish
        Resource: { "Ref":"BucketAddEventInterfaceSNSTopic" }
    Topics:
      - { "Ref": "BucketAddEventInterfaceSNSTopic" }
It looks like you're mixing JSON and YAML syntax for the Ref. Also, just to be safe, you should put quotes around your Version as shown below.
Your policy should look more like this:
SNSAddTopicPolicy:
  Type: AWS::SNS::TopicPolicy
  Properties:
    PolicyDocument:
      Id: 'accounts-sns-add-policy-dev'
      Version: '2012-10-17'
      Statement:
        Sid: 'accounts-sns-add-statement-dev'
        Effect: Allow
        # this probably needs narrowed down
        Principal:
          AWS: '*'
        Action: sns:Publish
        Resource: !Ref BucketAddEventInterfaceSNSTopic
    Topics:
      - !Ref BucketAddEventInterfaceSNSTopic