I'm attempting to update my AWS SAM template with additional permissions for an s3 bucket policy. I need the following additions: 's3:ListBucket', 's3:PutObject' and 's3:DeleteObject'
However im getting an invalid policy message when i deploy the updated template:
error message from github actions:
Policy has invalid resource (Service:Amazon S3; Status Code: 400; Error Code: MalformedPolicy;
BucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref MyWebsite
PolicyDocument:
Id: MyPolicy
Version: 2012-10-17
Statement:
Sid: PublicRead
Effect: Allow
Principal: "*"
Action:
- 's3:ListBucket'
- 's3:GetObject'
- 's3:PutObject'
- 's3:DeleteObject'
Resource:
- "arn:aws:s3:::my-resume-wesite123456/*"
- "arn:aws:s3:::my-resume-wesite123456/"
I thought i may have a typo in the resource name but the bucket was created successfully with the code below.
Resources:
MyWebsite:
Type: AWS::S3::Bucket
Properties:
AccessControl: PublicRead
WebsiteConfiguration:
IndexDocument: index.html
BucketName: my-resume-wesite123456
Any advice greatly appreciated.
You can directly reference the bucket making your life a lot easier:
BucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref MyWebsite
PolicyDocument:
Id: MyPolicy
Version: 2012-10-17
Statement:
Sid: PublicRead
Effect: Allow
Principal: "*"
Action:
- 's3:ListBucket'
- 's3:GetObject'
- 's3:PutObject'
- 's3:DeleteObject'
Resource:
- !Sub ${MyWebsite.Arn}/*
- !Sub ${MyWebsite.Arn}
Related
I'm trying to setup an S3 bucket which notifies a Lambda function when a new object is created.
The stack below works fine but I want to added the SourceArn to the Lambda permission, following best practices.
There's some literature on this which suggests the way to do it is via a string rather than Fn::GetAtt/Arn -
https://aws.amazon.com/premiumsupport/knowledge-center/unable-validate-circular-dependency-cloudformation/
But if I uncomment the relevant SourceArn line and redeploy, I get -
Unable to validate the following destination configurations (Service: Amazon S3; Status Code: 400; Error Code: InvalidArgument; Request ID: TBZDEVZ1HVD9EN0Q; S3 Extended Request ID: gL3CRz6UayvHup5i5oC4+/RMm0p1oRaRrPVtfZrykeAaJ1BVuhNSKkqxQ8TL5sy749d9PtbMOEQ=; Proxy: null)
Ho hum. Looking at the article again, I see that MyBucket needs to depend on MyBucketFunctionPermission - but if I uncomment that and redeploy I now get -
An error occurred (ValidationError) when calling the CreateChangeSet operation: Circular dependency between resources: [MyBucketFunctionPermission, MyBucket]
This is some fresh circle of hell. Am I missing something from the article or is there some other combination of SourceArn format + DependsOn that would get this to work ?
TIA.
AWSTemplateFormatVersion: '2010-09-09'
Outputs: {}
Parameters: {}
Resources:
MyBucket:
# DependsOn:
# - MyBucketFunctionPermission
Properties:
NotificationConfiguration:
LambdaConfigurations:
- Event: s3:ObjectCreated:*
Function:
Fn::GetAtt:
- MyBucketFunction
- Arn
Type: AWS::S3::Bucket
MyBucketFunction:
Properties:
Code:
ZipFile: "def handler(event, context):\n print (event)"
Handler: index.handler
Role:
Fn::GetAtt:
- MyBucketRole
- Arn
Runtime: "python3.8"
Type: AWS::Lambda::Function
MyBucketFunctionPermission:
Properties:
Action: lambda:InvokeFunction
FunctionName:
Ref: MyBucketFunction
Principal: s3.amazonaws.com
# SourceArn:
# Fn::Sub: arn:aws:s3:::${MyBucket}
Type: AWS::Lambda::Permission
MyBucketRole:
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: lambda.amazonaws.com
Version: '2012-10-17'
Policies:
- PolicyDocument:
Statement:
- Action: logs:*
Effect: Allow
Resource: '*'
Version: '2012-10-17'
PolicyName:
Fn::Sub: my-bucket-role-policy-1234567890
Type: AWS::IAM::Role
There is nothing seemingly wrong with your template. It works fine, at least for me. But a race condition is possible between MyBucket and MyBucketFunctionPermission. Thus, protect against this, you have to use DependsOn. But for that to work you have to explicitly set your bucket name. For example:
AWSTemplateFormatVersion: '2010-09-09'
Outputs: {}
Parameters: {}
Resources:
MyBucket:
DependsOn:
- MyBucketFunctionPermission
Properties:
BucketName: !Sub "my-bucket-323323-${AWS::StackName}-${AWS::Region}"
NotificationConfiguration:
LambdaConfigurations:
- Event: s3:ObjectCreated:*
Function:
Fn::GetAtt:
- MyBucketFunction
- Arn
Type: AWS::S3::Bucket
MyBucketFunction:
Properties:
Code:
ZipFile: "def handler(event, context):\n print (event)"
Handler: index.handler
Role:
Fn::GetAtt:
- MyBucketRole
- Arn
Runtime: "python3.8"
Type: AWS::Lambda::Function
MyBucketFunctionPermission:
Properties:
Action: lambda:InvokeFunction
FunctionName:
Ref: MyBucketFunction
Principal: s3.amazonaws.com
SourceArn: !Sub "arn:aws:s3:::my-bucket-323323-${AWS::StackName}-${AWS::Region}"
Type: AWS::Lambda::Permission
MyBucketRole:
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: lambda.amazonaws.com
Version: '2012-10-17'
Policies:
- PolicyDocument:
Statement:
- Action: logs:*
Effect: Allow
Resource: '*'
Version: '2012-10-17'
PolicyName:
Fn::Sub: my-bucket-role-policy-1234567890
Type: AWS::IAM::Role
I am trying to create an IAM role via cloudformation for an existing IAM user as principle and an existing dynamodb table. I have verified through yamllint and yaml is well-formatted and yet cloudformation is complaining about malformatted file.
Following is my cloudformation template:
AWSTemplateFormatVersion: 2010-09-09
Parameters:
vTableName:
Type: String
Description: the tablename
Default: arn:aws:dynamodb:ap-southeast-2:1234567:table/test-table
vUserName:
Type: String
Description: New account username
Default: mytestuser
Resources:
DynamoRoleForTest:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
AWS:
- !Sub 'arn:aws:iam::${AWS::AccountId}:user/${vUserName}'
Action:
- sts:AssumeRole
Path: /
Policies:
- PolicyName: DynamoPolicy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
- Action:
- dynamodb:BatchGet*
- dynamodb:DescribeStream
- dynamodb:DescribeTable
- dynamodb:Get*
- dynamodb:Query
- dynamodb:Scan
Resource: !Ref vTableName
and following is error I receive,when I try to create this template:
Syntax errors in policy. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 237dd218-a2a2-4194-9063-104f8022cb80)
Thanks for any advice.
There is not-needed - in your Action:
- Action:
Therefore, your template should be (removed -):
AWSTemplateFormatVersion: 2010-09-09
Parameters:
vTableName:
Type: String
Description: the tablename
Default: arn:aws:dynamodb:ap-southeast-2:1234567:table/test-table
vUserName:
Type: String
Description: New account username
Default: mytestuser
Resources:
DynamoRoleForTest:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
AWS:
- !Sub 'arn:aws:iam::${AWS::AccountId}:user/${vUserName}'
Action:
- sts:AssumeRole
Path: /
Policies:
- PolicyName: DynamoPolicy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- dynamodb:BatchGet*
- dynamodb:DescribeStream
- dynamodb:DescribeTable
- dynamodb:Get*
- dynamodb:Query
- dynamodb:Scan
Resource: !Ref vTableName
Principle is fine, assuming it exists.
I have 2 policies each for S3 and Kinesis stream which includes DescribeStream. The S3 policy works well but I am getting this error with KinesisPolicy.
Resources:
S3
KinesisStream
Firehose
Role:
FirehoseRole
Policies:
S3 policy with the following permissions:
- 's3:AbortMultipartUpload'
- 's3:GetBucketLocation'
- 's3:GetObject'
- 's3:ListBucket'
- 's3:ListBucketMultipartUploads'
- 's3:PutObject'
Kinesis Policy with the following permissions:
- 'kinesis:PutRecord'
- 'kinesis:DescribeStreamSummary'
- 'kinesis:PutRecords'
- 'kinesis:GetShardIterator'
- 'kinesis:GetRecords'
- 'kinesis:DescribeStream'
Error:
The role (firehoseRole) is not authorized to perform DescribeStream on MyKinesisStream.
Cloud formation template
Resources:
S3Bucket:
Type: AWS::S3::Bucket
Properties:
VersioningConfiguration:
Status: Enabled
firehoseRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Sid: ''
Effect: Allow
Principal:
Service: firehose.amazonaws.com
Action: 'sts:AssumeRole'
Condition:
StringEquals:
'sts:ExternalId': !Ref 'AWS::AccountId'
DeliveryPolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: firehose_delivery_policy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- 's3:AbortMultipartUpload'
- 's3:GetBucketLocation'
- 's3:GetObject'
- 's3:ListBucket'
- 's3:ListBucketMultipartUploads'
- 's3:PutObject'
Resource:
- !Sub 'arn:aws:s3:::${S3Bucket}'
- !Sub 'arn:aws:s3:::${S3Bucket}*'
Roles:
- !Ref firehoseRole
KinesisPolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: kinesis_policy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- 'kinesis:PutRecord'
- 'kinesis:DescribeStreamSummary'
- 'kinesis:PutRecords'
- 'kinesis:GetShardIterator'
- 'kinesis:GetRecords'
- 'kinesis:DescribeStream'
Resource:
- !GetAtt MyKinesisStream.Arn
Roles:
- !Ref firehoseRole
MyKinesisStream:
Type: AWS::Kinesis::Stream
Properties:
ShardCount: 1
DeliveryStream:
Type: AWS::KinesisFirehose::DeliveryStream
Properties:
DeliveryStreamType: KinesisStreamAsSource
KinesisStreamSourceConfiguration:
KinesisStreamARN: !GetAtt MyKinesisStream.Arn
RoleARN: !GetAtt firehoseRole.Arn
S3DestinationConfiguration:
BucketARN: !GetAtt S3Bucket.Arn
BufferingHints:
IntervalInSeconds: 60
SizeInMBs: 50
CompressionFormat: UNCOMPRESSED
Prefix: firehose/
RoleARN: !GetAtt firehoseRole.Arn
I was able to resolve the error. I had to add DependsOn To DeliveryStream and include both the policies.
for days I have not been able to figure out why one AWS role is not authorized to perform AssumeRole on another. In this case I have a dev-account with AWS CodeCommit on it, and a tools account with CodePipeline. I am trying to allow CodePipeline (in tools) to access CodeCommit (in dev), but am always told that the role in tools is not authorized to do so.
Here is my CloudFormation template to create a role in dev:
AWSTemplateFormatVersion: "2010-09-09"
Description: Cross Account Role to Allow Access to CodePipeline in Tools Account
Parameters:
ToolsAccount:
Description: AWS AccountNumber for tools account
Type: Number
Resources:
Role:
Type: AWS::IAM::Role
Properties:
RoleName: access-codecommit-in-dev
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
AWS:
- !Ref ToolsAccount
Action:
- sts:AssumeRole
Path: /
Policy:
Type: AWS::IAM::Policy
Properties:
PolicyName: !Sub ToolsAcctCodePipelineCodeCommitPolicy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- codecommit:BatchGetRepositories
- codecommit:Get*
- codecommit:GitPull
- codecommit:List*
- codecommit:CancelUploadArchive
- codecommit:UploadArchive
- s3:*
Resource: "*"
Roles:
- !Ref Role
Here is the CloudFormation template that creates CodePipeline:
Description: "Code pipeline to deploy frontend"
Parameters:
DevAccount:
Description: AWS AccountNumber for dev
Type: Number
TestAccount:
Description: AWS AccountNumber for test
Type: Number
Resources:
BuildProjectRole:
Type: AWS::IAM::Role
Properties:
RoleName: codebuild-role
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- codebuild.amazonaws.com
Action:
- sts:AssumeRole
BuildProjectPolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: codebuild-policy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- s3:PutObject
- s3:GetBucketPolicy
- s3:GetObject
- s3:ListBucket
Resource:
- "bucketNameHere"
- Effect: Allow
Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Resource: arn:aws:logs:*:*:*
Roles:
- !Ref BuildProjectRole
PipeLineRole:
Type: AWS::IAM::Role
Properties:
RoleName: codepipeline-role
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- codepipeline.amazonaws.com
Action:
- sts:AssumeRole
PipelinePolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: codepipeline-policy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- codepipeline:*
- iam:ListRoles
- cloudformation:Describe*
- cloudFormation:List*
- codecommit:List*
- codecommit:Get*
- codecommit:GitPull
- codecommit:UploadArchive
- codecommit:CancelUploadArchive
- codebuild:BatchGetBuilds
- codebuild:StartBuild
- cloudformation:CreateStack
- cloudformation:DeleteStack
- cloudformation:DescribeStacks
- cloudformation:UpdateStack
- cloudformation:CreateChangeSet
- cloudformation:DeleteChangeSet
- cloudformation:DescribeChangeSet
- cloudformation:ExecuteChangeSet
- cloudformation:SetStackPolicy
- cloudformation:ValidateTemplate
- iam:PassRole
- s3:ListAllMyBuckets
- s3:GetBucketLocation
Resource:
- "*"
- Effect: Allow
Action:
- s3:PutObject
- s3:GetBucketPolicy
- s3:GetObject
- s3:ListBucket
Resource:
- "bucketName"
- Effect: Allow
Action:
- sts:AssumeRole
Resource:
- !Sub arn:aws:iam::${DevAccount}:role/crossaccount-codecommit-access
Roles:
- !Ref PipeLineRole
FrontEndPipeline:
Type: "AWS::CodePipeline::Pipeline"
Properties:
ArtifactStore:
Type: "S3"
Location: "bucketName"
Name: "frontend-deploy"
RoleArn: !GetAtt PipeLineRole.Arn
Stages:
- Name: "Code-Fetch"
Actions:
- Name: "stage-source"
ActionTypeId:
Category: Source
Owner: AWS
Provider: CodeCommit
Version: 1
OutputArtifacts:
- Name: SourceCode
Configuration:
PollForSourceChanges: true
BranchName: develop
RepositoryName: "nameHere"
RunOrder: 1
RoleArn: !Sub arn:aws:iam::${DevAccount}:role/crossaccount-codecommit-access
- Name: Build
Actions:
- Name: "Build-Source"
ActionTypeId:
Category: Build
Owner: AWS
Version: "1"
Provider: CodeBuild
InputArtifacts:
- Name: SourceCode
OutputArtifacts:
- Name: DeployOutput
Configuration:
ProjectName: "CodeBuild"
RunOrder: 1
- Name: Deploy
Actions:
- Name: deploy
ActionTypeId:
Category: Deploy
Owner: AWS
Version: "1"
Provider: S3
InputArtifacts:
- Name: DeployOutput
Configuration:
BucketName: "bucketNameHere"
Extract: true
#RoleArn: !Sub arn:aws:iam::${TestAccount}:role/cloudformationdeployer-role
CodeBuildProject:
Type: AWS::CodeBuild::Project
Properties:
Name: "CodeBuild"
ServiceRole: !GetAtt BuildProjectRole.Arn
Artifacts:
Type: CODEPIPELINE
Environment:
ComputeType: BUILD_GENERAL1_SMALL
Type: LINUX_CONTAINER
Image: node:13
Source:
Type: CODEPIPELINE
What could possibly be generating this error:
arn:aws:iam::{ToolsAccount}:role/projectName-codepipeline-role is not authorized to perform AssumeRole on role arn:aws:iam::{DevAcciybt}:role/access-codecommit-in-dev (Service: AWSCodePipeline; Status Code: 400; Error Code: InvalidStructureException; Request ID: (ID here))
Does the role
arn:aws:iam::{ToolsAccount}:role/projectName-codepipeline-role have permission to assume the role in dev account something like below:
{
"Sid": "AssumeCrossAccountRole"
"Effect": "Allow",
"Actions": "sts:AssumeRole",
"Resource": "ARN of dev account role"
}
else
Try out with passing ARN arn:aws:iam::{ToolsAccount}:role/projectName-codepipeline-role in the AWS principal instead of account number for the role which you are creating in dev account
I'm getting this strange error
Access to Role 'cognito role' is forbidden.
while creating a cloud formation stack here is my cloud formation file in yaml format.
I'm basically creating a s3 bucket and a cognito identity to facilate client side access to my bucket the whole thing is working fine except this error
Access to Role 'phototest-cognitoRole-1AMKUVXUXAJ5H' is forbidden. (Service: AmazonCognitoIdentity; Status Code: 400; Error Code: NotAuthorizedException
AWSTemplateFormatVersion: 2010-09-09
Resources:
photoBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: it-academy-photos-bucket
CorsConfiguration:
CorsRules:
- AllowedHeaders: ['*']
AllowedMethods: [GET,POST,PUT]
AllowedOrigins: ['*']
Id: myrules
cognitoRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: Allow
Principal:
Federated:
- "cognito-identity.amazonaws.com"
Action:
- sts:AssumeRoleWithWebIdentity
Policies:
-
PolicyName: "photo_client_policy"
PolicyDocument:
Version: '2012-10-17'
Statement:
-
Sid: VisualEditor1
Effect: Allow
Action:
- s3:PutObject
- s3:GetObjectAcl
- s3:GetObject
- s3:GetObjectTorrent
- s3:GetObjectVersionAcl
- s3:PutObjectVersionTagging
- s3:GetObjectTagging
- s3:PutObjectTagging
- s3:PutBucketCORS
- s3:PutObjectAcl
- s3:GetObjectVersion
Resource: "*"
cognitoIdentityPool:
Type: AWS::Cognito::IdentityPool
Properties:
IdentityPoolName: "photo_bucket"
AllowUnauthenticatedIdentities: true
cognitoIdentityPoolRoleAttachment:
Type: AWS::Cognito::IdentityPoolRoleAttachment
Properties:
IdentityPoolId: !Ref cognitoIdentityPool
Roles:
unauthenticated: !Ref cognitoRole
I was having the same problem and figured out the unauthenticated role needs the Arn and not the logical ID. This should fix the issue:
cognitoIdentityPoolRoleAttachment:
Type: AWS::Cognito::IdentityPoolRoleAttachment
Properties:
IdentityPoolId: !Ref cognitoIdentityPool
Roles:
unauthenticated: !GetAtt cognitoRole.Arn