SQS policy failed to create via CloudFormation - amazon-web-services

Creating an SQS policy gives me this error: Resource handler returned message: "Invalid value for the parameter Policy. (Service: Sqs, Status Code: 400, Request ID: 5d7ffb34-bd69-5409-aec7-a1809c4f6aeb, Extended Request ID: null)" (RequestToken: 0f7979cf-6aae-a59b-e687-99ba47279537, HandlerErrorCode: GeneralServiceException)
Not sure what is wrong here; I have referred to this Stack Overflow post.
```yaml
SQSQueuePolicy:
  Type: AWS::SQS::QueuePolicy
  Properties:
    PolicyDocument:
      Version: '2008-10-17'
      Id: '__default_policy_ID'
      Statement:
        - Sid: '__owner_statement'
          Effect: Allow
          Principal:
            AWS: 'arn:aws:iam::${AWS::AccountId}:root'
          Action: 'SQS:*'
          Resource: !GetAtt test12StandardQueue.Arn
        - Sid: 'Allow-SNS-SendMessage'
          Effect: Allow
          Principal: '*'
          Action: SQS:SendMessage
          Resource: !GetAtt test12StandardQueue.Arn
          Condition:
            ArnLike:
              aws:SourceArn: !Ref SNSTopicARN
    Queues:
      - !Ref test12StandardQueue
```
I have tried Version: '2012-10-17' instead of '2008-10-17', but I get the same error.

Instead of
```yaml
AWS: 'arn:aws:iam::${AWS::AccountId}:root'
```
it should be:
```yaml
AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
```
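Why the plain string fails: without `!Sub`, CloudFormation never touches `${AWS::AccountId}`, so the literal text is sent to SQS as the principal ARN and rejected. The following is an added example, not code from the question or the answer, that renders `Fn::Sub` the way CloudFormation does and lints a template fragment for exactly that mistake. It works on the JSON form of the template (what the YAML short forms `!Sub` / `!Ref` / `!GetAtt` become after parsing), so no YAML library is needed. The account ID is constructed, and the resolver handles only pseudo parameters and `Fn::Sub` variables, not `Ref` or `GetAtt` lookups of other resources.

```python
"""Added example: render Fn::Sub and flag '${...}' left in plain strings.
Not part of the original question or answer; account ID is constructed."""
import re

PSEUDO = {"AWS::AccountId": "123456789012", "AWS::Region": "us-east-1",
          "AWS::Partition": "aws"}  # constructed values
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def render_sub(node, params):
    """Expand the value of Fn::Sub: a string, or [string, {variable: value}]."""
    if isinstance(node, list):
        template, extra = node
        params = {**params, **extra}
    else:
        template = node

    def repl(match):
        name = match.group(1)
        if name.startswith("!"):  # ${!Name} is CloudFormation's escape for a literal
            return "${" + name[1:] + "}"
        if name not in params:
            raise KeyError(f"unresolved Fn::Sub variable {name}")
        return str(params[name])

    return PLACEHOLDER.sub(repl, template)


def resolve(node, params=PSEUDO):
    """Walk a fragment and render every Fn::Sub; other intrinsics pass through."""
    if isinstance(node, dict):
        if list(node) == ["Fn::Sub"]:
            return render_sub(node["Fn::Sub"], params)
        return {k: resolve(v, params) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, params) for v in node]
    return node


def find_unsubstituted(node, path="$"):
    """JSON paths of plain strings still carrying '${...}' after resolution."""
    if isinstance(node, dict):
        return [p for k, v in node.items() for p in find_unsubstituted(v, f"{path}.{k}")]
    if isinstance(node, list):
        return [p for i, v in enumerate(node) for p in find_unsubstituted(v, f"{path}[{i}]")]
    return [path] if isinstance(node, str) and PLACEHOLDER.search(node) else []


# The owner statement as posted: a plain string, so CloudFormation sends the
# literal text "${AWS::AccountId}" to SQS.
BROKEN = {"Sid": "__owner_statement", "Effect": "Allow",
          "Principal": {"AWS": "arn:aws:iam::${AWS::AccountId}:root"},
          "Action": "SQS:*", "Resource": {"Fn::GetAtt": ["test12StandardQueue", "Arn"]}}
# The same statement with the answer's fix; YAML `!Sub '...'` is {"Fn::Sub": "..."}.
FIXED = {**BROKEN, "Principal": {"AWS": {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"}}}
```

`find_unsubstituted(resolve(BROKEN))` reports `$.Principal.AWS`, while the fixed statement resolves cleanly to `arn:aws:iam::123456789012:root`. The same class of mistake is caught before deployment by cfn-lint, which is the check to wire into CI rather than discovering it from a 400 at stack-create time.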

Related

Invalid parameter error when creating SNS policy

I'm trying to give SNS permission to publish to an SQS queue, but I keep getting this error:
Invalid parameter: Policy Error: null (Service: AmazonSNS; Status Code: 400; Error Code: InvalidParameter; Request ID: a5459d05-e37a-5906-92c2-c16c4813cca0; Proxy: null)
I am using the Serverless Framework and have read multiple posts describing the same issue, but none of the fixes seem to work. Here is my current version:
```yaml
MyTopicPolicy:
  Type: AWS::SNS::TopicPolicy
  Properties:
    PolicyDocument:
      Id: 'allowsSNSToSQS'
      Version: '2012-10-17'
      Statement:
        Sid: AllowSNStoPublishToSQS
        Effect: Allow
        Principle: "*"
        Action: 'sqs:SendMessage'
        Resource:
          Fn::GetAtt: [MyQueue , Arn ]
        Condition:
          ArnEquals:
            aws:SourceArn: { "Ref" : "MyTopic" }
    Topics:
      - { "Ref" : "MyTopic" }
```
Does anyone have any ideas? Thanks.
Along with the typo, I was also using the wrong policy type; I should have been using AWS::SQS::QueuePolicy, as can be seen below:
```yaml
MyTopicPolicy:
  Type: AWS::SQS::QueuePolicy
  Properties:
    Queues:
      - {"Ref": "MyQueue"}
    PolicyDocument:
      Id: 'allowsSNSToSQS'
      Version: '2012-10-17'
      Statement:
        Sid: AllowSNStoPublishToSQS
        Effect: Allow
        Principal:
          Service: "sns.amazonaws.com"
        Action: "sqs:SendMessage"
        Resource:
          Fn::GetAtt: [MyQueue , Arn ]
        Condition:
          ArnEquals:
            aws:SourceArn: { "Ref" : "MyTopic" }
```

Cannot attach a Service Role Policy to a Customer Role. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: PolicyNotAttachable

I am trying to create a role with an AWS managed policy using CloudFormation, but I am getting an error:
Cannot attach a Service Role Policy to a Customer Role. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: PolicyNotAttachable
Any help would be appreciated.
Code snippet:
```yaml
AutoscalingRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Statement:
        - Effect: Allow
          Principal:
            Service: [application-autoscaling.amazonaws.com]
          Action: ['sts:AssumeRole']
    ManagedPolicyArns:
      - 'arn:aws:iam::aws:policy/aws-service-role/AutoScalingServiceRolePolicy'
ECSRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: 2008-10-17
      Statement:
        - Sid: ''
          Effect: Allow
          Principal:
            Service: ecs.amazonaws.com
          Action: 'sts:AssumeRole'
    ManagedPolicyArns:
      - 'arn:aws:iam::aws:policy/aws-service-role/AmazonEC2ContainerServiceRole'
ECSTaskExecutionRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Statement:
        - Effect: Allow
          Principal:
            Service: [ecs-tasks.amazonaws.com]
          Action: ['sts:AssumeRole']
    ManagedPolicyArns:
      - 'arn:aws:iam::aws:policy/aws-service-role/AmazonECSServiceRolePolicy'
```
It seems you provided the wrong ARN for the managed policy. I looked those up in the AWS console and got:
arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole
instead of your:
arn:aws:iam::aws:policy/aws-service-role/AmazonECSServiceRolePolicy
Just go to the IAM policy panel in the AWS Console and find them one by one; the ARN is provided for each.

Deny GetObject for all S3 bucket

I want to create an IAM role with a read-only policy (arn:aws:iam::aws:policy/ReadOnlyAccess).
In order to prevent access to all objects in all buckets, I added a Deny section in the CloudFormation template:
```yaml
ReadOnlyAccessRole:
  Type: AWS::IAM::Role
  Properties:
    Path: /
    RoleName: read-only-role
    AssumeRolePolicyDocument:
      Version: 2012-10-17
      Statement:
        - Effect: Allow
          Principal:
            AWS: !Ref AwsAccount
          Action: sts:AssumeRole
        - Effect: Deny
          Sid: DenyS3GetObject
          Action: s3:GetObject
          Resource: "arn:aws:s3:::/*"
    ManagedPolicyArns:
      - "arn:aws:iam::aws:policy/ReadOnlyAccess"
```
I get a "MalformedPolicyDocument" error in the Deny section (Resource).
I have already tested these options:
Resource: "*"
Resource: "arn:aws:s3:::/*"
Resource: "arn:aws:s3:::prefix-bucket*"
Do you have any idea about this syntax error?
EDIT:
Error from CloudFormation:
Has prohibited field Resource (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: ......; Proxy: null)
You seem to be missing the Policies section.
Try something like this:
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  MyTestRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: read-only-role
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Ref AwsAccount
            Action: sts:AssumeRole
      Policies:
        - PolicyName: EmbeddedInlinePolicy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Deny
                Action: s3:GetObject
                Resource: '*'
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/ReadOnlyAccess
```
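Two of the answers above rest on the same evaluation rules: the SNS-to-SQS answer relies on a `Condition` on `aws:SourceArn` to confine a service-wide `Principal` to one topic, and the Deny-GetObject answer relies on an explicit Deny in an identity policy overriding the Allow granted by ReadOnlyAccess. The following is an added example, not code from any question or answer, that implements just enough of IAM's evaluation logic to show both decisions. Only `Effect`, `Principal`, `Action`, `Resource` and the `ArnEquals` / `ArnLike` / `Bool` operators are handled; the account ID, ARNs and policies are constructed for illustration.

```python
"""Added example: a minimal IAM policy evaluator (not AWS code).
Explicit Deny wins, no matching Allow is an implicit deny, and Condition
keys gate resource-policy statements. Everything below is constructed."""
import re

ACCOUNT = "123456789012"  # constructed
TOPIC_ARN = f"arn:aws:sns:us-east-1:{ACCOUNT}:MyTopic"
QUEUE_ARN = f"arn:aws:sqs:us-east-1:{ACCOUNT}:MyQueue"


def _as_list(v):
    return [] if v is None else v if isinstance(v, list) else [v]


def _glob(pattern, value):
    """IAM wildcard match: '*' is any run of characters, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _principal_match(principal, request):
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    for kind in ("AWS", "Service"):
        for p in _as_list(principal.get(kind)):
            if p == "*" or p == request["principal"].get(kind):
                return True
    return False


def _condition_match(condition, context):
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:  # a missing key never satisfies a positive operator
                return False
            if operator in ("ArnEquals", "ArnLike"):  # synonyms in IAM
                if not any(_glob(e, actual) for e in _as_list(expected)):
                    return False
            elif operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            else:
                raise ValueError(f"unsupported condition operator {operator}")
    return True


def evaluate(policies, request):
    """Return 'Allow' or 'Deny' for request = {principal, action, resource, context}.
    Statements with a Principal are resource-policy statements; statements
    without one are identity-policy statements attached to the caller."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if "Principal" in stmt and not _principal_match(stmt["Principal"], request):
                continue
            if not any(_glob(a.lower(), request["action"].lower()) for a in _as_list(stmt.get("Action"))):
                continue
            if not any(_glob(r, request["resource"]) for r in _as_list(stmt.get("Resource", "*"))):
                continue
            if not _condition_match(stmt.get("Condition"), request.get("context", {})):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny is final
            allowed = True
    return "Allow" if allowed else "Deny"  # no matching Allow: implicit deny


# Scenario 1: the corrected SNS-to-SQS queue policy, keyed on aws:SourceArn.
QUEUE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowSNStoPublishToSQS", "Effect": "Allow",
    "Principal": {"Service": "sns.amazonaws.com"},
    "Action": "sqs:SendMessage", "Resource": QUEUE_ARN,
    "Condition": {"ArnEquals": {"aws:SourceArn": TOPIC_ARN}}}]}


def sns_delivery(source_arn, service="sns.amazonaws.com"):
    """Decision for a delivery to the queue that carries this aws:SourceArn."""
    return evaluate([QUEUE_POLICY], {"principal": {"Service": service},
                                     "action": "sqs:SendMessage", "resource": QUEUE_ARN,
                                     "context": {"aws:SourceArn": source_arn}})


# Scenario 2: a slice of ReadOnlyAccess plus the inline Deny from the answer.
READ_ONLY_SLICE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}
DENY_GET_OBJECT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:GetObject", "Resource": "*"}]}


def read_only_role(action, resource="arn:aws:s3:::example-bucket/secret.txt"):
    """Decision for the read-only role performing action on resource."""
    return evaluate([READ_ONLY_SLICE, DENY_GET_OBJECT], {
        "principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/read-only-role"},
        "action": action, "resource": resource, "context": {}})
```

`sns_delivery(TOPIC_ARN)` is allowed, while a topic in another account, or a different service carrying the right ARN, is denied: that condition is what stops any SNS topic in any account from pushing into the queue (the confused-deputy case that `Principal: "*"` without a condition would open). `read_only_role("s3:GetObject")` is denied even though `s3:Get*` is allowed, and `s3:ListBucket` still succeeds, which is the behaviour the inline `Policies` entry gives the role; a Deny placed in the trust policy could never have this effect, because the trust policy only decides who may assume the role.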

MalformedPolicyDocumentExceptionnull AWS KMS KEY

I am trying to create a KMS key using CloudFormation with the template below, and I am getting this error:
Error:
MalformedPolicyDocumentExceptionnull (Service: AWSKMS; Status Code: 400; Error Code: MalformedPolicyDocumentException; Request ID: cc99c04e-8423-43a3-9183-313438544abb)
I have tried many ways to fix this issue but couldn't find a solution.
Template:
```yaml
PcsKmsCmk1:
  Type: AWS::KMS::Key
  Properties:
    KeyPolicy:
      Version: 2012-10-17
      Id: default
      Statement:
        - Sid: Allow root account all permissions except to decrypt the key
          Effect: Allow
          Principal:
            AWS:
              - !Sub arn:aws:iam::${AWS::AccountId}:root
          Action: kms:*
          Resource: '*'
        - Sid: Enable AWSAdminRole to have full permissions to KMS key
          Effect: Allow
          Principal:
            AWS:
              - !Sub arn:aws:iam::${AWS::AccountId}:/role/AWSAdminRole
          Action: kms:*
          Resource: '*'
          Condition:
            Bool:
              kms:GrantIsForAWSResource: 'true'
```
In the ARN, you used /role, which is wrong.
For your reference, use
- !Sub arn:aws:iam::${AWS::AccountId}:role/AWSAdminRole
instead of
- !Sub arn:aws:iam::${AWS::AccountId}:/role/AWSAdminRole
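Both the PolicyNotAttachable question above and this KMS one come down to an ARN that is structurally wrong for where it is used: a `:/role/` resource segment that IAM does not recognise, and a managed policy under the `/aws-service-role/` path, which belongs to a service-linked role and cannot be attached to a customer-created role. The following is an added example, not code from either question or answer, that parses ARNs into their fields and applies those two checks to a template fragment, so the problem surfaces before `kms:CreateKey` or `iam:AttachRolePolicy` returns a 400. The fragment and account ID are constructed; the lint walks only `Principal.AWS` and `ManagedPolicyArns` values that are already plain strings (run it after `Fn::Sub` has been resolved).

```python
"""Added example: structural checks on IAM principal and managed-policy ARNs.
Not part of any question or answer above; sample ARNs are constructed."""
import re

# Resource part of an IAM principal ARN: 'root' or '<type>/<path-and-name>'.
IAM_RESOURCE = re.compile(r"(root|(user|role|group|policy|instance-profile|saml-provider|oidc-provider)/[\w+=,.@/-]+)")


def parse_arn(arn):
    """Split 'arn:partition:service:region:account:resource' into fields, or None."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        return None
    return dict(zip(("partition", "service", "region", "account", "resource"), parts[1:]))


def check_iam_principal_arn(value):
    """None if value is a valid AWS principal, else a message explaining the defect."""
    if value == "*" or re.fullmatch(r"\d{12}", value):
        return None  # '*' and a bare account ID are accepted principal forms
    a = parse_arn(value)
    if a is None:
        return f"not an ARN: {value}"
    if a["service"] != "iam" or a["region"] != "":
        return "IAM principal ARNs have service 'iam' and an empty region field"
    if not re.fullmatch(r"\d{12}", a["account"]):
        return f"account field '{a['account']}' must be 12 digits (unresolved ${{AWS::AccountId}}?)"
    if a["resource"].startswith("/"):
        return f"resource '{a['resource']}' starts with '/'; write ':role/Name', not ':/role/Name'"
    if not IAM_RESOURCE.fullmatch(a["resource"]):
        return f"unrecognised IAM resource '{a['resource']}'"
    return None


def check_managed_policy_arn(value):
    """None if a customer role may attach this policy, else a message."""
    a = parse_arn(value)
    if a is None or a["service"] != "iam" or not a["resource"].startswith("policy/"):
        return f"not an IAM managed policy ARN: {value}"
    path = a["resource"][len("policy"):]  # '/aws-service-role/Name', '/service-role/Name' or '/Name'
    if a["account"] == "aws" and path.startswith("/aws-service-role/"):
        return "service-linked role policy; only its AWS service may attach it (PolicyNotAttachable)"
    return None


def lint_fragment(node, path="$", under=None):
    """Walk a template fragment and check strings under Principal.AWS and ManagedPolicyArns."""
    findings = []
    if isinstance(node, dict):
        for k, v in node.items():
            if under == "Principal" and k == "AWS":
                nxt = "principal"
            elif k == "ManagedPolicyArns":
                nxt = "managed"
            else:
                nxt = "Principal" if k == "Principal" else None
            findings += lint_fragment(v, f"{path}.{k}", nxt)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            findings += lint_fragment(v, f"{path}[{i}]", under)
    elif isinstance(node, str) and under in ("principal", "managed"):
        check = check_iam_principal_arn if under == "principal" else check_managed_policy_arn
        msg = check(node)
        if msg:
            findings.append((path, msg))
    return findings


# Constructed fragment combining both questions' mistakes with two correct entries.
SAMPLE = {
    "ManagedPolicyArns": ["arn:aws:iam::aws:policy/aws-service-role/AutoScalingServiceRolePolicy",
                          "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole"],
    "KeyPolicy": {"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::123456789012:root"]}},
        {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::123456789012:/role/AWSAdminRole"]}}]}}
```

`lint_fragment(SAMPLE)` returns two findings, one at `$.ManagedPolicyArns[0]` and one at `$.KeyPolicy.Statement[1].Principal.AWS[0]`, and nothing for the correct root principal or the `service-role/` policy. The account-field check also catches the first question's unresolved `${AWS::AccountId}` when the lint is run on the raw template instead of the rendered one.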

CloudFormation: Cannot create policy for SNS topic on AWS using Serverless Framework

I can't figure out what I am doing wrong. If I comment out SNSAddTopicPolicy, everything works fine; however, once it is uncommented I get:
SNSAddTopicPolicy - Invalid parameter: Policy Error: null (Service: AmazonSNS; Status Code: 400; Error Code: InvalidParameter; Request ID: 26870c3b-4829-5080-bd88-59e9524c08e4).
I have tried every single combination but can't get it to work. Any help?
```yaml
BucketAddEventInterfaceSNSTopic:
  Type: AWS::SNS::Topic
  Properties:
    TopicName: accounts-bucket-add-interface-dev
SNSAddTopicPolicy:
  Type: AWS::SNS::TopicPolicy
  Properties:
    PolicyDocument:
      Id: 'accounts-sns-add-policy-dev'
      Version: 2012-10-17
      Statement:
        Sid: 'accounts-sns-add-statement-dev'
        Effect: Allow
        # this probably needs narrowed down
        Principal:
          AWS: '*'
        Action: sns:Publish
        Resource: { "Ref":"BucketAddEventInterfaceSNSTopic" }
    Topics:
      - { "Ref": "BucketAddEventInterfaceSNSTopic" }
```
It looks like you're mixing JSON and YAML syntax for the Ref. Also, just to be safe, you should put quotes around your Version, as shown below.
Your policy should look more like this:
```yaml
SNSAddTopicPolicy:
  Type: AWS::SNS::TopicPolicy
  Properties:
    PolicyDocument:
      Id: 'accounts-sns-add-policy-dev'
      Version: '2012-10-17'
      Statement:
        Sid: 'accounts-sns-add-statement-dev'
        Effect: Allow
        # this probably needs narrowed down
        Principal:
          AWS: '*'
        Action: sns:Publish
        Resource: !Ref BucketAddEventInterfaceSNSTopic
    Topics:
      - !Ref BucketAddEventInterfaceSNSTopic
```