Kafka Admin Role creation on AWS using Cloud Formation - amazon-web-services

I am trying to create an admin role for my MSK cluster on AWS using CloudFormation. I am using the role policies below but am not sure why I am not able to list clusters, describe clusters, or create an MSK connector for my cluster.
Can someone please help identify what is wrong with my role policies?
RolePolicies:
  Type: AWS::IAM::ManagedPolicy
  Properties:
    ManagedPolicyName: msk-role-policy
    Roles:
      - !Ref AdminRole
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        -
          Sid: PassRole
          Action:
            - iam:PassRole
          Resource:
            - !Join [ ":", ["arn:aws:iam:", !Ref "AWS::AccountId", "role/app/*"] ]
          Effect: Allow
        -
          Sid: MSKstackCreationPermissionsKafka
          Action:
            - kafka:*
          Resource:
            - !Join [ ":", ["arn:aws:kafka:us-east-1", !Ref "AWS::AccountId", "cluster/demo*"] ]
          Effect: Allow
        -
          Sid: MSKstackCreationPermissionsEc2
          Action:
            - ec2:Describe*
            - ec2:*Address
            - ec2:*SecurityGroup
            - ec2:RunInstances
            - ec2:*Tags
            - ec2:AuthorizeSecurityGroupIngress
            - kms:DescribeKey
            - kms:CreateGrant
            - logs:CreateLogDelivery
            - logs:GetLogDelivery
            - logs:UpdateLogDelivery
            - logs:DeleteLogDelivery
            - logs:ListLogDeliveries
            - logs:PutResourcePolicy
            - logs:DescribeResourcePolicies
            - logs:DescribeLogGroups
            - S3:GetBucketPolicy
            - S3:List*
            - S3:CreateBucket
          Resource: '*'
          Effect: Allow
        -
          Sid: MSKstackCreationPermissionsS3
          Action:
            - S3:*
          Resource: 'arn:aws:s3:::cf-templates*/*'
          Effect: Allow

Related

Value of property Roles must be of type List of String || AWS SAM

While trying to deploy AWS SAM, the stack creation is failing with the following error:
Value of property Roles must be of type List of String
As the template file is very big, I am just giving the part for the Policies section:
Policies:
  Type: AWS::IAM::Policy
  Properties:
    PolicyName: !Join ['',['lambdaExecutionPolicy',!FindInMap [Variables,Vid,value]]]
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Action: 'dynamodb:Query'
          Resource: '*'
        - Effect: Allow
          Action: 'logs:*'
          Resource: 'arn:aws:logs:*:*:*'
        - Effect: Allow
          Action:
            - 's3:GetObject'
            - 's3:PutObject'
          Resource: 'arn:aws:s3:::*'
        - Effect: Allow
          Action:
            - 'logs:CreateLogGroup'
            - 'logs:CreateLogStream'
            - 'logs:PutLogEvents'
          Resource: '*'
        - Effect: Allow
          Action:
            - 'logs:CreateLogGroup'
            - 'logs:CreateLogStream'
            - 'logs:PutLogEvents'
          Resource: '*'
        - Effect: Allow
          Action: 'sns:Publish'
          Resource: !Ref mysubscription
    Roles: !Ref lambdaexecutionrole
While Executing the CFT
As per the docs, Roles has the form of:
Roles:
  - String
Thus in your case, you should have:
Roles:
  - !Ref lambdaexecutionrole
or
Roles: [!Ref lambdaexecutionrole]

AWS CloudFormation custom permissions boundary

Is it possible to write your custom permissions boundary policy inside the AWS CloudFormation template for AWS Lambda's LambdaExecutionRole?
It would be best if I could write all the necessary policies for the LambdaExecutionRole inside this code instead of using !Ref or !Sub.
Please see the PermissionsBoundary part.
(This code doesn't work because of the misconfigured permissions boundary part.)
LambdaExecutionRole:
  Description: Creating service role in IAM for AWS Lambda
  Type: AWS::IAM::Role
  Properties:
    RoleName: !Sub 'CodeStar-${ProjectId}-Execution${Stage}'
    AssumeRolePolicyDocument:
      Statement:
        - Effect: Allow
          Principal:
            Service: [lambda.amazonaws.com]
          Action: sts:AssumeRole
    Path: /
    ManagedPolicyArns:
      - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
    PermissionsBoundary: !Sub
      Properties:
        PolicyDocument:
          Statement:
            - Action:
                - logs:CreateLogGroup
                - logs:CreateLogStream
                - logs:DescribeLogGroups
                - logs:PutLogEvents
                - xray:Put*
              Effect: Allow
              Resource: '*'
Sadly you can't do this. PermissionsBoundary requires the ARN of an IAM policy. So first you have to create an AWS::IAM::ManagedPolicy and then reference its ARN in PermissionsBoundary.

Task execution role for ECS tasks - Cloudformation

I am trying to access an IAM role which I created using the AWS console. The role was simple, as I had to give it the ECS task execution role so that it has the permission to pull the image from ECR. I have come up with this code; what am I missing in this code?
Role:
  Type: 'AWS::IAM::Role'
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - ec2.amazonaws.com
          Action:
            - 'sts:AssumeRole'
    Path: /
    ManagedPolicyArns:
      - arn:aws:iam::02004621356:role/ecs-ec2-task
2- What if I want to create a new task execution role and give it only permission to pull the image from ECR? What changes should I make?
The trust principal should be ecs-tasks.amazonaws.com:
Role:
  Type: 'AWS::IAM::Role'
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - ecs-tasks.amazonaws.com
          Action:
            - 'sts:AssumeRole'
    Path: /
    ManagedPolicyArns:
      - arn:aws:iam::02004621356:role/ecs-ec2-task
    Policies:
      - PolicyName: AccessECR
        PolicyDocument:
          Version: 2012-10-17
          Statement:
            - Effect: Allow
              Action:
                - ecr:BatchGetImage
                - ecr:GetAuthorizationToken
                - ecr:GetDownloadUrlForLayer
              Resource: '*'

AWS docker container is not inheriting the host instance role

I am trying to access an S3 bucket from a Camel router running in a Docker container deployed in ECS.
The host EC2 instance has IAM policies which provide access to the S3 bucket, and I have verified this by running a standalone router directly on EC2. But when I tried the program inside a container, it threw an exception stating "Access Denied" to the S3 bucket.
After this, I tried providing a task IAM role by adding TaskRoleArn in my CloudFormation, but that didn't help; still the same exception.
Not sure if I am missing anything here, any suggestions?
[Edit, adding the IAM policy here]
This is my IAM policy for the host; I created a similar one for the task role as well, with the trust relationship to 'ecs-tasks.amazonaws.com':
EC2Role:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - ec2.amazonaws.com
              - ecs.amazonaws.com
          Action:
            - sts:AssumeRole
    Path: /Developer/
    Policies:
      - PolicyName: ecs-service
        PolicyDocument:
          Statement:
            - Effect: Allow
              Action:
                - logs:CreateLogStream
                - logs:CreateLogGroup
                - logs:DescribeLogGroups
                - logs:DescribeLogStreams
                - logs:PutLogEvents
                - logs:GetLogEvents
                - logs:FilterLogEvents
              Resource: '*'
      - PolicyName: ep-bucket-policy
        PolicyDocument:
          Statement:
            - Sid: bucket1
              Effect: Allow
              Action:
                - s3:GetObject
                - s3:GetObjectAcl
                - s3:AbortMultipartUpload
                - s3:GetObjectTagging
                - s3:DeleteObject
                - s3:ListMultipartUploadParts
              Resource: '*'
            - Sid: bucket2
              Effect: Allow
              Action: s3:ListObjects
              Resource: "*"
      - PolicyName: ep-ecr-policy
        PolicyDocument:
          Statement:
            - Sid: ecr1
              Effect: Allow
              Action:
                - ecr:BatchCheckLayerAvailability
                - ecr:GetDownloadUrlForLayer
                - ecr:GetRepositoryPolicy
                - ecr:DescribeRepositories
                - ecr:ListImages
                - ecr:BatchGetImage
              Resource:
                - !Sub 'arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/*'
            - Sid: ecr2
              Effect: Allow
              Action:
                - ecr:GetAuthorizationToken
              Resource: '*'
      - PolicyName: ep-ecs-policy
        PolicyDocument:
          Statement:
            - Sid: ecs1
              Effect: Allow
              Action:
                - ecs:SubmitTaskStateChange
                - ecs:RegisterContainerInstance
                - ecs:SubmitContainerStateChange
                - ecs:DeregisterContainerInstance
              Resource: !Sub 'arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:cluster/Custom-*'
            - Sid: ecs2
              Effect: Allow
              Action:
                - ecs:Poll
                - ecs:DiscoverPollEndpoint
                - ecs:StartTelemetrySession
                - ecs:CreateCluster
              Resource: "*"

The new key policy will not allow you to update the key policy in the future

The title says it all. I am getting this error whenever I try to create a KMS key via an AWS CloudFormation template. I am creating the template as an IAM user with administrative permissions, and I want the key to be manageable by any IAM user in the same AWS account with KMS permissions. I am using the following YAML resource definition for the key:
LambdaKmsKey:
  Type: AWS::KMS::Key
  Properties:
    Enabled: true
    KeyPolicy:
      Version: 2012-10-17
      Statement:
        - Effect: Allow
          Action: kms:*
          Principal:
            AWS: <Principal>
And yet, NONE of the following values for <Principal> are working, even if I try to create the stack as the root user!
!Join [ "", [ "arn:aws:iam::", !Ref "AWS::AccountId", ":root" ] ]
!Join [ "", [ "arn:aws:sts::", !Ref "AWS::AccountId", ":root" ] ]
!Ref "AWS::AccountId"
I can't just hardcode my user name for the Principal because I want this template to be instantiable by anyone with stack creation permissions. Does anyone know how to resolve this enormously frustrating situation? Thanks in advance.
EDIT:
I should mention that I no longer define KMS Key policies in CloudFormation Templates. In fact, I now avoid defining any security resources in my CF Templates at all, such as IAM entities, policies, and ACM certificates. My reasons for this are described in this GitHub issue.
You are missing the Resource: "*" attribute. This worked for me:
LambdaKmsKey:
  Type: AWS::KMS::Key
  Properties:
    Enabled: true
    KeyPolicy:
      Version: 2012-10-17
      Statement:
        - Effect: Allow
          Action: kms:*
          Resource: "*"
          Principal:
            AWS: !Join [ "", [ "arn:aws:iam::", !Ref "AWS::AccountId", ":root" ] ]
The Resource: "*" is required and is the only possible value:
Resource – (Required) In a key policy, you use "*" for the resource, which means "this CMK." A key policy applies only to the CMK it is attached to.
See https://aws.amazon.com/premiumsupport/knowledge-center/update-key-policy-future/ for an example.
In case this helps someone, be aware of the remark in https://aws.amazon.com/premiumsupport/knowledge-center/update-key-policy-future/
Important: Be sure that the key policy that you create allows the current user to administer the CMK.
I was having this issue while deploying my template from a pipeline, and the proposed solutions did not work for me. The role used to deploy the template had the corresponding KMS permissions, but it needed to be in the Principal of the key policy as well!
- Effect: Allow
  Action: kms:*
  Resource: "*"
  Principal:
    AWS:
      - !Sub arn:aws:iam::${AWS::AccountId}:role/PipelineRole
LambdaKmsKey:
  Type: AWS::KMS::Key
  Properties:
    Description: Key for Lambda function
    Enabled: True
    KeyPolicy:
      Version: '2012-10-17'
      Id: key-consolepolicy-3
      Statement:
        - Sid: Enable IAM User Permissions
          Effect: Allow
          Principal:
            AWS: arn:aws:iam::AwsAccountId:root
          Action: kms:*
          Resource: "*"
        - Sid: Allow use of the key
          Effect: Allow
          Principal:
            AWS:
              Fn::GetAtt: [ IamRoleLambdaExecution, Arn ]
          Action:
            - kms:Decrypt
            - kms:Encrypt
          Resource: "*"
This policy is a bit dangerous because it gives any user or role under the account with kms:decrypt permission the ability to decrypt and view the key, which is not safe and fails pen testing.
If you want to take away permission to decrypt:
LambdaKmsKey:
  Type: AWS::KMS::Key
  Properties:
    Description: Key for Lambda function
    Enabled: True
    KeyPolicy:
      Version: '2012-10-17'
      Id: key-consolepolicy-3
      Statement:
        - Sid: Enable IAM User Permissions
          Effect: Allow
          Principal:
            AWS: arn:aws:iam::AwsAccountId:role/sudo
          Action:
            - kms:Create*
            - kms:Describe*
            - kms:Enable*
            - kms:List*
            - kms:Put*
            - kms:Update*
            - kms:Revoke*
            - kms:Disable*
            - kms:Get*
            - kms:Delete*
            - kms:ScheduleKeyDeletion
            - kms:CancelKeyDeletion
            - kms:Encrypt
          Resource: "*"
        - Sid: Enable IAM User Permissions
          Effect: Allow
          Principal:
            AWS: arn:aws:iam::AwsAccountId:role/admin
          Action:
            - kms:Create*
            - kms:Describe*
            - kms:Enable*
            - kms:List*
            - kms:Put*
            - kms:Update*
            - kms:Revoke*
            - kms:Disable*
            - kms:Get*
            - kms:Delete*
            - kms:ScheduleKeyDeletion
            - kms:CancelKeyDeletion
            - kms:Encrypt
          Resource: "*"
        - Sid: Enable IAM User Permissions
          Effect: Allow
          Principal:
            AWS: arn:aws:iam::AwsAccountId:root
          Action:
            - kms:List*
            - kms:Get*
            - kms:Encrypt
          Resource: "*"
        - Sid: Allow use of the key
          Effect: Allow
          Principal:
            AWS:
              Fn::GetAtt: [ IamRoleLambdaExecution, Arn ]
          Action:
            - kms:Decrypt
            - kms:Encrypt
          Resource: "*"
This way I am giving all other permissions except decrypt to the sudo and admin roles (make sure you have those roles present),
and I am giving list, get and encrypt permissions to the roles and users that have list, get and encrypt permissions.
I got the same error when I tried creating a CMK through Lambda. So I added the Lambda role ARN in the key policy while creating the key.
{
  "Sid": "Allow access for Key Administrators",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn of lambda role"
  }
}
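The KMS answers above come down to three checks: every key policy statement carries Resource "*", the principal that deploys the stack (or the account root) keeps kms:PutKeyPolicy so the key does not lock itself out, and kms:Decrypt is not handed to the whole account through the root principal. The following Python lint runs those checks over a key policy before it goes into a template. It is an added example, not code from any of the posts; ACCOUNT, DEPLOYER and the policy dicts BROKEN and FIXED are constructed sample values with CloudFormation intrinsics already resolved.

```python
# Added example (not from the posts): lint a KMS key policy dict before it goes
# into a CloudFormation template. ACCOUNT and DEPLOYER are constructed values.
from fnmatch import fnmatch

ACCOUNT = "123456789012"
DEPLOYER = f"arn:aws:iam::{ACCOUNT}:role/PipelineRole"   # principal that runs the stack
ROOT = f"arn:aws:iam::{ACCOUNT}:root"

def _as_list(v):
    return [] if v is None else (v if isinstance(v, list) else [v])

def _principals(stmt):
    p = stmt.get("Principal", {})
    return ["*"] if p == "*" else [str(x) for x in _as_list(p.get("AWS"))]

def _grants(stmt, action):
    """True if an Allow statement's Action covers `action` (wildcards, case-insensitive)."""
    if stmt.get("Effect") != "Allow":
        return False
    return any(fnmatch(action.lower(), a.lower()) for a in _as_list(stmt.get("Action")))

def check_key_policy(policy, deployer=DEPLOYER, root=ROOT):
    """Return findings as strings; an empty list means the policy passes every check."""
    findings, can_admin = [], False
    for stmt in policy.get("Statement", []):
        sid, acts = stmt.get("Sid", "<no Sid>"), _as_list(stmt.get("Action"))
        # A key policy statement must carry Resource "*", meaning "this key".
        if _as_list(stmt.get("Resource")) != ["*"]:
            findings.append(f"{sid}: Resource must be '*' in a key policy")
        # Root or the deployer must keep kms:PutKeyPolicy, or KMS rejects the policy as lock-out.
        if _grants(stmt, "kms:PutKeyPolicy") and set(_principals(stmt)) & {root, deployer, "*"}:
            can_admin = True
        # kms:Decrypt for root is usable by any IAM identity whose IAM policy allows it.
        if _grants(stmt, "kms:Decrypt") and root in _principals(stmt):
            findings.append(f"{sid}: kms:Decrypt is reachable by any IAM identity in the account")
        # A misspelled service prefix (kmzs:Update*) silently grants nothing.
        findings += [f"{sid}: {a!r} is not a kms: action" for a in acts if not a.lower().startswith("kms:")]
    if not can_admin:
        findings.append("no Allow statement lets the deployer or account root call kms:PutKeyPolicy")
    return findings

# Constructed from the question: no Resource, and kms:* for root opens Decrypt to the account.
BROKEN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:*", "Principal": {"AWS": ROOT}}]}
# Constructed from the answers: Resource "*", pipeline role as admin, Decrypt only for the Lambda role.
FIXED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "KeyAdmins", "Effect": "Allow", "Resource": "*", "Principal": {"AWS": [DEPLOYER]},
     "Action": ["kms:Create*", "kms:Describe*", "kms:Put*", "kms:List*", "kms:Get*", "kms:ScheduleKeyDeletion"]},
    {"Sid": "KeyUsers", "Effect": "Allow", "Resource": "*", "Action": ["kms:Encrypt", "kms:Decrypt"],
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/LambdaExecutionRole"}}]}
```

Running check_key_policy(BROKEN) reports the missing Resource and the account-wide Decrypt, while check_key_policy(FIXED) returns no findings.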