Invalid principal in policy: MalformedPolicyDocument - amazon-iam

I am getting the error below for my code, in spite of the existence of the roles mentioned.
AssumeRolePolicyDocument:
  Version: '2012-10-17'
  Statement:
    Effect: Allow
    Principal:
      Service:
        - ec2.amazonaws.com
        - es.amazonaws.com
        - lambda.amazonaws.com
        - autoscaling.amazonaws.com
        - rds.amazonaws.com
      AWS:
        - !Sub 'arn:aws:iam::${AWS::AccountId}:role/${Product}${Environment}*'
        - !Sub 'arn:aws:iam::${AWS::AccountId}:role/infra-${Product}${Environment}*'
    Action:
      - sts:AssumeRole
Invalid principal in policy: "AWS":"arn:aws:iam::xxxxxxx:role/xxxx*" (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument.
Any idea what I am doing wrong?

You can't use a wildcard in this way, as noted in the section Anonymous users (public) of https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html:
"You cannot use a wildcard to match part of a name or an ARN."


AWS - CloudFormation - MalformedPolicyDocument - SHARR

So, this is a strange one. I'm actually using a pre-canned AWS solution that is failing to provision. I am following this document:
https://docs.aws.amazon.com/solutions/latest/automated-security-response-on-aws/deployment.html
The issue I am having is deploying the Template in STEP 2. Specifically, it calls out the below section:
Resources:
  OrchestratorMemberRoleMemberAccountRoleBE9AD9D5:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              AWS:
                Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - ":iam::"
                    - Ref: SecHubAdminAccount
                    - :role/SO0111-SHARR-Orchestrator-Admin
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                Fn::FindInMap:
                  - ServiceprincipalMap
                  - Ref: AWS::Region
                  - ssm
        Version: "2012-10-17"
I have not edited this from what is provided, but the error that I get is as follows:
"Invalid principal in policy: "AWS":"arn:aws:iam::ACCOUNT-ID:role/SO0111-SHARR-Orchestrator-Admin" (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: REQUEST-ID; Proxy: null)"
I downloaded the template and have been attempting to re-format the problem section, but I'm having no luck.
Anyone able to help on this?
Invalid principal in policy
often indicates that such a principal does not exist. To create an IAM role, the principal must already exist beforehand.

MalformedPolicyDocumentExceptionnull AWS KMS KEY

I am trying to create a KMS key using CloudFormation with the template below, and I am getting the following error:
Error:
MalformedPolicyDocumentExceptionnull (Service: AWSKMS; Status Code: 400; Error Code: MalformedPolicyDocumentException; Request ID: cc99c04e-8423-43a3-9183-313438544abb)
I have tried many ways to fix this issue but couldn't find a solution.
Template:
PcsKmsCmk1:
  Type: AWS::KMS::Key
  Properties:
    KeyPolicy:
      Version: 2012-10-17
      Id: default
      Statement:
        - Sid: Allow root account all permissions except to decrypt the key
          Effect: Allow
          Principal:
            AWS:
              - !Sub arn:aws:iam::${AWS::AccountId}:root
          Action: kms:*
          Resource: '*'
        - Sid: Enable AWSAdminRole to have full permissions to KMS key
          Effect: Allow
          Principal:
            AWS:
              - !Sub arn:aws:iam::${AWS::AccountId}:/role/AWSAdminRole
          Action: kms:*
          Resource: '*'
          Condition:
            Bool:
              kms:GrantIsForAWSResource: 'true'
In the ARN, you used /role, which is wrong.
For your reference:
Use - !Sub arn:aws:iam::${AWS::AccountId}:role/AWSAdminRole instead of - !Sub arn:aws:iam::${AWS::AccountId}:/role/AWSAdminRole

not authorized to perform: SNS:ListTopics on resource: arn:aws:sns

I'm facing the error below when specifying the specific resource, but if I use * it works fine. Please suggest.
Error :
com.amazonaws.services.sns.model.AuthorizationErrorException: User: arn:aws:sts::11111111:
assumed-role/iam-role_test/1234567 is not authorized to perform: SNS:ListTopics on resource: arn:aws:sns:us-east-1:11111111:*
(Service: AmazonSNS; Status Code: 403; Error Code: AuthorizationError; Request ID: fae398a7-b776-5643-9f30-ce5a80344)
Below is the policy:
ICMEC2Policy:
  Type: 'AWS::IAM::Policy'
  Properties:
    PolicyName: pe_test
    PolicyDocument:
      Version: 2012-10-17
      Statement:
        - Effect: Allow
          Action:
            - 'SNS:ListTopics'
            - 'SNS:Publish'
            - 'SNS:Unsubscribe'
            - 'SNS:ListTagsForResource'
          Resource:
            - !Sub 'arn:aws:sns:${AWS::Region}:${AWS::AccountId}:workflow-alerts'
Judging by the error message, it might be that in the code your user tries to list all topics and not just the one you provided it access to.

aws lambda function and correspond IAM role for stop and start EC2 instance in CloudFormation

I'm trying to launch a scheduled instance which will be stopped and started at a specified time each day (in an AWS CloudFormation template).
This is the IAM role and policy that I defined for the Lambda function:
RootRole:
  Type: 'AWS::IAM::Role'
  Properties:
    AssumeRolePolicyDocument:
      Version: 2012-10-17
      Statement:
        - Effect: Allow
          Action:
            - logs:CreateLogGroup
            - logs:CreateLogStream
            - logs:PutLogEvents
          Resource: arn:aws:logs:*:*:*
        - Effect: Allow
          Action:
            - ec2:Start*
            - ec2:Stop*
          Resource: "*"
When I create a stack, it returns an error in the console (CREATE_FAILED) and the status reason is:
Has prohibited field Resource (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 3094b9eb-9f45-4763-8f21-9c3f2496fc52)
And after this error, all the services related to this role fail with this error:
The following resource(s) failed to create: [InternetGateway, SNSTopicNameCreate, LambdaInvocationsAlarm, RootRole, VPC, LambdaInvocationsAnomalyDetector]. . Rollback requested by user.
Your policy appears to be confusing the "Assume Role" section, which defines the Trust Policy, with the "Policy" section, which grants permissions to the IAM Role.
Try this:
AWSTemplateFormatVersion: 2010-09-09
Resources:
  LambdaRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: Lambda-Role
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: AllowLogsAndEC2
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: arn:aws:logs:*:*:*
              - Effect: Allow
                Action:
                  - ec2:StartInstances
                  - ec2:StopInstances
                Resource: "*"
Typically, the easiest way to create a policy is to copy an existing policy and make minor changes, or use the policy editor in the IAM console to generate most of what you want. You can then tweak the policy it provides.

What is the valid syntax for a KMS Key Policy to avoid MalformedPolicyDocument errors?

I am trying to create an AWS KMS Key Policy and have been plagued trying to get Cloudformation to accept the key policy. Everything I have been able to find and read says this policy should be valid and the syntax is correct as it runs, but returns MalformedPolicyDocumentExceptionnull (Service: AWSKMS; Status Code: 400;
Has anyone else run into this? If so, any thoughts or suggestions on how I can resolve the errors? I've been stuck banging my head on this one, I can't see what I'm missing, and my google-fu is failing me.
Code Snippet:
SnowflakeProdKMS:
  Type: AWS::KMS::Key
  Properties:
    Description: KMS key used by Snowflake to encrypt/decrypt data stored in s3
    Enabled: True
    EnableKeyRotation: False
    KeyPolicy:
      Version: 2012-10-17
      Id: key-default-1
      Statement:
        - Sid: Enable IAM User Permissions
          Effect: Allow
          Principal:
            AWS:
              - !Sub arn:aws:iam::${AWS::AccountId}:root
          Action:
            - kms:*
          Resource: '*'
        - Sid: Enable AWSAdminRole to have full permissions to KMS key
          Effect: Allow
          Principal:
            AWS:
              - !Sub arn:aws:iam::${AWS::AccountId}:/role/AWSAdminRole
          Action: kms:*
          Resource: '*'
        - Sid: Allow use of the key by other roles
          Effect: Allow
          Principal:
            AWS:
              - !Sub arn:aws:iam::${AWS::AccountId}:role/AWSAdminRole
              # - !Sub arn:aws:iam::${AWS::AccountId}:role/SnowflakeAccessRole
          Action:
            - kms:Encrypt
            - kms:Decrypt
            - kms:ReEncrypt
            - kms:GenerateDataKey
            - kms:DescribeKey
          Resource: '*'
        - Sid: Allow attachment of persistent resources
          Effect: Allow
          Principal:
            AWS:
              - !Sub arn:aws:iam::${AWS::AccountId}:role/AWSAdminRole
              # - !Sub arn:aws:iam::${AWS::AccountId}:role/SnowflakeAccessRole
              - !Sub arn:aws:iam::${AWS::AccountId}:root
          Action:
            - kms:CreateGrant
            - kms:ListGrants
            - kms:RevokeGrant
          Resource: '*'
          Condition:
            Bool:
              - kms:GrantIsForAWSResource: 'true'
After much trial and error and reaching out to other partners, I found the solution for the above issue.
The Condition in the snippet above was incorrect and should have been formatted as follows:
Condition:
  Bool:
    "kms:GrantIsForAWSResource": true
Once changed to this the policy went in without issue.
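Added example (not from any of the posts above): a small Python lint over policy documents in the JSON form IAM actually receives, flagging the four malformations this thread runs into: a wildcard inside an AWS principal ARN (first question), the `:/role/` ARN (KMS questions), `Resource` or a missing `Principal` in a trust policy (Lambda question), and a `Bool` condition written as a YAML list (last question). The `FIXED_TRUST` sample assumes the first asker wants a role-name prefix match; trusting the account root and narrowing with `ArnLike` on `aws:PrincipalArn` is the IAM-accepted way to express that. The account id and sample policies are constructed.

```python
"""Lint IAM policy documents (the JSON dicts IAM receives once CloudFormation has
resolved !Sub / Fn::Join) for the MalformedPolicyDocument causes in this thread.
Sample policies below are constructed to mirror the posted templates."""
import re

# An AWS principal must be a whole identity: account id, root, a user or a role.
PRINCIPAL_RE = re.compile(r"^(\d{12}|arn:[^:]+:iam::\d{12}:(root|user/[^/].+|role/[^/].+))$")

def check_principal(arn):
    """Return a finding for one AWS principal entry, or None if it is well formed."""
    if arn == "*":
        return None  # the anonymous principal is legal (if rarely wanted)
    if "*" in arn or "?" in arn:
        return f"wildcard in principal {arn!r}; use ArnLike on aws:PrincipalArn instead"
    if not PRINCIPAL_RE.match(arn):
        return f"malformed principal {arn!r}; expected arn:<partition>:iam::<account>:role/<name>"
    return None

def lint_policy(doc, trust_policy=False):
    """Return a list of findings; an empty list means no known malformation."""
    findings = []
    stmts = doc.get("Statement")
    if not isinstance(stmts, list):
        return ["Statement must be a list of statement objects"]
    for i, st in enumerate(stmts):
        sid = st.get("Sid", f"statement {i}")
        if trust_policy and "Resource" in st:
            findings.append(f"{sid}: trust policy has prohibited field Resource")
        if trust_policy and "Principal" not in st:
            findings.append(f"{sid}: trust policy statement has no Principal")
        principal = st.get("Principal")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        for arn in ([aws] if isinstance(aws, str) else aws):
            finding = check_principal(arn)
            if finding:
                findings.append(f"{sid}: {finding}")
        for op, keys in st.get("Condition", {}).items():
            if not isinstance(keys, dict):  # e.g. Bool written as a YAML list
                findings.append(f"{sid}: Condition {op} must map keys to values, got {type(keys).__name__}")
    return findings

ACCT = "111111111111"  # constructed account id
WILDCARD_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": [f"arn:aws:iam::{ACCT}:role/infra-prod*"]}}]}
# Same intent, accepted by IAM: trust the account, then narrow to the role-name prefix.
FIXED_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{ACCT}:root"},
    "Condition": {"ArnLike": {"aws:PrincipalArn": f"arn:aws:iam::{ACCT}:role/infra-prod*"}}}]}
```

Run `lint_policy(doc, trust_policy=True)` on an AssumeRolePolicyDocument and `lint_policy(doc)` on a KeyPolicy or PolicyDocument; the lint only catches the shapes IAM rejects outright, not whether the grants are appropriate.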