I am trying to create a KMS key using CloudFormation with the template below, and I am getting the following error:
Error:
MalformedPolicyDocumentExceptionnull (Service: AWSKMS; Status Code: 400; Error Code: MalformedPolicyDocumentException; Request ID: cc99c04e-8423-43a3-9183-313438544abb)
I have tried many ways to fix this issue but couldn't find a solution.
Template:
PcsKmsCmk1:
  Type: AWS::KMS::Key
  Properties:
    KeyPolicy:
      Version: 2012-10-17
      Id: default
      Statement:
        - Sid: Allow root account all permissions except to decrypt the key
          Effect: Allow
          Principal:
            AWS:
              - !Sub arn:aws:iam::${AWS::AccountId}:root
          Action: kms:*
          Resource: '*'
        - Sid: Enable AWSAdminRole to have full permissions to KMS key
          Effect: Allow
          Principal:
            AWS:
              - !Sub arn:aws:iam::${AWS::AccountId}:/role/AWSAdminRole
          Action: kms:*
          Resource: '*'
          Condition:
            Bool:
              kms:GrantIsForAWSResource: 'true'
In the ARN, you used /role, which is wrong.
For your reference, use
  - !Sub arn:aws:iam::${AWS::AccountId}:role/AWSAdminRole
instead of
  - !Sub arn:aws:iam::${AWS::AccountId}:/role/AWSAdminRole
Related
I am trying to create a role with an AWS managed policy attached, using CloudFormation, but I am getting an error:
Cannot attach a Service Role Policy to a Customer Role. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: PolicyNotAttachable.
Any help would be appreciated.
Code snippet:
AutoscalingRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Statement:
        - Effect: Allow
          Principal:
            Service: [application-autoscaling.amazonaws.com]
          Action: ['sts:AssumeRole']
    ManagedPolicyArns:
      - 'arn:aws:iam::aws:policy/aws-service-role/AutoScalingServiceRolePolicy'
ECSRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: 2008-10-17
      Statement:
        - Sid: ''
          Effect: Allow
          Principal:
            Service: ecs.amazonaws.com
          Action: 'sts:AssumeRole'
    ManagedPolicyArns:
      - 'arn:aws:iam::aws:policy/aws-service-role/AmazonEC2ContainerServiceRole'
ECSTaskExecutionRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Statement:
        - Effect: Allow
          Principal:
            Service: [ecs-tasks.amazonaws.com]
          Action: ['sts:AssumeRole']
    ManagedPolicyArns:
      - 'arn:aws:iam::aws:policy/aws-service-role/AmazonECSServiceRolePolicy'
It seems you provided the wrong ARN for the managed policy. I looked those up in the AWS console and got:
arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole
instead of your:
arn:aws:iam::aws:policy/aws-service-role/AmazonECSServiceRolePolicy
Just go to the IAM policy panel in the AWS Console and find them one by one; the ARN is provided for each.
Creating an SQS policy gives me this error: Resource handler returned message: "Invalid value for the parameter Policy. (Service: Sqs, Status Code: 400, Request ID: 5d7ffb34-bd69-5409-aec7-a1809c4f6aeb, Extended Request ID: null)" (RequestToken: 0f7979cf-6aae-a59b-e687-99ba47279537, HandlerErrorCode: GeneralServiceException)
Not sure what is wrong here; I have referred to this Stack Overflow post.
SQSQueuePolicy:
  Type: AWS::SQS::QueuePolicy
  Properties:
    PolicyDocument:
      Version: '2008-10-17'
      Id: '__default_policy_ID'
      Statement:
        - Sid: '__owner_statement'
          Effect: Allow
          Principal:
            AWS: 'arn:aws:iam::${AWS::AccountId}:root'
          Action: 'SQS:*'
          Resource: !GetAtt test12StandardQueue.Arn
        - Sid: 'Allow-SNS-SendMessage'
          Effect: Allow
          Principal: '*'
          Action: SQS:SendMessage
          Resource: !GetAtt test12StandardQueue.Arn
          Condition:
            ArnLike:
              aws:SourceArn: !Ref SNSTopicARN
    Queues:
      - !Ref test12StandardQueue
I have tried Version: '2012-10-17' instead of '2008-10-17', but I get the same error.
Instead of
  AWS: 'arn:aws:iam::${AWS::AccountId}:root'
it should be:
  AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
I'm trying to launch a scheduled instance that will be stopped and started at a specified time each day (in an AWS CloudFormation template).
This is the IAM role and policy I defined for the Lambda function:
RootRole:
  Type: 'AWS::IAM::Role'
  Properties:
    AssumeRolePolicyDocument:
      Version: 2012-10-17
      Statement:
        - Effect: Allow
          Action:
            - logs:CreateLogGroup
            - logs:CreateLogStream
            - logs:PutLogEvents
          Resource: arn:aws:logs:*:*:*
        - Effect: Allow
          Action:
            - ec2:Start*
            - ec2:Stop*
          Resource: "*"
When I create a stack, it returns an error in the console (CREATE_FAILED), and the status reason is:
Has prohibited field Resource (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 3094b9eb-9f45-4763-8f21-9c3f2496fc52)
And after this error, all the services related to this role fail with this error:
The following resource(s) failed to create: [InternetGateway, SNSTopicNameCreate, LambdaInvocationsAlarm, RootRole, VPC, LambdaInvocationsAnomalyDetector]. . Rollback requested by user.
Your policy appears to be confusing the "Assume Role" section, which defines the Trust Policy, with the "Policy" section, which grants permissions to the IAM Role.
Try this:
AWSTemplateFormatVersion: 2010-09-09
Resources:
  LambdaRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: Lambda-Role
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: AllowLogsAndEC2
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: arn:aws:logs:*:*:*
              - Effect: Allow
                Action:
                  - ec2:StartInstances
                  - ec2:StopInstances
                Resource: "*"
Typically, the easiest way to create a policy is to copy an existing policy and make minor changes, or use the policy editor in the IAM console to generate most of what you want. You can then tweak the policy it provides.
I can't figure out what I am doing wrong. If I comment out the SNSAddTopicPolicy, everything works fine, but once it is uncommented I get:
SNSAddTopicPolicy - Invalid parameter: Policy Error: null (Service: AmazonSNS; Status Code: 400; Error Code: InvalidParameter; Request ID: 26870c3b-4829-5080-bd88-59e9524c08e4).
I have tried every single combination but can't get it to work. Any help?
BucketAddEventInterfaceSNSTopic:
  Type: AWS::SNS::Topic
  Properties:
    TopicName: accounts-bucket-add-interface-dev
SNSAddTopicPolicy:
  Type: AWS::SNS::TopicPolicy
  Properties:
    PolicyDocument:
      Id: 'accounts-sns-add-policy-dev'
      Version: 2012-10-17
      Statement:
        Sid: 'accounts-sns-add-statement-dev'
        Effect: Allow
        # this probably needs to be narrowed down
        Principal:
          AWS: '*'
        Action: sns:Publish
        Resource: { "Ref":"BucketAddEventInterfaceSNSTopic" }
    Topics:
      - { "Ref": "BucketAddEventInterfaceSNSTopic" }
It looks like you're mixing JSON and YAML syntax for the Ref. Also, just to be safe, you should put quotes around your version, as shown below.
Your policy should look more like this:
SNSAddTopicPolicy:
  Type: AWS::SNS::TopicPolicy
  Properties:
    PolicyDocument:
      Id: 'accounts-sns-add-policy-dev'
      Version: '2012-10-17'
      Statement:
        Sid: 'accounts-sns-add-statement-dev'
        Effect: Allow
        # this probably needs to be narrowed down
        Principal:
          AWS: '*'
        Action: sns:Publish
        Resource: !Ref BucketAddEventInterfaceSNSTopic
    Topics:
      - !Ref BucketAddEventInterfaceSNSTopic
I am trying to create an AWS KMS key policy and have been plagued trying to get CloudFormation to accept it. Everything I have been able to find and read says this policy should be valid and the syntax correct, but when it runs it returns MalformedPolicyDocumentExceptionnull (Service: AWSKMS; Status Code: 400;
Has anyone else run into this? If so, any thoughts or suggestions on how I can resolve the errors? I've been stuck banging my head on this one, can't see what I'm missing, and my Google-fu is failing me.
Code snippet:
SnowflakeProdKMS:
  Type: AWS::KMS::Key
  Properties:
    Description: KMS key used by Snowflake to encrypt/decrypt data stored in s3
    Enabled: True
    EnableKeyRotation: False
    KeyPolicy:
      Version: 2012-10-17
      Id: key-default-1
      Statement:
        - Sid: Enable IAM User Permissions
          Effect: Allow
          Principal:
            AWS:
              - !Sub arn:aws:iam::${AWS::AccountId}:root
          Action:
            - kms:*
          Resource: '*'
        - Sid: Enable AWSAdminRole to have full permissions to KMS key
          Effect: Allow
          Principal:
            AWS:
              - !Sub arn:aws:iam::${AWS::AccountId}:/role/AWSAdminRole
          Action: kms:*
          Resource: '*'
        - Sid: Allow use of the key by other roles
          Effect: Allow
          Principal:
            AWS:
              - !Sub arn:aws:iam::${AWS::AccountId}:role/AWSAdminRole
              # - !Sub arn:aws:iam::${AWS::AccountId}:role/SnowflakeAccessRole
          Action:
            - kms:Encrypt
            - kms:Decrypt
            - kms:ReEncrypt
            - kms:GenerateDataKey
            - kms:DescribeKey
          Resource: '*'
        - Sid: Allow attachment of persistent resources
          Effect: Allow
          Principal:
            AWS:
              - !Sub arn:aws:iam::${AWS::AccountId}:role/AWSAdminRole
              # - !Sub arn:aws:iam::${AWS::AccountId}:role/SnowflakeAccessRole
              - !Sub arn:aws:iam::${AWS::AccountId}:root
          Action:
            - kms:CreateGrant
            - kms:ListGrants
            - kms:RevokeGrant
          Resource: '*'
          Condition:
            Bool:
              - kms:GrantIsForAWSResource: 'true'
After much trial and error and reaching out to other partners, I found the solution to the above issue.
The Condition in the snippet above was incorrect and should have been formatted as follows:
Condition:
  Bool:
    "kms:GrantIsForAWSResource": true
Once changed to this, the policy went in without issue.
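The answers in this thread each point at one way a policy document comes back as MalformedPolicyDocument, InvalidParameter or PolicyNotAttachable: a `:/role/` path in a principal ARN, an `${AWS::AccountId}` interpolation written without `!Sub`, a Condition operator written as a YAML list instead of a mapping, permission statements placed in an AssumeRolePolicyDocument where a trust policy belongs, and an `aws-service-role` managed policy attached to a customer role. The checker below is an added example, not code from any of the posts: it runs all five checks before a stack is submitted, over policies already loaded into Python dicts with the intrinsic functions in their JSON long form (`{"Fn::Sub": ...}`, `{"Fn::GetAtt": [...]}`). The function names, regexes and sample dicts are mine; the samples are constructed to mirror the thread's snippets and are not the posters' templates.

```python
"""Lint CloudFormation policy documents for the pitfalls raised in this thread.
Added example, not code from the posts. Input is a template already loaded into
dicts, with !Sub / !GetAtt in their JSON long form {"Fn::Sub": ...} / {"Fn::GetAtt": [...]}."""
import re

# Principal ARNs accepted by key/queue/topic policies: the account root, a user or a
# role. "${AWS::AccountId}" is allowed because an Fn::Sub template holds it literally.
PRINCIPAL_ARN = re.compile(
    r"^arn:aws:iam::(\d{12}|\$\{AWS::AccountId\}):(root|(user|role)/[\w+=,.@/-]+)$")
PLACEHOLDER = re.compile(r"\$\{[A-Za-z0-9:]+\}")
SERVICE_ROLE_POLICY_PREFIX = "arn:aws:iam::aws:policy/aws-service-role/"


def _leaf_strings(value, in_sub=False):
    """Yield (string, inside_fn_sub) for every string nested in a policy value."""
    if isinstance(value, str):
        yield value, in_sub
    elif isinstance(value, list):
        for item in value:
            yield from _leaf_strings(item, in_sub)
    elif isinstance(value, dict):
        for key, item in value.items():
            yield from _leaf_strings(item, in_sub or key == "Fn::Sub")


def check_statement(stmt, trust_policy=False):
    """Return findings for one statement of a permissions or trust policy."""
    findings = []
    if trust_policy:  # an AssumeRolePolicyDocument says who may assume, never on what
        if "Principal" not in stmt:
            findings.append("trust policy statement has no Principal")
        if "Resource" in stmt:
            findings.append("trust policy statement has prohibited field Resource")
    principal = stmt.get("Principal")
    if isinstance(principal, dict):
        for arn, _ in _leaf_strings(principal.get("AWS", [])):
            if arn != "*" and not PRINCIPAL_ARN.match(arn):
                findings.append(f"malformed principal ARN: {arn}")
    # A "${AWS::AccountId}" outside Fn::Sub reaches the service as a literal string.
    for field in ("Principal", "Resource"):
        for text, in_sub in _leaf_strings(stmt.get(field, [])):
            if not in_sub and PLACEHOLDER.search(text):
                findings.append(f"{field} contains unexpanded placeholder: {text}")
    # Each condition operator maps keys to values; a YAML list there is malformed.
    for operator, body in (stmt.get("Condition") or {}).items():
        if not isinstance(body, dict):
            findings.append(f"Condition {operator} must be a mapping, got {type(body).__name__}")
    return findings


def check_policy_document(doc, trust_policy=False):
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written as a mapping
        statements = [statements]
    return [f"statement {i}: {f}" for i, s in enumerate(statements)
            for f in check_statement(s, trust_policy)]


def check_role(props):
    """Check an AWS::IAM::Role's trust policy, inline policies and managed policy ARNs."""
    findings = check_policy_document(props.get("AssumeRolePolicyDocument", {}), trust_policy=True)
    for inline in props.get("Policies", []):
        findings += check_policy_document(inline.get("PolicyDocument", {}))
    for arn in props.get("ManagedPolicyArns", []):
        if arn.startswith(SERVICE_ROLE_POLICY_PREFIX):  # reserved for service-linked roles
            findings.append(f"service-linked role policy cannot be attached to a customer role: {arn}")
    return findings


# Constructed samples that mirror the thread's snippets; they are not the posters' templates.
KMS_ADMIN_STATEMENT = {
    "Effect": "Allow", "Action": "kms:*", "Resource": "*",
    "Principal": {"AWS": [{"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:/role/AWSAdminRole"}]},
    "Condition": {"Bool": [{"kms:GrantIsForAWSResource": "true"}]},
}
FIXED_KMS_ADMIN_STATEMENT = dict(
    KMS_ADMIN_STATEMENT,
    Principal={"AWS": [{"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/AWSAdminRole"}]},
    Condition={"Bool": {"kms:GrantIsForAWSResource": True}},
)
SQS_OWNER_STATEMENT = {  # !Sub forgotten, so the placeholder is sent verbatim
    "Effect": "Allow", "Action": "SQS:*",
    "Principal": {"AWS": "arn:aws:iam::${AWS::AccountId}:root"},
    "Resource": {"Fn::GetAtt": ["test12StandardQueue", "Arn"]},
}
LAMBDA_TRUST_POLICY = {  # permission statements written where the trust policy belongs
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:Start*", "ec2:Stop*"], "Resource": "*"}],
}
AUTOSCALING_ROLE = {
    "AssumeRolePolicyDocument": {"Statement": [{"Effect": "Allow", "Action": ["sts:AssumeRole"],
        "Principal": {"Service": ["application-autoscaling.amazonaws.com"]}}]},
    "ManagedPolicyArns": ["arn:aws:iam::aws:policy/aws-service-role/AutoScalingServiceRolePolicy"],
}

if __name__ == "__main__":
    print(check_statement(KMS_ADMIN_STATEMENT), check_role(AUTOSCALING_ROLE))
```

Running the module prints the two findings for the broken KMS statement (the `:/role/` ARN and the list-valued `Bool`) and the one finding for the autoscaling role; `check_statement(FIXED_KMS_ADMIN_STATEMENT)` returns an empty list. The managed-policy check is a prefix match on `aws-service-role/` because that path is where AWS keeps policies that only service-linked roles may carry, which is what the PolicyNotAttachable error in the second question is about; the `${...}` check flags the literal placeholder that reaches SQS when `!Sub` is left off, which is what the third question's "Invalid value for the parameter Policy" was reporting.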