I have defined an IAM policy for DynamoDB in a CloudFormation template as shown below, and I am getting the following error:
Value of property Users must be of type List of String
Any ideas what I am doing wrong?
myDynamoPolicy:
  Type: AWS::IAM::Policy
  Properties:
    PolicyDocument:
      Version: 2012-10-17
      Statement:
        Sid: AllAPIActionsOnBooks
        Effect: Allow
        Action: dynamodb:*
        Resource:
          Ref: myDynamoDBTable
    PolicyName: DynamoDBOwnerPolicy
    Users:
      Ref: IAMUsers
Per AWS documentation, the Users property must be an array. It should look like this:
myDynamoPolicy:
  Type: AWS::IAM::Policy
  Properties:
    PolicyDocument:
      Version: "2012-10-17"   # quoted so generic YAML tooling does not read it as a date
      Statement:
        Sid: AllAPIActionsOnBooks
        Effect: Allow
        Action: dynamodb:*
        # Ref on a DynamoDB table returns the table name; an IAM Resource needs the ARN
        Resource: !GetAtt myDynamoDBTable.Arn
    PolicyName: DynamoDBOwnerPolicy
    Users:
      -
        Ref: "IAMUsers"
CloudFormation template reference can be found here.
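The same rule applies to the Groups and Roles properties of AWS::IAM::Policy: all three are lists of names. As an added example (not part of the answer above), the template below passes the user list as a CommaDelimitedList parameter, which already resolves to a list and so needs no wrapping `-`, and scopes the policy to the table ARN plus its indexes. The parameter default, the table definition and the user names are assumptions; the users must already exist in the account.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  IAMUsers:
    # Assumed parameter: a CommaDelimitedList resolves to a list, so it can be
    # handed to Users with a plain !Ref. The named users must already exist.
    Type: CommaDelimitedList
    Default: "alice,bob"
Resources:
  myDynamoDBTable:
    Type: AWS::DynamoDB::Table
    Properties:
      BillingMode: PAY_PER_REQUEST
      AttributeDefinitions:
        - AttributeName: isbn
          AttributeType: S
      KeySchema:
        - AttributeName: isbn
          KeyType: HASH
  myDynamoPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: DynamoDBOwnerPolicy
      # Users, Groups and Roles are all "List of String"
      Users: !Ref IAMUsers
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AllAPIActionsOnBooks
            Effect: Allow
            Action: dynamodb:*
            # Ref on the table gives its name; IAM needs ARNs. Secondary
            # indexes have their own ARNs under <table-arn>/index/<name>.
            Resource:
              - !GetAtt myDynamoDBTable.Arn
              - !Sub "${myDynamoDBTable.Arn}/index/*"
```

If you attach a policy that names users or roles, the stack needs CAPABILITY_IAM when you create or update it.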
Related
I want to create an IAM role with a read-only policy (arn:aws:iam::aws:policy/ReadOnlyAccess).
In order to prevent access to all objects in all buckets, I added a Deny section in the CloudFormation template:
ReadOnlyAccessRole:
  Type: AWS::IAM::Role
  Properties:
    Path: /
    RoleName: read-only-role
    AssumeRolePolicyDocument:
      Version: 2012-10-17
      Statement:
        - Effect: Allow
          Principal:
            AWS: !Ref AwsAccount
          Action: sts:AssumeRole
        - Effect: Deny
          Sid: DenyS3GetObject
          Action: s3:GetObject
          Resource: "arn:aws:s3:::/*"
    ManagedPolicyArns:
      - "arn:aws:iam::aws:policy/ReadOnlyAccess"
I get a "MalformedPolicyDocument" error in the Deny section (Resource).
I already tested these options:
Resource: "*"
Resource: "arn:aws:s3:::/*"
Resource: "arn:aws:s3:::prefix-bucket*"
Do you have any idea about this syntax error?
EDIT:
Error from CloudFormation:
Has prohibited field Resource (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: ......; Proxy: null)
You seem to be missing the Policies section.
Try something like this:
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  AwsAccount:
    Type: String
Resources:
  MyTestRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: read-only-role
      # Trust policy: who may assume the role. A Resource element is not allowed here.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Ref AwsAccount
            Action: sts:AssumeRole
      # Permission policy: what the role may do. The Deny belongs here.
      Policies:
        - PolicyName: EmbeddedInlinePolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Deny
                Action: s3:GetObject
                Resource: '*'
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/ReadOnlyAccess
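Two details matter once the Deny is in the right place. Object ARNs have the form arn:aws:s3:::bucket/key, so "arn:aws:s3:::/*" matches nothing; and ReadOnlyAccess grants s3:Get*, so denying only s3:GetObject still leaves versioned objects readable through s3:GetObjectVersion. The template below is an added example, not the answer's code, showing the Deny scoped to objects in buckets with a given name prefix; the AwsAccount and BucketPrefix parameters are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  AwsAccount:
    Type: String
    Description: Account ID whose principals may assume the role (assumed parameter)
  BucketPrefix:
    Type: String
    Default: prefix-bucket   # assumed bucket-name prefix
Resources:
  ReadOnlyAccessRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: read-only-role
      # Trust policy: Principal, Action and Condition only; Resource is prohibited.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Ref AwsAccount
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/ReadOnlyAccess"
      Policies:
        - PolicyName: DenyObjectReads
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: DenyS3ObjectReads
                Effect: Deny
                # ReadOnlyAccess allows s3:Get*; deny the version read as well,
                # otherwise an explicit-version GET still returns the object.
                Action:
                  - s3:GetObject
                  - s3:GetObjectVersion
                # Object-level ARN: bucket name pattern, then "/" and the key pattern.
                Resource: !Sub "arn:${AWS::Partition}:s3:::${BucketPrefix}*/*"
```

An explicit Deny wins over any Allow, so this works regardless of what the managed policy grants; to block every bucket, use "arn:aws:s3:::*/*" or simply "*".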
If I define an SSM parameter in one CloudFormation template like this:
KinesisStreamARNParameter:
  Type: AWS::SSM::Parameter
  Properties:
    Name: !Sub "/${Environment}/Services/${Domain}/kinesis_stream_arn"
    Type: String
    Value: !GetAtt KinesisStream.Arn
How would I use it in a different template file that defines a role? How would I refer to it under Resources for the policy?
KinesisFirehoseRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: 2012-10-17
      Statement:
        - Effect: Allow
          Principal:
            Service: firehose.amazonaws.com
          Action: sts:AssumeRole
    Path: /
    Policies:
      - PolicyName: KinesisFirehosePolicy
        PolicyDocument:
          Version: 2012-10-17
          Statement:
            - Effect: Allow
              Action:
                - kinesis:*
                - s3:*
                - s3-object-lambda:*
              Resource:
                - !Sub "${Bucket.Arn}/*"
Generally there are two choices:
Export the ARN of your KinesisStreamARNParameter in the Outputs. Then use ImportValue to reference it in your second template.
Pass the arn as an input parameter to your second template. This will require you to manually provide the value when you deploy the second template, or create some automation wrapper that will populate that value for you before deployment.
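Both choices, as an added example rather than the answer's own code, with the two templates shown in one block separated by `---`. The first exports the stream ARN; the second imports it with Fn::ImportValue, and also shows the second choice done without manual copying: a parameter of type AWS::SSM::Parameter::Value<String> whose Default is the SSM parameter name, which CloudFormation resolves to the stored value at deploy time. The stream definition, the Environment/Domain defaults and the narrowed Kinesis actions are assumptions.

```yaml
# Template 1 (producer): stores the ARN in SSM and exports it as well.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  Environment: {Type: String, Default: dev}      # assumed
  Domain: {Type: String, Default: orders}        # assumed
Resources:
  KinesisStream:
    Type: AWS::Kinesis::Stream
    Properties:
      ShardCount: 1
  KinesisStreamARNParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: !Sub "/${Environment}/Services/${Domain}/kinesis_stream_arn"
      Type: String
      Value: !GetAtt KinesisStream.Arn
Outputs:
  KinesisStreamArn:
    Value: !GetAtt KinesisStream.Arn
    # Export names must be unique within the account and region.
    Export:
      Name: !Sub "${Environment}-${Domain}-kinesis-stream-arn"
---
# Template 2 (consumer): references the ARN either way.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  Environment: {Type: String, Default: dev}
  Domain: {Type: String, Default: orders}
  # Choice 2 without a manual copy: Default is the SSM parameter *name*
  # (intrinsic functions are not allowed in Parameters, so it is a literal);
  # !Ref on this parameter yields the stored *value*.
  KinesisStreamArnFromSsm:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /dev/Services/orders/kinesis_stream_arn
Resources:
  KinesisFirehoseRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: firehose.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: KinesisFirehosePolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                # The actions Firehose needs to read a Kinesis source.
                Action:
                  - kinesis:DescribeStream
                  - kinesis:GetShardIterator
                  - kinesis:GetRecords
                  - kinesis:ListShards
                Resource:
                  # Choice 1: cross-stack reference. The producer stack cannot
                  # be deleted while this import exists.
                  - !ImportValue
                      Fn::Sub: "${Environment}-${Domain}-kinesis-stream-arn"
Outputs:
  ResolvedFromSsm:
    # Choice 2: the same ARN, read from SSM when the stack is deployed.
    Value: !Ref KinesisStreamArnFromSsm
```

The export creates a hard dependency between stacks; the SSM-backed parameter does not, but it is only re-read on a stack update, so a changed value is not picked up until the consumer is redeployed.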
In an AWS CloudFormation template, how do I create a new Lambda role (test_lambda_role)
which has access to s3:GetObject and RDS (rds-db:connect)?
Resources:
  Role:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub test_lambda_role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Lambda:
                - !Sub "arn:aws:iam::${AWS::AccountId}:saml-provider/${pSamlProviderAdmin}"
            Action:
              - rds-db:connect
The Lambda function is not created with the above template.
AssumeRolePolicyDocument is for a trust policy, as explained in:
Creating a role to delegate permissions to an AWS service
Thus a template with only a lambda execution role could be:
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  testlambdarole:
    Type: String
    Default: role-name
Resources:
  Role:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref testlambdarole
      # Trust policy: lets the Lambda service assume the role.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: {'Service': ['lambda.amazonaws.com']}
            Action: ['sts:AssumeRole']
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AWSLambdaExecute
      # Permission policies: what the function may do once it holds the role.
      Policies:
        - PolicyName: S3Access
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - s3:GetObject
                Resource: "*"   # narrow to the bucket's object ARN in practice
        - PolicyName: RdsAccess
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - rds-db:connect
                Resource: "*"   # narrow to the rds-db dbuser ARN in practice
You would need to adjust Policies to exactly what you require.
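Adjusting the policies mostly means replacing the "*" resources. As an added example (not the answer's code), the template below scopes s3:GetObject to one bucket's objects and rds-db:connect to one database user on one instance; note that rds-db:connect is authorised against the DB resource ID (the dbi-/cluster- identifier) and user name, not the instance ARN. It also swaps AWSLambdaExecute, which grants s3:GetObject and s3:PutObject on every bucket, for the logs-only AWSLambdaBasicExecutionRole. The Bucket, DbResourceId and DbUser parameters are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  Bucket:
    Type: String          # assumed: name of the bucket the function reads from
  DbResourceId:
    Type: String          # assumed: e.g. db-ABCDEFGHIJKL01234 or cluster-ABCDEF...
  DbUser:
    Type: String
    Default: lambda_app   # assumed: DB user created with rds_iam / AWSAuthenticationPlugin
Resources:
  Role:
    Type: AWS::IAM::Role
    Properties:
      RoleName: test_lambda_role
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        # CloudWatch Logs only; AWSLambdaExecute would also allow
        # s3:GetObject/PutObject on arn:aws:s3:::*.
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
      Policies:
        - PolicyName: S3Access
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: s3:GetObject
                Resource: !Sub "arn:${AWS::Partition}:s3:::${Bucket}/*"
        - PolicyName: RdsAccess
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: rds-db:connect
                # arn:<partition>:rds-db:<region>:<account>:dbuser:<resource-id>/<db-user>
                Resource: !Sub "arn:${AWS::Partition}:rds-db:${AWS::Region}:${AWS::AccountId}:dbuser:${DbResourceId}/${DbUser}"
```

If the function runs inside a VPC to reach the database, it additionally needs AWSLambdaVPCAccessExecutionRole (or the equivalent ec2:*NetworkInterface* permissions) for its network interfaces.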
I'm using an IAM role for a Glue job that does some data processing; to accomplish this task I need to assume the role that executes the Glue job.
As an example, in the following CloudFormation template the IAM::Policy has permission to query a DynamoDB table and to get objects from an S3 bucket.
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Resources:
  GlueAccessPolicy:
    Type: AWS::IAM::Policy
    Properties:
      Roles:
        - !Ref GlueRole
      PolicyName: glue_access_policy
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action: 's3:getObject'
            Resource:
              - 's3_bucket_arn'
          - Effect: Allow
            Action:
              - 'dynamodb:DescribeTable'
              - 'dynamodb:Query'
            Resource:
              - 'dynamo_table_arn'
  GlueRole:
    Type: 'AWS::IAM::Role'
    Properties:
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: 'Allow'
            Principal:
              Service:
                - 'glue.amazonaws.com'
            Action:
              - 'sts:AssumeRole'
Now, this question illustrates an example of assuming role B from role A (switching roles).
So my question is whether it is possible or valid for GlueRole to assume GlueRole?
As there is no limitation on a role assuming itself, and the docs state the following:
A policy that grants a user permission to assume a role must include a statement with the Allow effect on the following:
The sts:AssumeRole action
The Amazon Resource Name (ARN) of the role in a Resource element
it is straightforward to add this policy to the AWS::IAM::Policy resource in the CloudFormation template.
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Resources:
  GlueAccessPolicy:
    Type: AWS::IAM::Policy
    Properties:
      Roles:
        - !Ref GlueRole
      PolicyName: glue_access_policy
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action: 'sts:AssumeRole'
            Resource: !GetAtt GlueRole.Arn
  GlueRole:
    Type: 'AWS::IAM::Role'
    Properties:
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: 'Allow'
            Principal:
              Service:
                - 'glue.amazonaws.com'
            Action:
              - 'sts:AssumeRole'
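One caveat a practitioner should check: same-account AssumeRole must be allowed by the role's trust policy as well as by the caller's identity policy, and since the 2022 change to trust-policy behaviour a role no longer implicitly trusts itself. The trust policy above only trusts the Glue service principal, so the role session would get AccessDenied on the self-AssumeRole call. The role also cannot list its own ARN as a principal at creation time, because IAM checks that role principals exist when it saves the trust policy. The template below is an added example (not the answer's code) that trusts the account root, which delegates the decision to identity policies such as GlueAccessPolicy, and uses aws:PrincipalArn to narrow that grant back to the role's own sessions. The fixed role name is an assumption needed so the ARN can be written as a plain string.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  GlueRole:
    Type: AWS::IAM::Role
    Properties:
      # Fixed name (assumed) so the trust policy can spell out this role's ARN
      # without a self-referencing !GetAtt, which would be a circular dependency.
      RoleName: glue-job-role
      ManagedPolicyArns:
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSGlueServiceRole"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: glue.amazonaws.com
            Action: sts:AssumeRole
          # Self-assumption: IAM rejects a role principal that does not exist
          # yet, so trust the account root and let identity policies decide.
          # The Condition limits this statement to sessions of this very role;
          # ARNs inside Condition values are not validated for existence.
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:root"
            Action: sts:AssumeRole
            Condition:
              ArnEquals:
                aws:PrincipalArn: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/glue-job-role"
  GlueAccessPolicy:
    Type: AWS::IAM::Policy
    Properties:
      Roles:
        - !Ref GlueRole
      PolicyName: glue_access_policy
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Identity-policy half of the grant: the role may call AssumeRole on itself.
          - Effect: Allow
            Action: sts:AssumeRole
            Resource: !GetAtt GlueRole.Arn
```

Without the Condition, any principal in the account whose identity policy allows sts:AssumeRole on this role could assume it; with it, only the role's own sessions qualify. Because the role has an explicit RoleName, deploying the stack requires CAPABILITY_NAMED_IAM.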
I was looking at the condition function Fn::If to create or provision a resource only if a condition evaluates to true. In my case, create a policy only if the environment is prod.
Parameters:
  Env:
    Description: Environment
    Type: String
Conditions:
  IsProd: !Equals [!Ref Env, 'prod']
I know how to do it for a property, but not for the entire resource block.
Type: 'AWS::IAM::Policy'
Properties:
  PolicyName: root
  PolicyDocument:
    Version: 2012-10-17
    Statement:
      - Effect: Allow
        Action: '*'
        Resource: '*'
  Roles:
    - !Ref RootRole
Is this something possible?
You can do it using the Condition resource attribute. For example:
Resources:
  MyIAMPolicy:
    Condition: IsProd
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: root
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action: '*'
            Resource: '*'
      Roles:
        - !Ref RootRole
More on this can be found here:
Conditionally launch AWS CloudFormation resources based on user input
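The one thing that bites after adding a resource-level Condition is referencing the conditional resource from somewhere unconditional: when the condition is false the resource does not exist, and the stack fails to validate. Any Ref or GetAtt to it must either carry the same Condition or sit on the true branch of an Fn::If. The template below is an added example (not the answer's code) showing both forms in Outputs; the RootRole definition and the AllowedValues list are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  Env:
    Description: Environment
    Type: String
    AllowedValues: [dev, staging, prod]   # assumed
Conditions:
  IsProd: !Equals [!Ref Env, prod]
Resources:
  RootRole:
    # Assumed role definition so the template is complete; created in every environment.
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:root"
            Action: sts:AssumeRole
  MyIAMPolicy:
    # Created only when IsProd is true.
    Condition: IsProd
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: root
      Roles:
        - !Ref RootRole
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: "*"
            Resource: "*"
Outputs:
  AppliedPolicy:
    # Form 1: the referencing output carries the same Condition, so it is
    # simply absent in non-prod stacks.
    Condition: IsProd
    Value: !Ref MyIAMPolicy
  PolicyStatus:
    # Form 2: unconditional output whose Ref only occurs on the true branch.
    Value: !If [IsProd, !Ref MyIAMPolicy, "no-policy-attached"]
```

The same two forms apply to Properties of other resources: give the dependent resource the same Condition, or wrap the reference in !If with AWS::NoValue on the false branch.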