All,
I am creating a CloudFormation template. I would like to conditionally add an IAM policy only if the template is being run in the root organization's master account.
I searched around but wasn't able to find an example.
This is what I am doing now. I am just asking if the template should include the policy during creation.
"Parameters": {
    "IncludeOrganizationPolicy": {
        "Description": "Only set to true for the root org",
        "Type": "String",
        "Default": "false",
        "AllowedValues": [
            "true",
            "false"
        ]
    }
}
Ideally, I'd like to do this without having to ask for an input parameter. Something like shown below, but where AWS::AccountId is the master root account.
"Conditions": {
    "CreateSPOrganizationPolicy": {
        "Fn::Equals": [
            {
                "Ref": "AWS::AccountId"
            },
            "<the root account id>"
        ]
    }
}
Also, I am unable to hard-code the root account id. These scripts are going to be given to customers to run in their AWS environment.
Thanks!
Pink
This doesn't answer the question, but this question came up on a related search so I thought I'd post what I did.
I wanted a condition to be true for a single AWS account, so I could create a resource in a single account only. I didn't want to have to use a parameter as I already have a bunch and then I'd have to run the stackset / template again.
Here's the condition that worked:
Conditions:
    Account123Only: !Equals [ !Ref AWS::AccountId, "123123123123" ]
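Neither post shows the condition actually attached to a resource. CloudFormation has no pseudo parameter that identifies the Organizations management account (only AWS::AccountId, AWS::Region, AWS::Partition and a few others exist), so the two options on this page are the ones you have without a custom resource: the explicit parameter from the question, or the hard-coded account id from the answer. The template below is an added example, not code from either poster, that wires both conditions to one IAM managed policy. The policy statements, logical names and the account id 123123123123 (copied from the answer) are placeholders.

```yaml
# Added example: parameter-driven and account-driven conditions on one IAM policy.
# Assumptions: the policy statements, logical names and the account id are placeholders.
AWSTemplateFormatVersion: "2010-09-09"
Description: Conditionally create an IAM policy (added example)

Parameters:
  IncludeOrganizationPolicy:
    Description: Only set to true when deploying into the Organizations management account
    Type: String
    Default: "false"
    AllowedValues: ["true", "false"]

Conditions:
  # Parameter-driven condition (the approach described in the question)
  CreateSPOrganizationPolicy: !Equals [!Ref IncludeOrganizationPolicy, "true"]
  # Account-driven condition (the approach used in the answer); the id is a placeholder
  Account123Only: !Equals [!Ref "AWS::AccountId", "123123123123"]
  # The policy is created when either condition holds
  CreateOrganizationPolicy: !Or [!Condition CreateSPOrganizationPolicy, !Condition Account123Only]

Resources:
  OrganizationReadPolicy:
    Type: AWS::IAM::ManagedPolicy
    # The resource is skipped entirely in accounts where the condition is false,
    # so member accounts never receive the policy
    Condition: CreateOrganizationPolicy
    Properties:
      Description: Read-only Organizations access (placeholder statement)
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            # These Organizations read actions do not support resource-level
            # restrictions, so "*" is the narrowest Resource they accept
            Action:
              - organizations:DescribeOrganization
              - organizations:ListAccounts
            Resource: "*"

Outputs:
  OrganizationPolicyArn:
    # Outputs that reference a conditional resource need the same condition
    Condition: CreateOrganizationPolicy
    Value: !Ref OrganizationReadPolicy
```

In a stack set, the parameter form lets you pass IncludeOrganizationPolicy=true only for the management account's stack instance, while the account-id form needs no parameter but ties the template to one account; keeping the policy read-only limits what a mistaken "true" in the wrong account grants.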