Cannot create only IAM policy with cloudformation

I am having an issue with creating an IAM policy in CloudFormation. When I run it I get the error that Groups/Roles/Users is required:

Here is my code:

{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "AWS CloudFormation Template IAM Groups and Policies",
"Resources": {
    "PolicyAutoScalingLimitedOperation": {
        "Type": "AWS::IAM::Policy",
        "Properties": {
            "PolicyName": "AutoScaling-Limited-Operation",
            "PolicyDocument": {
                "Statement": [{
                        "Effect": "Allow",
                        "Action": [
                            "dynamodb:*"
                        ],
                        "Resource": "*"
                    },
                    {
                        "Effect": "Allow",
                        "Action": [
                            "cloudwatch:PutMetricData"
                        ],
                        "Resource": "*"
                    },
                    {
                        "Effect": "Allow",
                        "Action": [
                            "xray:PutTraceSegments",
                            "xray:PutTelemetryRecords"
                        ],
                        "Resource": "*"
                    },
                    {
                        "Effect": "Allow",
                        "Action": [
                            "s3:Get*",
                            "s3:List*",
                            "s3:PutObject"
                        ],
                        "Resource": "*"
                    },
                    {
                        "Effect": "Allow",
                        "Action": [
                            "logs:PutLogEvents",
                            "logs:CreateLogStream"
                        ],
                        "Resource": "arn:aws:logs:*:*:log-group:/aws/elasticbeanstalk*"
                    },
                    {
                        "Effect": "Allow",
                        "Action": [
                            "kms:ListAliases",
                            "kms:ListKeys",
                            "kms:Encrypt",
                            "kms:Decrypt"
                        ],
                        "Resource": "*"
                    }
                ]
            }
        }
    }
}

}

Now when I run it I get:

At least one of [Groups,Roles,Users] must be non-empty.

Does that mean I cannot create a policy with CloudFormation without adding a user/role to it?

Hamed Minaee asked Sep 19 '17 22:09

2 Answers

You probably want to create an AWS::IAM::ManagedPolicy if you just want a standalone policy.

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html

Laurent Jalbert Simard answered Sep 30 '22 04:09



From the documentation:

AWS::IAM::ManagedPolicy creates an AWS Identity and Access Management (IAM) managed policy for your AWS account, which you can use to apply permissions to IAM users, groups, and roles.

Here's an example:

Resources:
  CreateTestDBPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: "Policy for creating a test database"
      Path: "/"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: "Allow"
            Action: "rds:CreateDBInstance"
            Resource: "*"

This will resolve your issue.

captainblack answered Sep 30 '22 04:09

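The following Python script is an added example, not code from the question or either answer. It applies both answers mechanically: it finds AWS::IAM::Policy resources that name no Groups, Roles or Users (the condition behind the "At least one of [Groups,Roles,Users] must be non-empty" error), rewrites them as the standalone AWS::IAM::ManagedPolicy resource recommended above, and, as the caveat a reviewer would raise about the question's policy, flags Allow statements that grant a whole service ("dynamodb:*") on Resource "*". The template embedded in it is a constructed, trimmed copy of the question's template (two of its six statements); the property names used (ManagedPolicyName, Path, PolicyDocument, Groups, Roles, Users) are real AWS::IAM::ManagedPolicy properties.

```python
import copy

# Constructed sample: the question's template trimmed to two of its statements.
QUESTION_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "PolicyAutoScalingLimitedOperation": {
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "PolicyName": "AutoScaling-Limited-Operation",
                "PolicyDocument": {
                    "Statement": [
                        {"Effect": "Allow", "Action": ["dynamodb:*"], "Resource": "*"},
                        {
                            "Effect": "Allow",
                            "Action": ["logs:PutLogEvents", "logs:CreateLogStream"],
                            "Resource": "arn:aws:logs:*:*:log-group:/aws/elasticbeanstalk*",
                        },
                    ]
                },
            },
        }
    },
}

PRINCIPAL_KEYS = ("Groups", "Roles", "Users")


def orphan_inline_policies(template):
    """Logical IDs of AWS::IAM::Policy resources with no Groups, Roles or Users.

    An inline policy only exists as part of a principal, which is why
    CloudFormation rejects these with the error quoted in the question.
    """
    orphans = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::IAM::Policy":
            continue
        props = resource.get("Properties", {})
        if not any(props.get(key) for key in PRINCIPAL_KEYS):
            orphans.append(logical_id)
    return orphans


def to_managed_policy(resource):
    """Rewrite one AWS::IAM::Policy resource as a standalone AWS::IAM::ManagedPolicy."""
    props = resource["Properties"]
    document = copy.deepcopy(props["PolicyDocument"])
    # The question's document has no Version; IAM then assumes the 2008-10-17
    # grammar, in which policy variables are treated as literals, so pin it.
    document.setdefault("Version", "2012-10-17")
    new_props = {
        "ManagedPolicyName": props["PolicyName"],
        "Path": "/",
        "PolicyDocument": document,
    }
    # Attachments are optional on a managed policy; keep any that were present.
    for key in PRINCIPAL_KEYS:
        if props.get(key):
            new_props[key] = props[key]
    return {"Type": "AWS::IAM::ManagedPolicy", "Properties": new_props}


def fix_template(template):
    """Return a copy of the template with every orphan inline policy converted."""
    fixed = copy.deepcopy(template)
    for logical_id in orphan_inline_policies(template):
        fixed["Resources"][logical_id] = to_managed_policy(template["Resources"][logical_id])
    return fixed


def _as_list(value):
    return value if isinstance(value, list) else [value]


def broad_statements(policy_document):
    """Indices of Allow statements granting "*" or "service:*" on Resource "*".

    The question's "dynamodb:*" on "*" is one: any principal attached to the
    policy can read, write and delete every table in the account.
    """
    flagged = []
    for index, statement in enumerate(policy_document.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        actions = _as_list(statement.get("Action", []))
        service_wide = any(a == "*" or a.endswith(":*") for a in actions)
        if service_wide and "*" in _as_list(statement.get("Resource", [])):
            flagged.append(index)
    return flagged


if __name__ == "__main__":
    print("orphan inline policies:", orphan_inline_policies(QUESTION_TEMPLATE))
    for logical_id, resource in fix_template(QUESTION_TEMPLATE)["Resources"].items():
        print(logical_id, "->", resource["Type"])
        for i in broad_statements(resource["Properties"]["PolicyDocument"]):
            print("  warning: statement", i, "grants a whole service on every resource")
```

Running it reports the one orphan, rewrites it as an AWS::IAM::ManagedPolicy, and warns on statement 0. Setting ManagedPolicyName is optional; CloudFormation generates a name when it is omitted, and a fixed name means the resource is replaced if the name is later changed.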