I have the following role. From within it I want to use an existing managed policy from another stack.
How can I do so?
"TestRole": {
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": [
"sts:AssumeRole"
],
"Effect": "Allow",
"Principal": {
"Service": [
"lambda.amazonaws.com"
]
}
}
],
"Version": "2012-10-17"
},
"Path": "/lambda/",
"Policies": [
??????
]
},
"Type": "AWS::IAM::Role"
}
Note: To reference a resource in another AWS CloudFormation stack, you must create cross-stack references. To create a cross-stack reference, use the export field to flag the value of a resource output for export.
Cross-stack references let you use a layered or service-oriented architecture. Instead of including all resources in a single stack, you create related AWS resources in separate stacks; then you can refer to required resource outputs from other stacks.
There's now a supported way to do this, using Imports/Exports. Basically, the stack that creates the policy has an output that contains the policy name (or ARN, not sure which is needed in this case), and declares it as an export with a regionally-unique name. Then, other stacks can consume it using the Import function.
For example, if the following stack (let's say it's named FooStack) creates the managed policy, it can have the following in its output:
"Outputs" : {
"MyManagedPolicy" : {
"Value" : { "Ref" : "MyManagedPolicy" },
"Export" : { "Name" : {"Fn::Sub": "${AWS::StackName}-MyManagedPolicy" }}
}
}
The other stack can use it:
"Policies": [
{ "Fn::ImportValue" : "FooStack-MyManagedPolicy" }
]
If your requirement is a stand-alone sharable policy, then you need to make it a ManagedPolicy and not a standard Policy.
An example:
MyManagedPolicy:
  Type: AWS::IAM::ManagedPolicy
  Properties:
    Path: "/"
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: "Allow"
          Action:
            - "s3:*"
          Resource:
            # MyBucket is assumed to be an AWS::S3::Bucket defined in this same stack
            - Fn::GetAtt: [MyBucket, Arn]
Export it:
Outputs:
  MyManagedPolicy:
    Description: MyManagedPolicy
    Value:
      Ref: MyManagedPolicy   # Ref on an AWS::IAM::ManagedPolicy returns its ARN
    Export:
      Name:
        Fn::Join:
          - "-"
          - - "MyManagedPolicy"
            - Ref: StackName   # StackName: a parameter of this stack (AWS::StackName also works)
Then in your other stack where you want to import this stand-alone managed policy in one of your roles, do this:
MyUserRole:
  Type: "AWS::IAM::Role"
  Properties:
    RoleName: "SomeName"
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: "Allow"
          Principal:
            AWS:
              - .....
          Action:
            - .....
    Path: "/"
    ManagedPolicyArns:
      - Fn::ImportValue:
          # StackName here is a parameter holding the name of the exporting stack
          Fn::Sub: "MyManagedPolicy-${StackName}"
    Policies:
      - PolicyName: "NameOfYourInlinePolicyWithoutSpaces"
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Action:
                - .....
              Resource:
                - .....
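As an added check that is not part of either answer: a small Python script, with constructed templates and no AWS calls, that resolves the Export names a producer template would publish, confirms each Fn::ImportValue in the consumer matches one, and flags an imported managed-policy ARN placed under Policies instead of ManagedPolicyArns. The template contents, the stack name "FooStack" and the StackName parameter are assumptions made for the example.

```python
# Constructed templates shaped like the answers above; not the answers' own code.
PRODUCER = {"Resources": {"MyManagedPolicy": {"Type": "AWS::IAM::ManagedPolicy"}},
            "Outputs": {"MyManagedPolicy": {"Value": {"Ref": "MyManagedPolicy"},
                "Export": {"Name": {"Fn::Sub": "${AWS::StackName}-MyManagedPolicy"}}}}}
CONSUMER = {"Resources": {"TestRole": {
    "Type": "AWS::IAM::Role",
    "Properties": {
        # Ref on a ManagedPolicy exports its ARN, which belongs under ManagedPolicyArns
        "ManagedPolicyArns": [{"Fn::ImportValue": "FooStack-MyManagedPolicy"}],
        # No such export exists, and Policies takes inline documents, not ARNs
        "Policies": [{"Fn::ImportValue": {"Fn::Sub": "${StackName}-Missing"}}],
    },
}}}

def resolve(name, stack_name, params):
    """Evaluate the intrinsics the answers use in export names: Fn::Sub, Fn::Join, Ref."""
    if isinstance(name, str):
        return name
    if "Fn::Sub" in name:
        s = name["Fn::Sub"].replace("${AWS::StackName}", stack_name)
        for k, v in params.items():
            s = s.replace("${" + k + "}", v)
        return s
    if "Fn::Join" in name:
        sep, parts = name["Fn::Join"]
        return sep.join(resolve(p, stack_name, params) for p in parts)
    if "Ref" in name:
        return stack_name if name["Ref"] == "AWS::StackName" else params[name["Ref"]]
    raise ValueError(f"unsupported intrinsic: {name}")

def exports(template, stack_name, params=None):
    """Export names a template publishes when deployed as stack_name."""
    return {resolve(o["Export"]["Name"], stack_name, params or {})
            for o in template.get("Outputs", {}).values() if "Export" in o}

def check_imports(consumer, available, stack_name, params=None):
    """Findings: imports with no matching export, and imported ARNs under Policies."""
    findings = []
    for logical, res in consumer["Resources"].items():
        for field in ("ManagedPolicyArns", "Policies"):
            for item in res.get("Properties", {}).get(field, []):
                if not isinstance(item, dict) or "Fn::ImportValue" not in item:
                    continue  # literal ARN or inline policy document
                name = resolve(item["Fn::ImportValue"], stack_name, params or {})
                if name not in available:
                    findings.append(f"{logical}: import '{name}' has no matching export")
                if field == "Policies":
                    findings.append(f"{logical}: imported ARN under Policies; use ManagedPolicyArns")
    return findings
```

Run it against your own templates before deploying: CloudFormation only reports a missing export at stack creation time, and a deleted or renamed export breaks every consumer that imports it.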