I'm trying to use the following yaml to create an S3 Bucket Policy in CloudFormation:
cloudTrailBucketPolicy:
  Type: "AWS::S3::BucketPolicy"
  Properties:
    Bucket:
      Ref: cloudtrailBucket
    PolicyDocument:
      -
        Action:
          - "s3:GetBucketAcl"
        Effect: Allow
        Resource:
          Fn::Join:
            - ""
            -
              - "arn:aws:s3:::"
              -
                Ref: cloudtrailBucket
              - "/*"
        Principal: "*"
      -
        Action:
          - "s3:PutObject"
        Effect: Allow
        Resource:
          Fn::Join:
            - ""
            -
              - "arn:aws:s3:::"
              -
                Ref: cloudtrailBucket
              - "/*"
        Principal:
          Service: cloudtrail.amazonaws.com
When I try to do this, I get a message that "Value of property PolicyDocument must be an object".
Anyone have any ideas?
You can use the CloudFormation template in the following resolution to use custom resources with an S3 bucket. Consider the following: The template allows you to create folders in S3 buckets. Amazon S3 has a flat structure, but supports the folder concept as a means of grouping objects.
If you specify a template file stored locally, CloudFormation uploads it to an S3 bucket in your AWS account. CloudFormation creates a bucket for each region in which you upload a template file. The buckets are accessible to anyone with Amazon Simple Storage Service (Amazon S3) permissions in your AWS account.
If a template isn't valid JSON, CloudFormation checks whether it is valid YAML. If both checks fail, CloudFormation returns a template validation error. You can validate templates stored locally by using the --template-body parameter, or remotely with the --template-url parameter.
When you create a bucket policy using CloudFormation, CloudFormation under the hood calls the PutBucketPolicy API. So the calling identity (user or role) must have the s3:PutBucketPolicy permission on the bucket; otherwise Amazon S3 returns a 403 Access Denied error. Let's get back on track and create a bucket policy using CloudFormation.
"Template error: YAML aliases are not allowed in CloudFormation templates". A workaround for this is to use the command line: the CloudFormation package command forces a conversion to JSON format, thereby resolving all anchors and aliases. The processing of YAML into JSON is not AWS specific.
The following template places a Bucket resource at the top level of the template instead of inside the Resources section:
{
  "Resources": {
    "WaitCondition": {
      "Type": "AWS::CloudFormation::WaitCondition"
    }
  },
  "Bucket": {
    "Type": "AWS::S3::Bucket",
    "Properties": {
      "Name": "BucketName"
    }
  }
}
This returns the following error: "Template validation error: Invalid template property or properties [Bucket]." The error is caused because the CloudFormation template validator sees the bucket resource as a section-level specification, which isn't allowed as a template property.
Looks like you solved the issue, but for readability you can compress your formatting by using !Sub and knowing that Action allows a single value as well as a list. One of the main reasons I like YAML is that you use less vertical space.
PolicyDocument:
  # PolicyDocument must be an object: a Version plus a Statement list,
  # not a bare list of statements.
  Version: "2012-10-17"
  Statement:
    -
      Action: "s3:GetBucketAcl"
      Effect: Allow
      Resource: !Sub arn:aws:s3:::${cloudtrailBucket}
      # Principal "*" grants s3:GetBucketAcl to anyone, not just CloudTrail.
      Principal: "*"
    -
      Action: "s3:PutObject"
      Effect: Allow
      Resource: !Sub arn:aws:s3:::${cloudtrailBucket}/*
      Principal:
        Service: cloudtrail.amazonaws.com
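As an added example (not from the question or the answer above), a small lint in Python that catches the list-shaped PolicyDocument behind the "must be an object" error, rewraps it into the Version/Statement object CloudFormation expects, and flags Allow statements whose Principal is the wildcard "*". The template is a constructed JSON-form copy of the question's policy, with Fn::Sub standing in for !Sub.

```python
import json

# Constructed sample in JSON form (CloudFormation accepts JSON as well as YAML):
# the shape from the question, with PolicyDocument given as a bare list of
# statements. Not the page's own template; Fn::Sub stands in for !Sub.
BROKEN_TEMPLATE = json.loads("""
{"Resources": {"cloudTrailBucketPolicy": {
  "Type": "AWS::S3::BucketPolicy",
  "Properties": {
    "Bucket": {"Ref": "cloudtrailBucket"},
    "PolicyDocument": [
      {"Action": "s3:GetBucketAcl", "Effect": "Allow", "Principal": "*",
       "Resource": {"Fn::Sub": "arn:aws:s3:::${cloudtrailBucket}"}},
      {"Action": "s3:PutObject", "Effect": "Allow",
       "Principal": {"Service": "cloudtrail.amazonaws.com"},
       "Resource": {"Fn::Sub": "arn:aws:s3:::${cloudtrailBucket}/*"}}
    ]}}}}
""")


def bucket_policies(template):
    """Yield (logical_name, properties) for each AWS::S3::BucketPolicy."""
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::S3::BucketPolicy":
            yield name, res.get("Properties", {})


def lint_bucket_policies(template):
    """Return (resource, message) findings: list-shaped PolicyDocument, missing
    Statement list, and Allow statements open to any principal ("*")."""
    findings = []
    for name, props in bucket_policies(template):
        doc = props.get("PolicyDocument")
        if not isinstance(doc, dict):
            findings.append((name, "PolicyDocument must be an object"))
            continue
        if not isinstance(doc.get("Statement"), list):
            findings.append((name, "PolicyDocument.Statement must be a list"))
            continue
        for i, st in enumerate(doc["Statement"]):
            if st.get("Effect") == "Allow" and st.get("Principal") == "*":
                findings.append((name, f"Statement {i} allows any principal"))
    return findings


def fix_policy_document(template):
    """Copy the template, wrapping any list-shaped PolicyDocument in the object form."""
    fixed = json.loads(json.dumps(template))  # deep copy; input stays untouched
    for _, props in bucket_policies(fixed):
        if isinstance(props.get("PolicyDocument"), list):
            props["PolicyDocument"] = {"Version": "2012-10-17",
                                      "Statement": props["PolicyDocument"]}
    return fixed
```

After the rewrap the template passes the shape check, and the remaining finding is the wildcard Principal on the s3:GetBucketAcl statement.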