How to reference a resource ARN in a CloudFormation policy document? (YAML)

I am trying to define a trust relationship policy document between a role and a user in CloudFormation (YAML).

For specifying the ARN of the user in the role's AssumeRolePolicyDocument, I want to reference the ARN from the actual CloudFormation resource, instead of having to construct the ARN string.

But it doesn't work. When I use !Ref rUser, I get an error when creating the CloudFormation stack: "invalid principal in policy".

When I just paste the ARN string as the value, it works. Is it because !Ref rUser returns a user object type and does not evaluate to a string? If so, how can I reference the ARN from the resource?

Code:

Resources:
  rUser:
    Type: "AWS::IAM::User"
    Properties:
      UserName: "my_user"

  rRole:
    DependsOn: rUser  # the role's trust policy refers to the user
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: "my_role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: "Allow"
            Principal:
              AWS:
                # this does not work, gives error "Invalid Principal in policy"
                - !Ref rUser
                # this does work (just hard-coding the ARN string):
                # - "arn:aws:iam::111111111111:user/my_user"
            Action:
              - "sts:AssumeRole"
asked Nov 28 '19 22:11 by James Wierzba


1 Answer

Just figured it out ... quite simple using the GetAtt function:

  rRole:
    DependsOn: rExternalUser  # rExternalUser is the AWS::IAM::User resource (rUser in the question)
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: "my_role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: "Allow"
            Principal:
              AWS:
                # !GetAtt <user>.Arn returns the user's ARN; !Ref on an
                # AWS::IAM::User returns only the user name, which is not a valid principal
                - !GetAtt rExternalUser.Arn  # use the GetAtt function
            Action:
              - "sts:AssumeRole"
answered Sep 28 '22 00:09 by James Wierzba
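A complete template built on the answer's approach, added here as an example rather than code from the original post: it declares the user and the role together, uses !GetAtt where the property needs an ARN and !Ref where it needs a user name, and adds an identity-side grant plus an MFA condition in the trust policy. The MFA condition assumes the user has an MFA device enrolled; the resource names rUserAssumePolicy and the policy names are chosen for this example.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Role assumable only by a user declared in the same template (added example)

Resources:
  rUser:
    Type: AWS::IAM::User
    Properties:
      UserName: my_user

  rRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: my_role
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              # !Ref on AWS::IAM::User yields the user name ("my_user"), which is
              # not a valid principal; the Arn attribute gives the full ARN.
              AWS: !GetAtt rUser.Arn
            Action: sts:AssumeRole
            Condition:
              # Assumption: the user has an MFA device; require it to assume the role.
              Bool:
                aws:MultiFactorAuthPresent: "true"

  # Identity-side grant that mirrors the trust policy above
  rUserAssumePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: allow-assume-my-role
      Users:
        - !Ref rUser          # here !Ref is correct: Users takes user names
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Resource: !GetAtt rRole.Arn

Outputs:
  UserName:
    Value: !Ref rUser          # resolves to "my_user"
  UserArn:
    Value: !GetAtt rUser.Arn   # resolves to "arn:aws:iam::<account-id>:user/my_user"
```

Because !GetAtt rUser.Arn creates an implicit dependency, no DependsOn is needed on the role; the two Outputs make the difference between !Ref and !GetAtt visible in the stack's output tab.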