I have a list of ARNs from numerous accounts in a configuration file that I then build into an S3 bucket policy. But if one of these ARNs is invalid, say arn:aws:iam::12345679012:user/foo-bar, then I will get the following exception when trying to apply a policy that includes that ARN:
lib/aws/core/client.rb:375:in `return_or_raise': Invalid principal in policy (AWS::S3::Errors::MalformedPolicy)
It seems like this could cause problems should any of the ARNs in my file get deleted. Then, I can't append to the existing policy. I'd have to find out which ARN is the "poison pill" and delete it. But the exception message doesn't give that information to me.
Questions:
Your question doesn't specify ruby, so I will show you how I handled this (poorly, I suspect) with the Python Boto3 library.
While trying to update an AssumeRole policy with a number of ARNs, one or more of them were invalid. Here is the boto call which produces the error:
import json
import boto3
import botocore.exceptions
iamClient = boto3.client("iam")
try:
    iamClient.update_assume_role_policy(RoleName=curated_role_name, PolicyDocument=json.dumps(assume_role_policy_document))
except botocore.exceptions.ClientError as e:
    print(e.response['Error']['Message'])
The result from the above code snippet is:
Invalid principal in policy: "AWS":"arn:aws:iam::42xxxxx:user/idontexist"
I then do a simple RE to extract the bad ARN and then attempt to re-apply my update. If there are still bad ARNs in the list, then I get the next one in the list and remove that. This recurses until the policy is accepted.
I was searching for exactly the same thing you were - an "ARN Validator". I didn't find it, so I had to handle it myself. I thought about checking all the ARNs involved in a separate function, but since it's rare I run into the issue, I didn't want to incur the overhead.
I hope you may find some of this helpful.
Dave O
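The retry-and-strip loop Dave O describes (apply the policy, read the rejected principal out of the error message, remove it, re-apply until the service accepts the document), written out as an added example. This is not Dave O's code and not part of the original thread. It assumes the IAM error shape quoted in his answer (code MalformedPolicyDocument, message containing `"AWS":"arn:..."`) and, so that it runs offline, substitutes a constructed fake for `iam.update_assume_role_policy` that rejects principals from a constructed "does not exist" set, one per call, as the answer observed. The policy document, account IDs and ARNs are made up. Two points a practitioner would want: the S3 error in the question ("Invalid principal in policy" with no ARN) does not name the offender, so the loop re-raises instead of guessing; and every stripped principal is returned to the caller, because silently dropping entries from a trust or bucket policy changes who has access and should be reviewed, not just logged and forgotten.

```python
import json
import re
from typing import Callable

try:
    from botocore.exceptions import ClientError
except ImportError:  # assumption: let the example run where boto3/botocore is not installed
    class ClientError(Exception):
        """Minimal stand-in with the same constructor and .response as botocore's ClientError."""
        def __init__(self, error_response, operation_name):
            self.response = error_response
            self.operation_name = operation_name
            super().__init__(f"{operation_name}: {error_response['Error']['Message']}")

# Error codes seen for a bad principal: IAM trust policies use MalformedPolicyDocument,
# S3 bucket policies use MalformedPolicy (assumption: both are handled the same way).
POLICY_ERROR_CODES = {"MalformedPolicyDocument", "MalformedPolicy"}

# Matches the message shape quoted in the answer above:
#   Invalid principal in policy: "AWS":"arn:aws:iam::42xxxxx:user/idontexist"
INVALID_PRINCIPAL_RE = re.compile(r'Invalid principal in policy:\s*"AWS":"([^"]+)"')


def invalid_principal_from_error(err: ClientError):
    """Return the ARN the service rejected, or None if the error does not name one."""
    if err.response["Error"]["Code"] not in POLICY_ERROR_CODES:
        return None
    m = INVALID_PRINCIPAL_RE.search(err.response["Error"]["Message"])
    return m.group(1) if m else None


def remove_principal(policy: dict, arn: str) -> bool:
    """Strip `arn` from every statement's Principal.AWS; drop a statement left with no principals.
    Returns True if the document changed. Assumes Statement is a list or a single dict."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    changed = False
    kept_statements = []
    for stmt in statements:
        principal = stmt.get("Principal")
        if isinstance(principal, dict) and "AWS" in principal:
            aws = principal["AWS"]
            aws_list = [aws] if isinstance(aws, str) else list(aws)
            kept = [p for p in aws_list if p != arn]
            if len(kept) != len(aws_list):
                changed = True
                if not kept:
                    continue  # an empty Principal is itself malformed, so drop the statement
                principal["AWS"] = kept[0] if len(kept) == 1 else kept
        kept_statements.append(stmt)
    policy["Statement"] = kept_statements
    return changed


def apply_policy_dropping_invalid_principals(apply: Callable[[str], None], policy: dict,
                                             max_attempts: int = 50):
    """Call apply(policy_json); each time it rejects a named principal, remove it and retry.
    Returns (accepted_policy, removed_arns). Any other error is re-raised unchanged."""
    policy = json.loads(json.dumps(policy))  # work on a deep copy, never mutate the caller's document
    removed = []
    for _ in range(max_attempts):
        try:
            apply(json.dumps(policy))
            return policy, removed
        except ClientError as err:
            bad = invalid_principal_from_error(err)
            if bad is None or not remove_principal(policy, bad):
                raise  # unrecognised error, or the named ARN is not in our document: surface it
            removed.append(bad)
    raise RuntimeError(f"gave up after {max_attempts} attempts; removed so far: {removed}")


# Constructed sample data: two of the three principals "do not exist" in this simulation.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": [
            "arn:aws:iam::111111111111:user/alice",
            "arn:aws:iam::222222222222:user/idontexist",
            "arn:aws:iam::333333333333:role/deleted-role",
        ]},
        "Action": "sts:AssumeRole",
    }],
}
MISSING_PRINCIPALS = {
    "arn:aws:iam::222222222222:user/idontexist",
    "arn:aws:iam::333333333333:role/deleted-role",
}


def fake_update_assume_role_policy(policy_json: str) -> None:
    """Constructed stand-in for iam.update_assume_role_policy: rejects the first unknown
    principal it finds, one per call, in the message shape the answer quotes."""
    for stmt in json.loads(policy_json)["Statement"]:
        aws = stmt["Principal"]["AWS"]
        for arn in ([aws] if isinstance(aws, str) else aws):
            if arn in MISSING_PRINCIPALS:
                raise ClientError(
                    {"Error": {"Code": "MalformedPolicyDocument",
                               "Message": f'Invalid principal in policy: "AWS":"{arn}"'}},
                    "UpdateAssumeRolePolicy")


def demo():
    return apply_policy_dropping_invalid_principals(fake_update_assume_role_policy, SAMPLE_POLICY)


if __name__ == "__main__":
    accepted, removed = demo()
    print("removed principals:", removed)
    print(json.dumps(accepted, indent=2))
```

Against a real account, pass `lambda doc: iam.update_assume_role_policy(RoleName=name, PolicyDocument=doc)` (or `s3.put_bucket_policy(Bucket=b, Policy=doc)`) as `apply`; the loop only strips principals the service explicitly names, so a message without an ARN, like the one in the question, is raised to the caller rather than causing blind deletions.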