Create a policy cloud formation - aws-sdk

Does anyone know how to create a policy using CloudFormation and then have another CloudFormation template that assigns that policy to a role?
I'm looking at http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html and that doesn't answer my question.

The link between a policy and a role is declared in the AWS::IAM::Policy resource. So, for instance, you can have one stack export the role and another stack import it using the intrinsic function Fn::ImportValue and link it to a policy resource.
Exporting stack:

Resources:
  myRole:
    Type: "AWS::IAM::Role"
    Properties:
      ...
Outputs:
  exportedRole:
    Value: !Ref myRole
    Export:
      Name: "myExportedRole"

Importing stack:

Resources:
  myPolicy:
    Type: "AWS::IAM::Policy"
    Properties:
      Roles:
        - !ImportValue myExportedRole
      ...

You can create the role and the policy at the same time. Here is an example:
"LambdaFunctionRole": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "lambda.amazonaws.com"
            ]
          },
          "Action": [
            "sts:AssumeRole"
          ]
        }
      ]
    },
    "Path": "/",
    "Policies": [
      {
        "PolicyName": "AlexaSkillCloudWatchLogsAccess",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "AllowLogging",
              "Effect": "Allow",
              "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
              ],
              "Resource": [
                "*"
              ]
            }
          ]
        }
      }
    ]
  }
}
This resource creates a policy for a Lambda function with a policy included. Then you can include the ARN of the role in a Lambda function in the same template with "Fn::GetAtt".

Related

JSON Syntax Error: Fix the JSON syntax error while creating policy

I am following an AWS tutorial and came across a step to create a policy. But I am getting a JSON error. It doesn't tell me much and I'm not sure how to fix it.
I tried to paste it into VS Code to get an idea, but VS Code is complaining about "Invalid escape character in string.json(261)".
You are missing the " at cloudformation. It should be:
"Action": [
  "cloudformation:*",
  "iam:PassRole"
]
Resolved
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "cloudformation:*",
        "iam:PassRole"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "s3:Get*",
        "s3:Put*",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::artifact-bucket-{DEV_ACCOUNT_ID}",
        "arn:aws:s3:::artifact-bucket-{DEV_ACCOUNT_ID}/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "kms:DescribeKey",
        "kms:GenerateDataKey*",
        "kms:Encrypt",
        "kms:ReEncrypt*",
        "kms:Decrypt"
      ],
      "Resource": "{KEY_ARN}",
      "Effect": "Allow"
    }
  ]
}
Found this here https://github.com/aws-samples/aws-cross-account-cicd-pipeline

how to give json content inside a yaml file - serverless

I have been trying to add a JSON policy inside a YAML file but have been unsuccessful so far:
custom:
  deploymentBucket:
    versioning: true
    policy: |
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "AllowSSLRequestsOnly",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
              "arn:aws:s3:::deeperion-deployment-bucket",
              "arn:aws:s3:::deeperion-deployment-bucket/*"
            ],
            "Condition": {
              "Bool": {
                "aws:SecureTransport": "false"
              }
            }
          }
        ]
      }
The Serverless Framework plugin below allows you to add a bucket policy to the deployment bucket:
https://www.serverless.com/plugins/serverless-deployment-bucket

How to define AWS IAM attribute-based access control in terraform

I am defining attribute-based access control (ABAC) for AWS IAM within my Terraform file. A sample policy is:
resource "aws_iam_role_policy" "testS3" {
  name   = "testS3"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::dev-${aws:PrincipalTag/team}*"
    }
  ]
}
EOF
}
How do I call that ${block} within Terraform? Terraform translates that into its own variables.
It worked with an extra $ in the string.
resource "aws_iam_role_policy" "testS3" {
  name   = "testS3"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::dev-$${aws:PrincipalTag/team}*"
    }
  ]
}
EOF
}
I also tried it with a variables.tf file and referenced the variable in the JSON.
variables.tf
variable "principaltag" {
  default = "$${aws:PrincipalTag/tedteam}"
}
policy.tf
resource "aws_iam_role_policy" "testS3" {
  name   = "testS3"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::dev-${var.principaltag}*"
    }
  ]
}
EOF
}
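As an added illustration (not Terraform's own parser, and not code from the question), the Python below emulates the two pieces of Terraform string expansion that matter here, the `$${` escape and `${var.NAME}` lookup, so the three snippets above can be checked offline; the policy text is constructed for the example.

```python
import json
import re

# Either the `$${` escape or a `${...}` interpolation.
TOKEN = re.compile(r"\$\$\{|\$\{([^}]*)\}")


def render_heredoc(text: str, variables: dict) -> str:
    """Emulate Terraform's string expansion: `$${` becomes a literal `${`,
    `${var.NAME}` is replaced by the variable's value (inserted verbatim and
    never expanded again), and any other `${...}` is rejected, as Terraform
    rejects an unknown reference such as `${aws:PrincipalTag/team}`."""
    def replace(m: re.Match) -> str:
        if m.group(0) == "$${":
            return "${"
        ref = m.group(1).strip()
        if ref.startswith("var."):
            name = ref[len("var."):]
            if name not in variables:
                raise ValueError(f"undeclared variable: {name}")
            return variables[name]
        raise ValueError(f"invalid reference in template: ${{{ref}}}")
    return TOKEN.sub(replace, text)

# Constructed policy body, as one would naturally paste it into the heredoc.
POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:ListBucket"],
    "Resource": "arn:aws:s3:::dev-${aws:PrincipalTag/team}*"
  }]
}"""

def escape_policy_variables(policy: str) -> str:
    """The fix from the answer: every IAM `${...}` becomes `$${...}`."""
    return policy.replace("${", "$${")

def render_escaped_policy() -> str:
    """Second snippet: the escaped heredoc, rendered and checked to still be
    valid JSON for aws_iam_role_policy."""
    rendered = render_heredoc(escape_policy_variables(POLICY), {})
    json.loads(rendered)
    return rendered

def render_via_variable() -> str:
    """Third snippet: the tag reference sits in a variable default (itself
    `$$`-escaped) and the heredoc only references `${var.principaltag}`."""
    tag = render_heredoc("$${aws:PrincipalTag/tedteam}", {})
    return render_heredoc('"arn:aws:s3:::dev-${var.principaltag}*"', {"principaltag": tag})
```

Rendering the unescaped POLICY raises, which is the emulated form of the error the question describes; the escaped form round-trips to the original policy text with the IAM variable intact.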

Can I use PrincipalTag in resource arn within AWS IAM policy to authorize a team?

I have S3 buckets named after team names. For example, the policy below works if I want to provide Get and List permissions by using a PrincipalTag in a Condition operator. But I'll have to define a similar policy by changing the S3 ARN for every team.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::companyName-TeamName*",
        "arn:aws:s3:::companyName-TeamName*/*"
      ],
      "Condition": {
        "StringEquals": {
          "s3:ExistingObjectTag/teamname": "${aws:PrincipalTag/teamname}"
        }
      }
    }
  ]
}
What if I want to define the resource ARN using the PrincipalTag, like below?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::companyName-${aws:PrincipalTag/teamname}*",
        "arn:aws:s3:::companyName-${aws:PrincipalTag/teamname}*/*"
      ],
      "Condition": {
        "StringEquals": {
          "s3:ExistingObjectTag/teamname": "${aws:PrincipalTag/teamname}"
        }
      }
    }
  ]
}
All teams assume their roles, which have a tag 'teamname':'Their Team Name'.
Can I define a policy like this? This would reduce the redundancy of policies. I do not want to define all the S3 ARNs in the resource section; it would be a long list of teams and their buckets.

Can I pass JSON policy file as parameter value to s3bucket policy

I'm wondering if it's possible to have a policy defined in a .json file generated by the AWS Policy Generator and have that file passed into the CloudFormation S3 bucket policy as a parameter value.
So the policy.json file looks something like the following:
{
  "Id": "Policyid",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmtid",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::<bucket name>",
      "Principal": {
        "AWS": [
          "<user>"
        ]
      }
    }
  ]
}
Now I want to call it with something like this:
aws cloudformation create-stack --stack-name mystack --template-body file:///mystackcreation.json --parameter ParameterKey=PolicyDocument,ParameterValue=policy.json
where mystackcreation.json is a test file which looks like:
{
  "Parameters": {
    "PolicyDocument": {
      "Type": "String",
      "Description": ""
    }
  },
  "Resources": {
    "S3BucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": "mybucket",
        "PolicyDocument": { "Ref": "PolicyDocument" }
      }
    }
  }
}