Subham Tripathi

Reputation: 2733

Error using put-group-policy with cli-input-json

I am trying to create a policy for a group by using cli-input-json, providing JSON as input to the CLI command. The command is

aws iam put-group-policy --cli-input-json file://D:\\json\\demo\\json
grpPolicy_testpolicy1.json

which gives the following error

A client error (MalformedPolicyDocument) occurred when calling the PutGroupPolicy operation: The policy is not in the valid JSON format.

The content of the JSON file at D:\json\demo\json grpPolicy_testpolicy1.json is

{
    "GroupName": "testgroup11",
    "PolicyName": "testpolicy11",
    "PolicyDocument": "file://D:\\json\\policypermission.txt"
}

The content of the policy document file at D:\json\ policypermission.txt is

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "uploadandgetfromS3",
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:CreateObject",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:PutBucketAcl",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "rds:DescribeDBLogFiles",
                "rds:DownloadDbLogFilePortion"
            ],
            "Resource": "*"
        }
    ]
}

I have verified all the JSON files for the validity of the JSON; still, the AWS CLI says that the policy document is malformed. I have also created and attached the above-mentioned policy by using the normal CLI command to confirm the validity of the policy document, and that has worked fine.

Upvotes: 0

Views: 1444

Answers (1)

Steffen Opel

Reputation: 64731

{
    "GroupName": "testgroup11",
    "PolicyName": "testpolicy11",
    "PolicyDocument": "file://D:\\json\\policypermission.txt"
}

While this would make sense conceptually, I think the AWS Command Line Interface (AWS CLI) doesn't support inline/nested references to URLs like file:// here, rather only as a command line argument, e.g.:

aws iam put-group-policy --cli-input-json file://D:\\json\\demo\\json \
  grpPolicy_testpolicy1.json --policy-document file://D:\\json\\policypermission.txt

This works, because command line arguments take precedence over those specified as CLI Input JSON Parameters. However, once you do not specify the overriding --policy-document, the JSON parser trips over the inline PolicyDocument element, where it expects an inline JSON object but encounters the URL file://D:\\json\\policypermission.txt instead.

Upvotes: 2
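An added example, not part of the question or the answer above: because a file:// value nested inside the CLI input JSON is not resolved, one alternative to the --policy-document override is to generate the input file with the policy embedded as a JSON string, which is the type the PolicyDocument parameter takes. The function name `inline_policy_refs` and the injected `read_text` loader are hypothetical; the sample data is constructed from the files shown in the question.

```python
import json

def inline_policy_refs(cli_input, read_text, keys=("PolicyDocument",)):
    """Return a copy of a --cli-input-json dict in which file:// values under
    `keys` are replaced by the referenced policy, serialized as a JSON string.

    read_text(path) -> str is injected so the function can be tested offline.
    """
    out = dict(cli_input)  # leave the caller's dict untouched
    for key in keys:
        value = out.get(key)
        if isinstance(value, str) and value.startswith("file://"):
            raw = read_text(value[len("file://"):])
            policy = json.loads(raw)  # raises ValueError if the file is not JSON
            if "Statement" not in policy:
                raise ValueError(f"{key}: policy has no Statement element")
            # Compact form keeps the embedded string short and free of newlines.
            out[key] = json.dumps(policy, separators=(",", ":"))
    return out

# Constructed sample data mirroring the two files in the question.
SAMPLE_POLICY = """{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "uploadandgetfromS3",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": "*"
        }
    ]
}"""
SAMPLE_INPUT = {
    "GroupName": "testgroup11",
    "PolicyName": "testpolicy11",
    "PolicyDocument": "file://D:\\json\\policypermission.txt",
}

if __name__ == "__main__":
    # With real files, pass: lambda p: open(p, encoding="utf-8").read()
    fixed = inline_policy_refs(SAMPLE_INPUT, lambda path: SAMPLE_POLICY)
    print(json.dumps(fixed, indent=4))
```

The printed object can be saved and passed to --cli-input-json on its own. Parsing the policy before embedding it also catches a genuinely malformed document locally, before the API call is made.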
