Reputation: 1155
I am exploring aws simulate-custom-policy.
I'm getting an invalid input error on the policy input list.
The error is:
An error occurred (InvalidInput) when calling the SimulateCustomPolicy operation: Policy input list item 1 has invalid content
The command is:
aws --profile dev-insecure iam simulate-custom-policy \
--resource-policy file://resourcePolicy.json \
--policy-input-list file://iamPolicy.json \
--resource-arns arn:aws:s3:::mybucket-publiclyvisible/* \
--action-names s3:GetObject \
--caller-arn arn:aws:iam::<my account number>:user/jc
The iamPolicy.json file:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
Upvotes: 1
Views: 1447
Reputation: 1
Steffen Opel is right, but I suggest passing the JSON as one string via the cat command:
aws iam simulate-principal-policy \
--policy-source-arn arn:aws:iam::010999287103:user/lolkek \
--action-names iam:GetAccountEmailAddress \
--policy-input-list "$(cat iam_read_only.json)"
Upvotes: 0
Reputation: 64751
That's easy to run into I'm afraid (took me a while to figure it out):
The AWS CLI parameter --policy-input-list of the aws iam simulate-custom-policy action expects an array of JSON strings:
A list of policy documents to include in the simulation. Each document is specified as a string containing the complete, valid JSON text of an IAM policy. [...]
This means the iamPolicy.json file content needs to be a) an array, and b) the JSON policies need to be escaped, as follows:
[
"{ \"Version\": \"2012-10-17\", \"Statement\": [ { \"Action\": [ \"*\" ], \"Resource\": [ \"*\" ], \"Effect\": \"Allow\" } ]}"
]
Upvotes: 1
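To make the wrapping described in Steffen Opel's answer mechanical rather than hand-escaped, here is an added helper (example code, not from the question or either answer, and not an AWS tool): it turns plain policy documents into the array-of-strings file that --policy-input-list file://... expects, and checks a candidate file for the exact mistake the question shows (a bare policy object instead of an array of policy strings). The sample policy is the one from the question; file paths are assumptions.

```python
import json
from pathlib import Path

# Constructed sample: the policy document from the question, as a plain JSON object.
POLICY_DOC = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

def to_policy_input_list(policy_docs):
    """Serialise policy documents into the shape --policy-input-list expects:
    a JSON array whose items are strings, each holding one complete policy
    document (json.dumps produces the backslash-escaped inner quotes)."""
    return json.dumps([json.dumps(doc, separators=(",", ":")) for doc in policy_docs])

def check_policy_input_list(text):
    """Return a list of problems with a candidate policy-input-list file,
    or [] if it is well-formed for SimulateCustomPolicy."""
    problems = []
    try:
        value = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(value, list):
        # The question's iamPolicy.json fails here: it is an object, not an array.
        return [f"top level must be a JSON array, got {type(value).__name__}"]
    for i, item in enumerate(value, start=1):
        if not isinstance(item, str):
            problems.append(f"item {i}: must be a string holding a policy, got {type(item).__name__}")
            continue
        try:
            doc = json.loads(item)
        except json.JSONDecodeError as exc:
            problems.append(f"item {i}: string is not valid policy JSON: {exc}")
            continue
        if not isinstance(doc, dict) or "Statement" not in doc:
            problems.append(f"item {i}: policy must be an object with a Statement key")
    return problems

def write_policy_input_list(policy_paths, out_path):
    """Read one or more plain policy .json files (assumed paths) and write the
    wrapped list file to pass as --policy-input-list file://<out_path>."""
    docs = [json.loads(Path(p).read_text()) for p in policy_paths]
    Path(out_path).write_text(to_policy_input_list(docs))

if __name__ == "__main__":
    print(to_policy_input_list([POLICY_DOC]))
    print(check_policy_input_list('{"Version": "2012-10-17"}'))  # the question's mistake
```

Run the checker over an existing file before calling the CLI; an empty list means the file has the array-of-strings shape the parameter requires.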