MattG

Reputation: 6385

Why does this AWS CloudFormation script throw "Policy contains a statement with one or more invalid principals" error?

I am trying to:

  1. Create a CMK
  2. Create a new bucket that requires/enforces use of that CMK

Code is from here

AWSTemplateFormatVersion: 2010-09-09
Description: Example template with Customer Master Key and S3 bucket

Resources:
  Bucket:
    Type: "AWS::S3::Bucket"
    DeletionPolicy: Retain
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              KMSMasterKeyID: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:${CMKAlias}"
              SSEAlgorithm: "aws:kms"

  CMKAlias:
    Type: "AWS::KMS::Alias"
    Properties:
      AliasName: "alias/test/cmk"
      TargetKeyId: !Ref CMK

  CMK:
    Type: "AWS::KMS::Key"
    Properties:
      Description: "My CMK"
      Enabled: True
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Sid: "Allow root IAM"
            Effect: "Allow"
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:user/root"
            Action:
              - "kms:*"
            Resource: "*"

Outputs:
  CMKId:
    Value: !Ref CMK
  CMKArn:
    Value: !GetAtt CMK.Arn
  CMKAliasArn:
    Value: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:${CMKAlias}"
  Bucket:
    Value: !Ref Bucket

The errors are:

The following resource(s) failed to create: [CMK]. . Rollback requested by user.

Policy contains a statement with one or more invalid principals. 
(Service: AWSKMS; Status Code: 400;
Error Code: MalformedPolicyDocumentException;
Request ID: zzzzzz-zzzzz-zzzzz)

I believe the issue is with this line:

AWS: !Sub "arn:aws:iam::${AWS::AccountId}:user/root"

I see from intrinsic-function-reference-sub that !Sub is a function to replace values, and I see from pseudo-parameter-reference that ${AWS::AccountId} is a valid pseudo parameter, so I do not understand why that line is failing.

I see from how-to-generate-the-aws-root-account-arn-in-cloudformation that this is considered a valid way in YAML:

!Sub arn:aws:iam::${AWS::AccountId}:root

Upvotes: 2

Views: 3381

Answers (1)

MaiKaY

Reputation: 4482

Your indents are not correct.

Try it as the following:

KeyPolicy:
  Version: "2012-10-17"
  Statement:
    - Sid: "Allow root IAM"
      Effect: "Allow"
      Principal:
        # AWS must sit one level under Principal, and the account root
        # principal is ":root"; "user/root" is what KMS rejects as invalid
        AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
      Action:
        - "kms:*"
      Resource: "*"

Upvotes: 2
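As an added example (not code from the question or the answer above): a template that keeps the page's CMK and bucket, uses the ":root" principal the question itself cites as valid, and adds a bucket policy, because default bucket encryption only fills in a missing header and by itself does not enforce the CMK as the question's second goal asks. The DenyOtherKey statement assumes clients that set the header name the key by its ARN.

```yaml
AWSTemplateFormatVersion: 2010-09-09
Resources:
  CMK:
    Type: AWS::KMS::Key
    Properties:
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          # Account root is ":root"; "user/root" is not a valid principal
          - Sid: Allow root IAM
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: "kms:*"
            Resource: "*"
  Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: !GetAtt CMK.Arn   # key ARN rather than a hand-built alias ARN
  # Default encryption only applies when no encryption header is sent. This
  # policy rejects PutObject calls that explicitly ask for another algorithm
  # or another key, which is what "enforce this CMK" actually requires.
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref Bucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: DenyNonKms
            Effect: Deny
            Principal: "*"
            Action: s3:PutObject
            Resource: !Sub "${Bucket.Arn}/*"
            Condition:
              StringNotEqualsIfExists:
                s3:x-amz-server-side-encryption: aws:kms
          - Sid: DenyOtherKey   # assumes clients pass the key ARN in the header
            Effect: Deny
            Principal: "*"
            Action: s3:PutObject
            Resource: !Sub "${Bucket.Arn}/*"
            Condition:
              StringNotEqualsIfExists:
                s3:x-amz-server-side-encryption-aws-kms-key-id: !GetAtt CMK.Arn
```

Because the key policy only grants the account root, any IAM principal that should read or write objects still needs kms:Encrypt/Decrypt/GenerateDataKey on the key through its own IAM policy.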
