DineshNS
Reputation: 3670
Using AWS::Region in Policy Resources
I am trying to dynamically change the s3 resource name based on current cloud formation stack region. Cloudformation stack updates without any error. Am I doing something wrong? I am expecting to have a policy with {AWS::Region} resolved to us-east-1.
Version: 2012-10-17
Statement:
- Sid: RestrictS3Access
Effect: Allow
Action:
- 's3:GetObject'
Resource:
- !Sub "arn:aws:s3:::dnsa-${AWS::Region}test/${cognito-identity.amazonaws.com:sub}"
- !Sub "arn:aws:s3:::dnsa-${AWS::Region}test/${cognito-identity.amazonaws.com:sub}/*"
I am expecting to see the policy as follows. I am checking results from aws console.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::dnsa-us-east-1/${cognito-identity.amazonaws.com:sub}",
"arn:aws:s3:::dnsa-us-east-1/${cognito-identity.amazonaws.com:sub}/*"
],
"Effect": "Allow",
"Sid": "RestrictS3Access"
}
Upvotes: 0
Views: 247
Answers (1)
kichik
Reputation: 34704
If you want ${cognito-identity.amazonaws.com:sub} to remain unchanged, you need to escape it with ${!}.
Version: 2012-10-17
Statement:
- Sid: RestrictS3Access
Effect: Allow
Action:
- 's3:GetObject'
Resource:
- !Sub "arn:aws:s3:::dnsa-${AWS::Region}test/${!cognito-identity.amazonaws.com:sub}"
- !Sub "arn:aws:s3:::dnsa-${AWS::Region}test/${!cognito-identity.amazonaws.com:sub}/*"
Upvotes: 0
Related Questions
- CloudFormation Cross-Region Reference
- AWS Cloudformation IAM Policy with Resource
- AWS Region issue while deploying cloudformation template
- How to access cross region resources in Cloudformation
- How can I instruct an AWS CloudFormation template to create resources in a specific region?
- Cloudformation Macro to use Cross Region Lambda
- How to implement region specific configuration for AWS CloudFormation stack and resources
- Cloudformation - Create resources in different regions
- Create CloudFormation resources in different region
- AWS Cloudformation Template - Set Region in S3 Bucket