Glyn Jackson

Reputation: 8354

CloudFormation policy generation incorrect

CloudFormation doesn't generate my policy as described in the template.

I want to create/recreate this exact policy in my role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "cloudWatch:ListDashboards"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "cloudwatch:GetDashboard",
            "Resource": "arn:aws:cloudwatch::xxxx:dashboard/test"
        }
    ]
}

This is my CloudFormation template (see policy):

  CustomResourceRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
              - ec2.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName:
            !Sub
              - Cloudwatch${PolicyCustomName}DashboardAccessPolicy
              - { PolicyCustomName: !Ref Tenant }
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action: [
                  "cloudWatch:ListDashboards"
                ]
                Resource: '*'
                Action: 'cloudwatch:GetDashboard'
                Resource: 'arn:aws:cloudwatch::xxxx:dashboard/Test'
  RootInstanceProfile:
    Type: 'AWS::IAM::InstanceProfile'
    Properties:
      Path: /
      Roles:
        - !Ref CustomResourceRole

However, this doesn't generate the desired policy. I get the following output, missing the first part of my desired policy. Why?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "cloudwatch:GetDashboard",
            "Resource": "arn:aws:cloudwatch::xxxx:dashboard/Test",
            "Effect": "Allow"
        }
    ]
}

Upvotes: 0

Views: 55

Answers (1)

BAD_SEED

Reputation: 5056

You provided two Action keys for the same Statement, and the CloudFormation engine used the latter, overwriting cloudWatch:ListDashboards.

Since Statement is a list, you can write the two statements:

  CustomResourceRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
              - ec2.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName:
            !Sub
              - Cloudwatch${PolicyCustomName}DashboardAccessPolicy
              - { PolicyCustomName: !Ref Tenant }
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action: "cloudWatch:ListDashboards"
                Resource: '*'
              - Effect: Allow
                Action: 'cloudwatch:GetDashboard'
                Resource: 'arn:aws:cloudwatch::xxxx:dashboard/Test'
  RootInstanceProfile:
    Type: 'AWS::IAM::InstanceProfile'
    Properties:
      Path: /
      Roles:
        - !Ref CustomResourceRole

Upvotes: 2
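The failure above is a generic "last duplicate key wins" mapping behaviour, not something specific to IAM, which is why the template deployed without an error and silently dropped ListDashboards. The following is an added example, not code from the question or the answer: it takes the same PolicyDocument in its JSON form (Python's standard json module exposes a pairs hook; PyYAML's default loader likewise keeps the last duplicate), shows that a lenient parse collapses the broken statement to GetDashboard only, adds a strict loader that rejects repeated keys, and checks the rendered policy against the two actions the role is supposed to get. The two JSON documents and the REQUIRED_ACTIONS list are constructed for the example; the resource ARN is copied from the question.

```python
import json
from typing import Any, Dict, Iterable, List, Set, Tuple

# Constructed sample (not from the question): the same PolicyDocument as JSON,
# carrying the same mistake as the YAML template, i.e. two Action keys and two
# Resource keys inside ONE statement.
BROKEN_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["cloudWatch:ListDashboards"], "Resource": "*",
    "Action": "cloudwatch:GetDashboard",
    "Resource": "arn:aws:cloudwatch::xxxx:dashboard/Test"
  }]
}"""

# Constructed sample: the corrected document, one statement per Action/Resource pair.
FIXED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["cloudWatch:ListDashboards"], "Resource": "*"},
    {"Effect": "Allow", "Action": "cloudwatch:GetDashboard",
     "Resource": "arn:aws:cloudwatch::xxxx:dashboard/Test"}
  ]
}"""

# The two actions the question wants the role to end up with (assumed from the question).
REQUIRED_ACTIONS = ["cloudwatch:ListDashboards", "cloudwatch:GetDashboard"]


class DuplicateKeyError(ValueError):
    """A JSON object repeats a key that a lenient parser would silently overwrite."""


def _reject_duplicate_keys(pairs: Iterable[Tuple[str, Any]]) -> Dict[str, Any]:
    # json.loads hands over the (key, value) pairs in document order, so the
    # first "Action" is visible before the second one would replace it.
    seen: Dict[str, Any] = {}
    for key, value in pairs:
        if key in seen:
            raise DuplicateKeyError(
                f"duplicate key {key!r}: {seen[key]!r} would be overwritten by {value!r}"
            )
        seen[key] = value
    return seen


def load_policy_lenient(text: str) -> Dict[str, Any]:
    """Parse the way a default loader does: the last duplicate key wins."""
    return json.loads(text)


def load_policy_strict(text: str) -> Dict[str, Any]:
    """Parse, but fail on any repeated key instead of overwriting it."""
    return json.loads(text, object_pairs_hook=_reject_duplicate_keys)


def has_duplicate_keys(text: str) -> bool:
    try:
        load_policy_strict(text)
    except DuplicateKeyError:
        return True
    return False


def allowed_actions(policy: Dict[str, Any]) -> Set[str]:
    """Every action granted by an Allow statement, lower-cased because IAM
    matches action names case-insensitively (cloudWatch:... == cloudwatch:...)."""
    actions: Set[str] = set()
    statements = policy["Statement"]
    if isinstance(statements, dict):  # IAM also accepts a single statement object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt.get("Action", [])
        if isinstance(acts, str):
            acts = [acts]
        actions.update(a.lower() for a in acts)
    return actions


def missing_actions(policy: Dict[str, Any], required: List[str]) -> Set[str]:
    """Which of the required actions the rendered policy does NOT grant."""
    return {a.lower() for a in required} - allowed_actions(policy)


if __name__ == "__main__":
    broken = load_policy_lenient(BROKEN_POLICY)
    print("lenient parse keeps", len(broken["Statement"]), "statement; missing:",
          missing_actions(broken, REQUIRED_ACTIONS))
    print("strict parse flags duplicate keys:", has_duplicate_keys(BROKEN_POLICY))
    print("fixed document missing:", missing_actions(load_policy_strict(FIXED_POLICY), REQUIRED_ACTIONS))
```

The strict loader is the check worth wiring into CI: a template linter such as cfn-lint applies the same duplicate-key rule to YAML before the template ever reaches CloudFormation, and the allowed_actions comparison is the post-deployment sanity check on the policy document the role actually received (the JSON shown in the question is exactly that output).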
