Jorge Ivansevick

Reputation: 153

IAM Role Conditions in AWS CDK Python

I am creating a new IAM Role custom policy, but it does a rollback with the reason: MalformedPolicyDocument


from aws_cdk import aws_iam as iam  # CDK v2 import

myrole = iam.Role(self, config['CUSTOM_POLICY']['ROLE'],
    assumed_by=iam.ServicePrincipal('ec2.amazonaws.com'),
    role_name=config['CUSTOM_POLICY']['NAME']
)
myrole.add_to_policy(
    iam.PolicyStatement(
        effect=iam.Effect.ALLOW,
        resources=['arn:aws:s3:::MyBucket/*'],
        actions=[
            's3:CreateBucket',
            's3:GetObject',
            's3:ListBucket',
            's3:PutObject'
        ],
        # conditions as posted: a list with no condition operator
        conditions=[
            {
                'aws:SourceIp':'192.10.10.10/32'
            }
        ]
    )
)

If I delete the conditions, it works. What is the correct syntax for conditionals?

Upvotes: 3

Views: 8946

Answers (2)

Amer Elhabbash

Reputation: 520

The accepted answer did not work for me; this is how it worked for Python:

from aws_cdk import Aws, aws_iam as iam  # CDK v2 imports

# bastion_host_stack_name is a variable from the answerer's own stack (not shown here)
iam.PolicyStatement(
    sid="AllowSendCommand",
    effect=iam.Effect.ALLOW,
    actions=["ssm:SendCommand"],
    resources=[
        "arn:aws:ec2:" + Aws.REGION + ":" + Aws.ACCOUNT_ID + ":instance/*",
        "arn:aws:ssm:" + Aws.REGION + "::document/AWS-RunPowerShellScript",
    ],
    # conditions is a dict: condition operator -> condition key -> value(s)
    conditions={
        "StringEquals": {
            "aws:ResourceTag/Name": [bastion_host_stack_name + "/BastionHostLaunchTemplate"]
        }
    },
)

Upvotes: 5

maafk

Reputation: 6876

It looks like you're leaving out the condition operator. Are you looking for something like:

# conditions is a dict keyed by the condition operator, not a list
conditions={
    "NotIpAddress": {
        "aws:SourceIp": ["192.10.10.10/32"]
    }
}

Upvotes: 5
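Both answers come down to the same rule: CDK's `conditions` argument is a dict whose keys are IAM condition operators, and each operator maps condition keys to a value or list of values; a bare list or a key with no operator renders as a Condition block IAM rejects. The following is an added example, not code from the question or either answer and not part of the CDK library: it mirrors that document shape locally so the malformed and well-formed forms can be compared without a deployment. It assumes that `iam.PolicyStatement(conditions=...)` emits the dict verbatim as the statement's "Condition" key (which `cdk synth` confirms), and the operator set, the `validate_conditions` and `render_statement` helpers and the sample values are constructed for this illustration. It also uses `IpAddress` for the question's case, since `NotIpAddress` with an Allow effect permits every source except the listed one.

```python
"""Constructed example: the JSON shape IAM expects for a statement's
Condition block, checked locally. Not from the question, the answers or CDK.

Assumed: CDK renders the `conditions` dict verbatim under "Condition";
the grammar mirrored here is {operator: {condition_key: value_or_list}}.
"""
import ipaddress
import json

# Subset of IAM condition operators, enough for the shapes discussed on this page.
KNOWN_OPERATORS = {
    "StringEquals", "StringLike", "StringNotEquals",
    "ArnEquals", "ArnLike",
    "IpAddress", "NotIpAddress",
    "Bool", "Null",
}


def validate_conditions(conditions):
    """Return a list of problems with a CDK-style `conditions` value; [] means well-formed."""
    problems = []
    if not isinstance(conditions, dict):
        # The question's form: a list. There is no operator, so IAM rejects it.
        problems.append(
            f"conditions must be a dict keyed by operator, got {type(conditions).__name__}"
        )
        return problems
    for operator, keys in conditions.items():
        if operator not in KNOWN_OPERATORS:
            problems.append(f"unknown condition operator: {operator!r}")
        if not isinstance(keys, dict):
            problems.append(
                f"{operator}: expected a dict of condition keys, got {type(keys).__name__}"
            )
            continue
        for key, values in keys.items():
            vals = values if isinstance(values, list) else [values]
            if operator.endswith("IpAddress"):
                # aws:SourceIp values must be IP addresses or CIDR ranges
                for value in vals:
                    try:
                        ipaddress.ip_network(value, strict=False)
                    except ValueError:
                        problems.append(f"{operator}/{key}: {value!r} is not a valid CIDR")
    return problems


def render_statement(actions, resources, conditions=None, effect="Allow"):
    """Build the JSON statement the construct would emit; raise on a malformed Condition."""
    statement = {"Effect": effect, "Action": list(actions), "Resource": list(resources)}
    if conditions:
        problems = validate_conditions(conditions)
        if problems:
            raise ValueError("MalformedPolicyDocument: " + "; ".join(problems))
        statement["Condition"] = conditions
    return statement


# The shape from the question: a list with no operator (constructed copy).
MALFORMED = [{"aws:SourceIp": "192.10.10.10/32"}]

# Operator -> condition key -> values. IpAddress allows only from that range;
# NotIpAddress (as in the accepted answer) would allow from everywhere except it.
RESTRICT_TO_OFFICE = {"IpAddress": {"aws:SourceIp": ["192.10.10.10/32"]}}


def example_statement():
    """The question's S3 statement with a well-formed source-IP condition."""
    return render_statement(
        actions=["s3:GetObject", "s3:PutObject"],
        resources=["arn:aws:s3:::MyBucket/*"],
        conditions=RESTRICT_TO_OFFICE,
    )


if __name__ == "__main__":
    print(validate_conditions(MALFORMED))
    print(json.dumps(example_statement(), indent=2))
```

Running the script prints the problem found in the list form and the rendered statement for the dict form. Note that `aws:SourceIp` matches the public address the request arrives from; calls routed through a VPC endpoint carry `aws:VpcSourceIp` instead, so a condition on `aws:SourceIp` alone will deny those.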
