Reputation: 12545
When upgrading cfn-lint, I got a new type of warning that took me some time to understand. The error message was:
W1031 '*' was expected when 'Fn::Sub' is resolved
The linting was for an AWS::S3::BucketPolicy:
- Sid: AllowAthenaAndQuickSight
  Effect: Allow
  Principal: !Sub 'arn:aws:iam::${AWS::AccountId}:role/service-role/aws-quicksight-service-role-v0'
  Action:
    - s3:ListBucket
    - s3:GetObject
  Resource:
    - Fn::Sub: 'arn:aws:s3:::${SOURCE_BUCKET_NAME}'
    - Fn::Sub: 'arn:aws:s3:::${SOURCE_BUCKET_NAME}/*'
Upvotes: 1
Views: 94
Reputation: 12545
A valid statement would be Principal: '*', but that would affect security in a negative way. This is, however, the message from the cfn-linter.
The right solution is that the Principal field must also specify the type of principal, for example AWS, Service, Federated, etc. The different types of Principals are documented in the reference for Policy Elements.
The correct syntax in this example (with an AWS Role as Principal) would be:
Principal:
  AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:role/service-role/aws-quicksight-service-role-v0'
A better error message would perhaps have been:
W1031 '*' or a valid Principal JSON object was expected when 'Fn::Sub' is resolved
Upvotes: 0
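To make the shape rule behind the warning concrete, here is an added example (not from the question, the answer, or cfn-lint itself) that checks every statement's Principal in a bucket policy: it accepts either the literal '*' or an object keyed by a documented principal type (AWS, Service, Federated, CanonicalUser), reports a bare ARN string as malformed, and additionally reports the wildcard, since the answer notes that '*' would affect security negatively. The sample policy, the account ID 123456789012 and the bucket name are constructed; the Fn::Sub expressions from the question are shown already resolved, since this check runs on plain JSON rather than on a CloudFormation template.

```python
import json

# Principal types listed in the IAM JSON policy elements reference.
VALID_PRINCIPAL_TYPES = ("AWS", "Service", "Federated", "CanonicalUser")


def check_principal(principal):
    """Return a list of finding strings for one statement's Principal value.

    Shape rule, as in the question: a Principal is either the literal '*' or an
    object keyed by principal type. Anything else is malformed. The wildcard
    itself is reported as well, because it grants access to anyone.
    """
    findings = []
    if principal == "*":
        findings.append("wildcard principal '*' grants access to anyone")
    elif isinstance(principal, str):
        findings.append(
            f"bare string principal {principal!r}; wrap it in a type key, e.g. AWS"
        )
    elif isinstance(principal, dict):
        if not principal:
            findings.append("empty Principal object")
        for key, value in principal.items():
            values = [value] if isinstance(value, str) else list(value)
            if key not in VALID_PRINCIPAL_TYPES:
                findings.append(f"unknown principal type {key!r}")
            elif key == "AWS" and "*" in values:
                findings.append("AWS: '*' is equivalent to an anonymous principal")
    else:
        findings.append(f"unsupported Principal value type {type(principal).__name__}")
    return findings


def check_policy(policy):
    """Map each statement's Sid to the findings for its Principal.

    Statements without a Principal (identity-based policies) are skipped;
    NotPrincipal gets the same shape check.
    """
    results = {}
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for index, stmt in enumerate(statements):
        sid = stmt.get("Sid", f"Statement[{index}]")
        for field in ("Principal", "NotPrincipal"):
            if field in stmt:
                results[sid] = check_principal(stmt[field])
    return results


# Constructed sample bucket policy: the first statement is the question's
# original (bare ARN), the second is the corrected form, the third uses '*'.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAthenaAndQuickSight",
      "Effect": "Allow",
      "Principal": "arn:aws:iam::123456789012:role/service-role/aws-quicksight-service-role-v0",
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": ["arn:aws:s3:::example-source-bucket", "arn:aws:s3:::example-source-bucket/*"]
    },
    {
      "Sid": "AllowAthenaAndQuickSightFixed",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:role/service-role/aws-quicksight-service-role-v0"},
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": ["arn:aws:s3:::example-source-bucket", "arn:aws:s3:::example-source-bucket/*"]
    },
    {
      "Sid": "PublicRead",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-source-bucket/*"
    }
  ]
}
""")


if __name__ == "__main__":
    for sid, findings in check_policy(SAMPLE_POLICY).items():
        print(f"{sid}: {'ok' if not findings else '; '.join(findings)}")
```

Running it reports the first statement as a bare string principal (the shape cfn-lint objects to), the corrected statement as ok, and the third as a wildcard grant; the same routine can be pointed at a policy document pulled from a deployed stack to find statements that deserve review.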