Attach policy to an IAM Role


Solution 1

First, Line 9 contains a JSON syntax error, the brackets {} around your Role string should be removed:

        "Roles": [ "arn:aws:iam::710161973367:role/Cognito_CFIAuth_Role" ],

Second, AWS::IAM::Policy's Roles property accepts "The names of AWS::IAM::Roles to attach to this policy", not full ARNs, so your line should be:

        "Roles": [ "Cognito_CFIAuth_Role" ],

You are also missing a closing bracket } at the end of your example.

Solution 2

With the AWS::IAM::Policy resource, you're creating an inline policy. http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html explains that this takes a list of "The names of AWS::IAM::Roles", which I take to be the logical names of role resources defined within the same stack.

If you want to attach the policy to a preexisting role, you should use the ManagedPolicy type instead. http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-roles takes the name of the preexisting role(s).
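As an added example (not code from either answer or from the asker), the following Python script turns the two answers' points into a lint over a CloudFormation template: the template must parse as JSON, and every literal entry in a policy resource's Roles list must be a role name rather than a role ARN. It also flags a Principal element inside the policy document, a point neither answer raises: a policy attached to a role is identity-based, and identity-based policies cannot name a principal. BROKEN_TEMPLATE is constructed from the asker's template after Solution 1's JSON fixes, with the ARN and the Principal still in place; FIXED_TEMPLATE is a constructed correction that uses AWS::IAM::ManagedPolicy, as Solution 2 recommends for a role that already exists outside the stack. The function and constant names are this example's own.

```python
"""Lint CloudFormation IAM policy resources for the mistakes discussed above."""
import json
import re

# Matches a full IAM role ARN, which is what the asker put in Roles by mistake.
ROLE_ARN_RE = re.compile(r"^arn:aws[\w-]*:iam::\d{12}:role/")
POLICY_TYPES = {"AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"}

# Constructed: the asker's template after Solution 1's JSON fixes (no braces
# around the role string, closing brace added) but still with a role ARN in
# Roles and a Principal in the statement.
BROKEN_TEMPLATE = r'''{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Policy to allow send receive message from SQS Queue",
  "Resources": {
    "MyPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "CFUsers",
        "Roles": ["arn:aws:iam::710161973367:role/Cognito_CFIAuth_Role"],
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{
            "Sid": "Sid1482400105445",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::710161973367:role/Cognito_CFIAuth_Role"},
            "Action": ["SQS:SendMessage", "SQS:ReceiveMessage", "SQS:DeleteMessage", "SQS:GetQueueUrl"],
            "Resource": "arn:aws:sqs:ap-south-1:710161973367:CFI-Trace"
          }]
        }
      }
    }
  }
}'''

# Constructed: corrected template. AWS::IAM::ManagedPolicy, as Solution 2
# recommends for a role that already exists outside the stack; Roles carries
# the role name, and the Principal element is gone.
FIXED_TEMPLATE = r'''{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Policy to allow send receive message from SQS Queue",
  "Resources": {
    "MyPolicy": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "Roles": ["Cognito_CFIAuth_Role"],
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{
            "Sid": "Sid1482400105445",
            "Effect": "Allow",
            "Action": ["SQS:SendMessage", "SQS:ReceiveMessage", "SQS:DeleteMessage", "SQS:GetQueueUrl"],
            "Resource": "arn:aws:sqs:ap-south-1:710161973367:CFI-Trace"
          }]
        }
      }
    }
  }
}'''


def role_name_from_arn(arn):
    """Return the name the Roles property wants, given a full role ARN.
    A role ARN ends in role/<optional/path/>Name; the name is the last segment."""
    if not ROLE_ARN_RE.match(arn):
        raise ValueError(f"not an IAM role ARN: {arn!r}")
    return arn.rsplit("/", 1)[1]


def lint_template(template_text):
    """Return a list of findings for the IAM policy resources in a template.
    An empty list means every check passed."""
    try:
        template = json.loads(template_text)
    except json.JSONDecodeError as exc:
        return [f"template is not valid JSON: {exc}"]
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") not in POLICY_TYPES:
            continue
        props = resource.get("Properties", {})
        for role in props.get("Roles", []):
            # Intrinsic functions such as {"Ref": ...} arrive as dicts; only
            # literal strings can be checked here.
            if isinstance(role, str) and ROLE_ARN_RE.match(role):
                findings.append(f"{logical_id}: Roles entry {role!r} is an ARN; "
                                f"use the role name {role_name_from_arn(role)!r}")
        statements = props.get("PolicyDocument", {}).get("Statement", [])
        if isinstance(statements, dict):  # a single statement object is allowed
            statements = [statements]
        for stmt in statements:
            if "Principal" in stmt or "NotPrincipal" in stmt:
                findings.append(f"{logical_id}/{stmt.get('Sid', '?')}: identity-based "
                                f"policies attached to a role must not contain Principal")
    return findings


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        print(name, lint_template(text) or "OK")
```

Running the script reports two findings for BROKEN_TEMPLATE (the ARN in Roles and the Principal in the statement) and none for FIXED_TEMPLATE. Because both AWS::IAM::Policy and AWS::IAM::ManagedPolicy are checked, Solution 1's variant, an AWS::IAM::Policy whose Roles list holds "Cognito_CFIAuth_Role", passes the same lint.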

Aman Khanna

Updated on June 04, 2022

Comments

  • Aman Khanna almost 2 years

    The following CloudFormation template gives an error on line 9:

    {
    "AWSTemplateFormatVersion" : "2010-09-09",
    "Description" : "Policy to allow send receive message from SQS Queue",
    "Resources" : {
        "MyPolicy" : {
            "Type" : "AWS::IAM::Policy",
            "Properties" : {
                "PolicyName" : "CFUsers",
                "Roles": [ { "arn:aws:iam::710161973367:role/Cognito_CFIAuth_Role" } ],
                "PolicyDocument" : {
                    "Version" : "2012-10-17",
                    "Statement": [
                        {
                            "Sid": "Sid1482400105445",
                            "Effect": "Allow",
                            "Principal": {
                                "AWS": "arn:aws:iam::710161973367:role/Cognito_CFIAuth_Role"
                            },
                            "Action": [
                                "SQS:SendMessage",
                                "SQS:ReceiveMessage",
                                "SQS:DeleteMessage",
                                "SQS:GetQueueUrl"
                            ],
                            "Resource": "arn:aws:sqs:ap-south-1:710161973367:CFI-Trace"
                        }
                    ]
                }
            }
        }
    }

    I want role Cognito_CFIAuth_Role to have message send/read/delete privileges on SQS queue CFI-Trace. How do I attach SQS operation privileges to an IAM Role?

  • erik258 over 7 years
    Additionally, it has to be valid JSON. See @michael's comment to your question.