Attach policy to an IAM Role
Solution 1
First, line 9 contains a JSON syntax error: the brackets {} around your Role string should be removed:
"Roles": [ "arn:aws:iam::710161973367:role/Cognito_CFIAuth_Role" ],
Second, AWS::IAM::Policy's Roles property accepts "The names of AWS::IAM::Roles to attach to this policy", not full ARNs, so your line should be:
"Roles": [ "Cognito_CFIAuth_Role" ],
You also need a missing closing bracket } at the end of your example.
Solution 2
With the AWS::IAM::Policy resource, you're creating an inline policy. http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html explains that this takes a list of "The names of AWS::IAM::Roles", which I take to be the logical name of role resources defined within the same stack.
If you want to attach the policy to a preexisting role, you should use the ManagedPolicy type instead. Its Roles property (http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-roles) takes the name of the preexisting role(s).
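A corrected template for the question's role and queue, plus a checker for the mistakes both answers point out (an added example, not code from either answer or from AWS; the account id, role and queue names from the question are used as constructed input). Its Principal check goes beyond the answers: an identity-based policy cannot carry a Principal element, the attached role already is the principal.

```python
import json
import re

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/")


def build_template(role_name: str, queue_arn: str) -> dict:
    """Managed policy for a preexisting role (Solution 2): Roles holds role
    names, never ARNs; no Principal, since the attached role is the principal."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": "Allow one role to send/receive/delete on one SQS queue",
        "Resources": {"SqsAccessPolicy": {
            "Type": "AWS::IAM::ManagedPolicy",
            "Properties": {
                "Roles": [role_name],
                "PolicyDocument": {"Version": "2012-10-17", "Statement": [{
                    "Effect": "Allow",
                    "Action": ["sqs:SendMessage", "sqs:ReceiveMessage",
                               "sqs:DeleteMessage", "sqs:GetQueueUrl"],
                    "Resource": queue_arn,  # scoped to one queue, not "*"
                }]},
            },
        }},
    }


def render(template: dict) -> str:
    return json.dumps(template, indent=2)


def lint_policy_roles(template_text: str) -> list:
    """Report the mistakes the answers describe, for each IAM policy resource."""
    try:
        template = json.loads(template_text)
    except json.JSONDecodeError as exc:  # e.g. {} wrapped around a bare string
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    problems = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") not in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
            continue
        props = res.get("Properties", {})
        for role in props.get("Roles", []):
            if not isinstance(role, str):
                problems.append(f"{name}: each Roles entry must be a plain string")
            elif ROLE_ARN_RE.match(role):
                problems.append(f"{name}: Roles takes role names, not ARNs ({role})")
        for stmt in props.get("PolicyDocument", {}).get("Statement", []):
            if "Principal" in stmt:
                problems.append(f"{name}: identity-based policy must not set Principal")
    return problems
```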
Aman Khanna
Updated on June 04, 2022
Comments
-
Aman Khanna almost 2 years
The following CloudFormation template gives an error on line 9:
{
  "AWSTemplateFormatVersion" : "2010-09-09",
  "Description" : "Policy to allow send receive message from SQS Queue",
  "Resources" : {
    "MyPolicy" : {
      "Type" : "AWS::IAM::Policy",
      "Properties" : {
        "PolicyName" : "CFUsers",
        "Roles": [ { "arn:aws:iam::710161973367:role/Cognito_CFIAuth_Role" } ],
        "PolicyDocument" : {
          "Version" : "2012-10-17",
          "Statement": [
            {
              "Sid": "Sid1482400105445",
              "Effect": "Allow",
              "Principal": { "AWS": "arn:aws:iam::710161973367:role/Cognito_CFIAuth_Role" },
              "Action": [ "SQS:SendMessage", "SQS:ReceiveMessage", "SQS:DeleteMessage", "SQS:GetQueueUrl" ],
              "Resource": "arn:aws:sqs:ap-south-1:710161973367:CFI-Trace"
            }
          ]
        }
      }
    }
  }
I want role Cognito_CFIAuth_Role to have message send/read/delete privileges on SQS queue CFI-Trace. How do I attach SQS operation privileges to an IAM Role?
-
erik258 over 7 years
Additionally, it has to be valid JSON. See @michael's comment to your question.