Cloudformation - Specifying S3 ACL Principal

0

Hi,

I am trying to specify a principal inside of an S3 ACL policy by using Fn::GetAtt but keep on getting "invalid bucket policy syntax". Below is the excerpt; what am I doing wrong?

 "ingestions3bucketbucketpolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": {
          "Ref": "ingestions3bucket"
        },
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "s3:PutObject"
              ],
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:s3:::",
                    {
                      "Ref": "ingestions3bucket"
                    },
                    "/*"
                  ]
                ]
              },
              "Principal": {
                "Fn::Join": [
                  "",
                  [
                    "\"AWS\": ",
                    {
                      "Fn::GetAtt": [
                        "IngestionServiceRole",
                        "Arn"
                      ]
                    }
                  ]
                ]
              }
            }
          ]
        }
      },
      "DependsOn": "IngestionServiceRole"
    }
1 Answer
0
Accepted Answer

Principal is an object with a single property, in this case "AWS". Your code above is specifying a string beginning with "AWS:".

"Principal":  {
    "AWS" : { "Fn::GetAtt": [ "IngestionServiceRole",  "Arn" ] }
}

For more info, see http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#Principal

AWS
EXPERT
answered 7 years ago
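
A pre-deployment check for the mistake discussed in this thread, as an added example that is not part of the original question or answer: it walks a template's `AWS::S3::BucketPolicy` resources and flags any `Principal` that is a string or a bare intrinsic function instead of an object keyed by principal type. The template, the logical IDs `BrokenPolicy` and `FixedPolicy`, and the function names are constructed for illustration.

```python
# Added example: lint CloudFormation S3 bucket policies for a malformed Principal.
# Keys IAM accepts inside a Principal object; "*" is the only valid bare string.
PRINCIPAL_KEYS = {"AWS", "Service", "Federated", "CanonicalUser"}

def principal_problem(principal):
    """Return what is wrong with a Principal value, or None if its shape is valid."""
    if principal == "*":
        return None
    if not isinstance(principal, dict) or not principal:
        return 'must be "*" or an object such as {"AWS": <arn>}'
    bad = sorted(k for k in principal if k not in PRINCIPAL_KEYS)
    if any(k == "Ref" or k.startswith("Fn::") for k in bad):
        return 'intrinsic function used as the whole Principal; nest it under a key such as "AWS"'
    if bad:
        return "unknown Principal key(s): " + ", ".join(bad)
    return None

def lint_bucket_policies(template):
    """Return (logical_id, statement_index, problem) for each bad Principal."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::S3::BucketPolicy":
            continue
        doc = res.get("Properties", {}).get("PolicyDocument", {})
        stmts = doc.get("Statement", [])
        if isinstance(stmts, dict):  # a single statement may be given without a list
            stmts = [stmts]
        for i, stmt in enumerate(stmts):
            if "Principal" in stmt:
                problem = principal_problem(stmt["Principal"])
                if problem:
                    findings.append((logical_id, i, problem))
    return findings

# Constructed sample: the question's Fn::Join form beside the answer's object form.
ROLE_ARN = {"Fn::GetAtt": ["IngestionServiceRole", "Arn"]}

def _policy(principal):
    stmt = {"Effect": "Allow", "Action": ["s3:PutObject"], "Principal": principal,
            "Resource": {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "ingestions3bucket"}, "/*"]]}}
    return {"Type": "AWS::S3::BucketPolicy",
            "Properties": {"Bucket": {"Ref": "ingestions3bucket"},
                           "PolicyDocument": {"Statement": [stmt]}}}

TEMPLATE = {"Resources": {
    "BrokenPolicy": _policy({"Fn::Join": ["", ['"AWS": ', ROLE_ARN]]}),
    "FixedPolicy": _policy({"AWS": ROLE_ARN}),
}}

if __name__ == "__main__":
    for finding in lint_bucket_policies(TEMPLATE):
        print("%s statement %d: %s" % finding)
```

The check only validates the shape of `Principal`; it does not judge whether the named principal should have access.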
