By using AWS re:Post, you agree to the Terms of Use

How to define IAM::Policy in SAM template

0

I am trying to configure a sam template, I can define a role and deploy, then manually go in the console and add policies which allow me to add a restapi and functions to the sam template and deploy, but I can't get the policy setting in the template so that it is all automated in one deploy.

If I add a policy to the template, deploy always gives a syntax error

Syntax errors in policy. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: a3bb2efb-3920-4298-99af-a15e67f70683; Proxy: null)  

I am creating lambda functions that access RDS, so I manually add AWSLambdaVPCAccessExecutionRole to get the function creation to work.

I have tried

- AWSLambdaVPCAccessExecutionRole  
- 'AWSLambdaVPCAccessExecutionRole'  
- arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole  

as well as individual policies

- ec2:CreateNetworkInterface  
- ec2:DeleteNetworkInterface  
- ec2:DescribeNetworkInterface  
- ec2:DetachNetworkInterface  
- logs:CreateLogGroup  
- logs:CreateLogStream  
- logs:PutLogEvents  

So far the policy section I have is

  STDataAccessPolicies:  
    Type: AWS::IAM::Policy  
    Properties:  
      PolicyName: STDataAccess  
      PolicyDocument:  
        Version: 2021-10-17  
        Statement:  
        - Effect: Allow  
          Action:  
          # what goes here  
          Resource: '*'  
      Roles:  
        - !Ref STDataAccessRole  
asked a year ago391 views
1 Answer
0

While I still haven't found a way to create policies in the template, I did manage to find a way to deploy in one pass.

You can add policy rules to the role definition

role:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
...
ManagedPolicyArns:

  • arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
  • arn:aws:iam::aws:policy/service-role/AWSLambdaRole
  • arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole

I found this in an example setting up lambda access to rds-mysql

answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions