How to define IAM::Policy in SAM template

0

I am trying to configure a SAM template. I can define a role and deploy, then manually go into the console and add policies, which allows me to add a REST API and functions to the SAM template and deploy, but I can't get the policy setting into the template so that it is all automated in one deploy.

If I add a policy to the template, deploy always gives a syntax error:

Syntax errors in policy. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: a3bb2efb-3920-4298-99af-a15e67f70683; Proxy: null)  

I am creating lambda functions that access RDS, so I manually add AWSLambdaVPCAccessExecutionRole to get the function creation to work.

I have tried:

- AWSLambdaVPCAccessExecutionRole  
- 'AWSLambdaVPCAccessExecutionRole'  
- arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole  

as well as individual policies:

- ec2:CreateNetworkInterface  
- ec2:DeleteNetworkInterface  
- ec2:DescribeNetworkInterface  
- ec2:DetachNetworkInterface  
- logs:CreateLogGroup  
- logs:CreateLogStream  
- logs:PutLogEvents  

So far the policy section I have is:

  STDataAccessPolicies:  
    Type: AWS::IAM::Policy  
    Properties:  
      PolicyName: STDataAccess  
      PolicyDocument:  
        Version: 2021-10-17  
        Statement:  
        - Effect: Allow  
          Action:  
          # what goes here  
          Resource: '*'  
      Roles:  
        - !Ref STDataAccessRole  
Shane
asked 3 years ago, 2272 views
1 Answer
0

While I still haven't found a way to create policies in the template, I did manage to find a way to deploy in one pass.

You can add policy rules to the role definition:

  role:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        ...
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
        - arn:aws:iam::aws:policy/service-role/AWSLambdaRole
        - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole

I found this in an example setting up Lambda access to rds-mysql.

Shane
answered 3 years ago
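For readers who still want the inline AWS::IAM::Policy resource the question asks about, here is an added example of a SAM template section that passes IAM validation. It is not code from either post. The IAM policy language only accepts `Version` values of `2012-10-17` (or the legacy `2008-10-17`); the `2021-10-17` in the question is not a valid version string and is the kind of thing IAM reports as `MalformedPolicyDocument`. Resource names (`STDataAccessRole`, `STDataAccessPolicies`, `DataFunction`), the handler, code path and the VPC placeholders are assumptions chosen for this example; the EC2 and Logs actions are the ones the question lists, with `ec2:DescribeNetworkInterfaces` spelled as the real action name.

```yaml
# Added example (not from the original post). Assumed names: STDataAccessRole,
# STDataAccessPolicies, DataFunction. VPC ids are placeholders.
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31

Resources:
  STDataAccessRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"          # valid IAM policy language version
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole

  STDataAccessPolicies:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: STDataAccess
      PolicyDocument:
        Version: "2012-10-17"          # NOT 2021-10-17: any other date is rejected
        Statement:
          # ENI management needed by a VPC-attached function. AWS's own
          # AWSLambdaVPCAccessExecutionRole grants these on "*" as well.
          - Effect: Allow
            Action:
              - ec2:CreateNetworkInterface
              - ec2:DescribeNetworkInterfaces
              - ec2:DeleteNetworkInterface
              - ec2:DetachNetworkInterface
            Resource: "*"
          # CloudWatch Logs: scoped to Lambda log groups in this account and
          # region instead of "*", which is the least-privilege improvement
          # over the question's single wildcard statement.
          - Effect: Allow
            Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
            Resource: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/*"
      Roles:
        - !Ref STDataAccessRole

  DataFunction:
    Type: AWS::Serverless::Function
    # Lambda checks the ENI permissions when the function is created, so the
    # policy must be attached before the function resource is built.
    DependsOn: STDataAccessPolicies
    Properties:
      Runtime: python3.12             # assumed runtime
      Handler: app.handler            # assumed handler
      CodeUri: src/                   # assumed code path
      Role: !GetAtt STDataAccessRole.Arn
      VpcConfig:
        SecurityGroupIds:
          - sg-PLACEHOLDER            # placeholder, replace with your SG
        SubnetIds:
          - subnet-PLACEHOLDER-A      # placeholder, replace with your subnets
          - subnet-PLACEHOLDER-B
```

Two things worth keeping from this layout when you adapt it: quote the `Version` string so YAML does not parse it as a date, and keep the `DependsOn` on any function that uses the role, because without it CloudFormation may create the function before the policy is attached and fail with the same permission error you would see from a role with no VPC access.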
