1 Answer
Hello.
The problem is with the IAM policy that is tied to the IAM role.
Please modify the CFn template as below.
Originally, the part that referred to ARN was "arn:aws:s3:::${BucketArn}/*", but it was changed to "${BucketArn}/*".
```yaml
resIamRoleKendra:
  Type: AWS::IAM::Role
  Properties:
    RoleName: !Sub "${paramEnvironment}_${paramServiceName}_kendraRole"
    AssumeRolePolicyDocument:
      Statement:
        - Effect: Allow
          Principal:
            Service: [ kendra.amazonaws.com ]
          Action: sts:AssumeRole
    Policies:
      - PolicyName: KendraPolicy
        PolicyDocument:
          Version: 2012-10-17
          Statement:
            - Effect: Allow
              Action:
                - logs:CreateLogGroup
                - logs:CreateLogStream
                - logs:PutLogEvents
                - logs:DescribeLogStreams
              Resource:
                - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${paramEnvironment}_${paramServiceName}_*:log-stream:*"
            - Effect: Allow
              Action:
                - s3:GetObject
                - s3:ListBucket
              Resource:
                - !ImportValue export-myService-data-source-bucket-arn
                - !Sub
                  - "${BucketArn}/*" # Edit
                  - BucketArn: !ImportValue export-myService-data-source-bucket-arn
```
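The ARN mistake this answer corrects, shown as an added example that is not part of the original answer or of any AWS tool: it expands the `Resource` strings the way the template would and flags the one that stops being a valid S3 ARN. The bucket name is constructed, `expand_sub` is a simplified stand-in for `Fn::Sub`, and all function names are hypothetical.

```python
import re

# Simplified stand-in for Fn::Sub: replaces ${Name} from a variable map.
# Pseudo parameters and ${!Literal} escapes are not handled (assumption).
_VAR = re.compile(r"\$\{([A-Za-z0-9_.:]+)\}")

def expand_sub(template, variables):
    return _VAR.sub(lambda m: variables[m.group(1)], template)

# arn:<partition>:s3:::<bucket>[/<key pattern>]; bucket names are 3-63
# characters of lowercase letters, digits, dots and hyphens.
_S3_ARN = re.compile(
    r"^arn:aws[a-z-]*:s3:::"
    r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9](/.*)?$"
)
# An ARN prefix immediately followed by a second "arn:" means the variable
# already held a full ARN when the template prepended another prefix.
_DOUBLED = re.compile(r"^arn:[^:]*:s3:::arn:")

def check_s3_resource(arn):
    """Return a list of problems found in one expanded Resource string."""
    problems = []
    if _DOUBLED.match(arn):
        problems.append("ARN prefix applied to a value that is already an ARN")
    if not _S3_ARN.match(arn):
        problems.append("not a well-formed S3 bucket or object ARN")
    return problems

def lint_statement(resources, variables):
    """Expand each Resource template and map it to its problems."""
    return {expand_sub(t, variables): check_s3_resource(expand_sub(t, variables))
            for t in resources}

# Constructed sample: the value the stack export is assumed to hold.
SAMPLE_VARS = {"BucketArn": "arn:aws:s3:::example-data-source-bucket"}

# The bare !ImportValue entry is modelled here as "${BucketArn}".
BEFORE = ["${BucketArn}", "arn:aws:s3:::${BucketArn}/*"]  # original template
AFTER = ["${BucketArn}", "${BucketArn}/*"]                # corrected template

if __name__ == "__main__":
    for name, resources in (("before", BEFORE), ("after", AFTER)):
        for arn, problems in lint_statement(resources, SAMPLE_VARS).items():
            print(name, arn, problems or "ok")
```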
That is a great catch! I had recently refactored these Kendra resources out of a larger template file and missed this mistake. I have since corrected the wrong ARN substitution and tried re-creating the stack.
Unfortunately, it didn't fix the original issue. I still get the same 'FAQ did not stabilize' error message.
Be sure to use "DependsOn" to control the creation order of resources as shown below. Also, please set the file format to "JSON". https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kendra-faq.html#cfn-kendra-faq-fileformat
Thank you! The 'DependsOn' statements ended up being the key to this puzzle.