
Cloudformation | Managed Policy

0

Hello Team,

I am trying to create a managed policy with CloudFormation. The policy is getting created, but the entire permission set is not being reflected in the policy being created.

For example:

CreateTestDBPolicy:
  Type: 'AWS::IAM::ManagedPolicy'
  Properties:
    Description: Policy for creating a test database
    Path: /
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Action: 'rds:CreateDBInstance'
          Resource: !Join
            - ''
            - - 'arn:aws:rds:'
              - !Ref 'AWS::Region'
              - ':'
              - !Ref 'AWS::AccountId'
              - ':db:test*'
          Condition:
            StringEquals:
              'rds:DatabaseEngine': mysql
        - Effect: Allow
          Action: 'rds:CreateDBInstance'
          Resource: !Join
            - ''
            - - 'arn:aws:rds:'
              - !Ref 'AWS::Region'
              - ':'
              - !Ref 'AWS::AccountId'
              - ':db:test*'
          Condition:
            StringEquals:
              'rds:DatabaseClass': db.t2.micro
    Groups:
      - TestDBGroup

For the above template, only half of the JSON permissions can be seen in the policy being created.

asked 2 years ago · 281 views
1 Answer
3
Accepted Answer

Hello,

Please look at the solution; it will be helpful for you.

To create a **managed policy** with the required permissions using AWS CloudFormation:

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  CreateTestDBPolicy:
    Type: 'AWS::IAM::ManagedPolicy'
    Properties:
      Description: Policy for creating a test database
      Path: /
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: 'rds:CreateDBInstance'
            Resource: !Sub 'arn:aws:rds:${AWS::Region}:${AWS::AccountId}:db:test*'
            Condition:
              StringEquals:
                rds:DatabaseEngine: 'mysql'
          - Effect: Allow
            Action: 'rds:CreateDBInstance'
            Resource: !Sub 'arn:aws:rds:${AWS::Region}:${AWS::AccountId}:db:test*'
            Condition:
              StringEquals:
                rds:DatabaseClass: 'db.t2.micro'

Steps to Deploy the Template

1) Validate the Template

Before deploying the template, you should validate it to ensure there are no syntax errors. Run the following command in your terminal:

aws cloudformation validate-template --template-body file://create-test-db-policy.yaml

2) Deploy the Stack

Use the command to deploy the CloudFormation stack:

aws cloudformation deploy --template-file create-test-db-policy.yaml --stack-name my-test-db-policy-stack --capabilities CAPABILITY_NAMED_IAM

EXPERT
answered 2 years ago
EXPERT
reviewed 2 years ago
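Added example, not from the question or the accepted answer above: a small offline check that renders a CloudFormation PolicyDocument the way IAM will store it, resolving `Ref`, `Fn::Sub` and `Fn::Join` (the JSON forms of the `!Ref`, `!Sub` and `!Join` tags used in both templates) against assumed pseudo-parameter values, so you can confirm both statements and both conditions are present before deploying. The region, the account id and the mixed `!Join`/`!Sub` policy are constructed sample values, not anything from a real account.

```python
import json
import re

# Constructed pseudo-parameter values; the account id is a placeholder.
PSEUDO_PARAMS = {"AWS::Region": "us-east-1", "AWS::AccountId": "123456789012"}

# Constructed sample: statement 1 uses the question's Fn::Join form,
# statement 2 the answer's Fn::Sub form. Both must render to the same ARN.
POLICY_DOCUMENT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "rds:CreateDBInstance",
         "Resource": {"Fn::Join": ["", ["arn:aws:rds:", {"Ref": "AWS::Region"}, ":",
                                        {"Ref": "AWS::AccountId"}, ":db:test*"]]},
         "Condition": {"StringEquals": {"rds:DatabaseEngine": "mysql"}}},
        {"Effect": "Allow", "Action": "rds:CreateDBInstance",
         "Resource": {"Fn::Sub": "arn:aws:rds:${AWS::Region}:${AWS::AccountId}:db:test*"},
         "Condition": {"StringEquals": {"rds:DatabaseClass": "db.t2.micro"}}},
    ],
}

def resolve(node, params=PSEUDO_PARAMS):
    """Recursively evaluate Ref, Fn::Sub and Fn::Join against the given parameters."""
    if isinstance(node, dict):
        if len(node) == 1 and "Ref" in node:
            return params[node["Ref"]]
        if len(node) == 1 and "Fn::Sub" in node:
            template = node["Fn::Sub"]
            if isinstance(template, list):      # two-element form: [string, {var: value}]
                template, extra = template
                params = {**params, **resolve(extra, params)}
            return re.sub(r"\$\{([^}]+)\}", lambda m: str(params[m.group(1)]), template)
        if len(node) == 1 and "Fn::Join" in node:
            delimiter, parts = node["Fn::Join"]
            return delimiter.join(str(resolve(p, params)) for p in parts)
        return {k: resolve(v, params) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, params) for v in node]
    return node

def render_policy(doc):
    """Return the rendered policy JSON and a (action, resource, condition) tuple per statement."""
    rendered = resolve(doc)
    summary = [(s["Action"], s["Resource"], s.get("Condition", {})) for s in rendered["Statement"]]
    return json.dumps(rendered, indent=2), summary

if __name__ == "__main__":
    text, summary = render_policy(POLICY_DOCUMENT)
    print(text)
    # IAM evaluates each Allow statement on its own, so a request matching either
    # condition is permitted; list them to confirm every intended statement survived.
    for action, resource, condition in summary:
        print(action, resource, condition)
```

After deploying, the same check can be run against the live document returned by `aws iam get-policy-version` to confirm the stored policy matches the rendered one.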
