Change principal to avoid errors if example is modified by user #1013
shadycuz wants to merge 1 commit into awsdocs:main from
Conversation

Thank you for your patience and for telling us about this issue. A member of the team will be working on it and will provide updates here about progress.

This is service writer owned content. Leaving open.
The IAM documentation states,

In the S3 docs, similar policy examples use
Maybe something changed; I haven't retested it, but this was a huge issue when I reported it. If you take the current example:

```yaml
SampleBucketPolicy:
  Type: 'AWS::S3::BucketPolicy'
  Properties:
    Bucket: !Ref DOC-EXAMPLE-BUCKET
    PolicyDocument:
      Statement:
        - Action:
            - 's3:GetObject'
          Effect: Allow
          Resource: !Join
            - ''
            - - 'arn:aws:s3:::'
              - !Ref DOC-EXAMPLE-BUCKET
              - /*
          Principal: '*'
          Condition:
            StringLike:
              'aws:Referer':
                - 'http://www.example.com/*'
                - 'http://example.net/*'
```

and you change the principal to an ARN...

```yaml
SampleBucketPolicy:
  Type: 'AWS::S3::BucketPolicy'
  Properties:
    Bucket: !Ref DOC-EXAMPLE-BUCKET
    PolicyDocument:
      Statement:
        - Action:
            - 's3:GetObject'
          Effect: Allow
          Resource: !Join
            - ''
            - - 'arn:aws:s3:::'
              - !Ref DOC-EXAMPLE-BUCKET
              - /*
          # Bare ARN string as Principal: this is the form that fails on deploy
          Principal: 'arn:aws:iam::account:role/my-ec2-instance-profile'
          Condition:
            StringLike:
              'aws:Referer':
                - 'http://www.example.com/*'
                - 'http://example.net/*'
```

This code would pass CloudFormation "verify" but would fail to actually deploy a stack. This is an extremely hard to debug error. I understand that other service documentation uses the "shorter" form and says they are equivalent, but when I opened this issue they were not equivalent with CloudFormation.
Issue #, if available:
Description of changes:
Added the AWS key to the principal in the policy. If a user copies and pastes this policy and then changes the principal to a specific role, the template will show up as valid but will fail to deploy because of an "Invalid policy syntax" error that is very hard to track down. That's because when using the "Principal" key directly, only a wildcard is valid.

See the "Anonymous user principals (public access)" section in the AWS JSON policy elements: Principal documentation.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
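As an added illustration (not part of this PR or of the awsdocs repository), the following Python linter applies the rule the description relies on: a bare-string Principal is valid only when it is the wildcard "*"; a specific principal has to sit under a type key such as AWS, Service or Federated. The sample policy is a constructed dict version of the bucket policy above with the !Ref/!Join already resolved; the bucket name, the 123456789012 account ID and the function names are placeholders of mine, not anything from the thread.

```python
"""Lint the Principal element of IAM-style policy documents.

The IAM JSON policy grammar allows a bare string Principal only when it is
the wildcard "*"; a specific principal (IAM role/user ARN, account ID,
service, federated provider) must sit under a type key, e.g.
{"AWS": "<role-arn>"}. A bare ARN string survives template validation but
is rejected when the policy is applied, which is the failure this PR is about.
"""
import copy
import re

PRINCIPAL_KEYS = ("Principal", "NotPrincipal")
PRINCIPAL_TYPES = {"AWS", "Service", "Federated", "CanonicalUser"}
# Values the AWS type key accepts: an IAM/STS ARN or a bare 12-digit account ID.
AWS_PRINCIPAL_RE = re.compile(r"^(arn:aws[a-z-]*:(iam|sts)::\d{12}:.+|\d{12})$")


def _statements(policy_doc):
    """Statement may be a single map or a list of maps; always return a list."""
    statements = policy_doc.get("Statement", [])
    return [statements] if isinstance(statements, dict) else list(statements)


def check_principals(policy_doc):
    """Return (statement_index, message) findings for malformed Principal elements."""
    findings = []
    for i, stmt in enumerate(_statements(policy_doc)):
        for key in PRINCIPAL_KEYS:
            if key not in stmt:
                continue
            value = stmt[key]
            if isinstance(value, str):
                if value != "*":
                    findings.append((i, f'{key} is the bare string "{value}"; only "*" is '
                                        f'valid here, wrap it as {{"AWS": "{value}"}} '
                                        f'(or under Service/Federated as appropriate)'))
            elif isinstance(value, dict):
                for unknown in sorted(set(value) - PRINCIPAL_TYPES):
                    findings.append((i, f'{key} uses unknown principal type "{unknown}"'))
            else:
                findings.append((i, f'{key} must be "*" or a map, got {type(value).__name__}'))
    return findings


def fix_principals(policy_doc):
    """Return a deep copy with bare IAM/STS ARNs and account IDs rewrapped as {"AWS": ...}.

    Anything else (service names, federated providers, typos) is left untouched
    so that check_principals() still reports it for a human to decide.
    """
    fixed = copy.deepcopy(policy_doc)
    for stmt in _statements(fixed):
        for key in PRINCIPAL_KEYS:
            value = stmt.get(key)
            if isinstance(value, str) and value != "*" and AWS_PRINCIPAL_RE.match(value):
                stmt[key] = {"AWS": value}
    return fixed


# Constructed sample mirroring the PR's bucket policy with !Ref/!Join resolved;
# the bucket name and the account ID are placeholders.
BUCKET_ARN = "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
ROLE_ARN = "arn:aws:iam::123456789012:role/my-ec2-instance-profile"


def bucket_policy(principal):
    """Build the thread's s3:GetObject statement with the given Principal value."""
    return {
        "Statement": [{
            "Action": ["s3:GetObject"],
            "Effect": "Allow",
            "Resource": BUCKET_ARN + "/*",
            "Principal": principal,
            "Condition": {"StringLike": {"aws:Referer": [
                "http://www.example.com/*", "http://example.net/*"]}},
        }],
    }


PUBLIC_READ = bucket_policy("*")                    # valid: bare wildcard
ROLE_READ_BROKEN = bucket_policy(ROLE_ARN)          # the user edit that fails to deploy
ROLE_READ_FIXED = fix_principals(ROLE_READ_BROKEN)  # Principal becomes {"AWS": ROLE_ARN}

if __name__ == "__main__":
    for name, doc in (("public", PUBLIC_READ), ("broken", ROLE_READ_BROKEN),
                      ("fixed", ROLE_READ_FIXED)):
        print(name, check_principals(doc) or "ok")
```

Running check_principals over every PolicyDocument in a template before deploying catches the case the thread describes, where the template validates but stack creation fails with an invalid policy syntax error. fix_principals deliberately rewraps only IAM/STS ARNs and account IDs, since a bare service or federated name needs a human to choose the right type key. The aws:Referer condition is kept only to mirror the thread's snippet; it is aimed at browser requests and adds nothing when the principal is a specific role.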