Error trying to assign a User as the Principal in AWS AssumeRolePolicyDocument
Initially I was trying to use an ImportValue statement and a Pseudo Parameter with a Sub function in a CloudFormation template. I got this error and presumed it was a problem with the syntax for combining these things, which can be tricky. But I should have done the troubleshooting in a better way from the start.
A more methodical approach to troubleshooting this error:
- Start with a copy of a working sample.
- Replace the things you need to change with hard-coded values, piece by piece.
- Replace the hard-coded values piece by piece with an import, sub, and/or pseudo parameter once you're sure the rest is working.
Here's the template example I was using:
There's an example with an AssumeRolePolicyDocument at the end:
If you read the top of this document you see that one of the principals you can use is a User:
So obviously, you'd replace "Service" in the above sample policy code with "User", right?
WRONG:
AssumeRolePolicyDocument:
  Version: "2012-10-17"
  Statement:
    -
      Effect: "Allow"
      Principal:
        User:
          - "[construct user ARN here]"
      Action:
        - "sts:AssumeRole"
As it turns out, the key needs to be AWS, not User. The Principal element of an IAM policy only accepts the keys AWS, Service, Federated, and CanonicalUser; an IAM user (like an IAM role or an AWS account) is an AWS principal, identified by its ARN:
AssumeRolePolicyDocument:
  Version: "2012-10-17"
  Statement:
    -
      Effect: "Allow"
      Principal:
        AWS:
          - "[construct user ARN here]"
      Action:
        - "sts:AssumeRole"
This small detail escaped me for far too long.
In addition, watch where the YAML list dash goes. A single ARN can be given as a plain string, but if you use an array (which you need when there is more than one principal), the dash that introduces the list goes AFTER the AWS key, not before it. Putting the dash before AWS turns Principal itself into a list, which is not a valid policy document.
WRONG:
AssumeRolePolicyDocument:
  Version: "2012-10-17"
  Statement:
    -
      Effect: "Allow"
      Principal:
        - AWS:
            "[incorrect position of dash]"
      Action:
        - "sts:AssumeRole"
Sub, ImportValue, and Pseudo Parameters (in YAML)
The documentation for Sub and ImportValue is a little scattered and you'll find examples in JSON more often than in YAML. Here are the key points.
Correct:
!Sub
Incorrect:
!Sub:
Incorrect:
Sub:
(!Sub is the YAML short-form tag for the intrinsic function. The long form is Fn::Sub: as a mapping key; it takes the same string or list as the short form.)
If you are using a Sub with an ImportValue, the first line is your full and final string, with placeholders written as a name in curly braces after a $, like this:
!Sub
  - 'string with the ${PlaceHolder}'
The second line is the name of the placeholder to replace, followed by a colon, and then the value to replace it with:
!Sub
  - 'string with the ${PlaceHolder}'
  - PlaceHolder: Value
If you're using ImportValue with the Output exported by another stack, then the second line would be:
!Sub
  - 'string with the ${PlaceHolder}'
  - PlaceHolder: !ImportValue outputname
What if you have two values that you want to replace?
!Sub
  - 'string with ${PlaceHolder1} and ${PlaceHolder2}'
With all these dashes floating around it's easy to assume you'd write it like this, but…
WRONG:
!Sub
  - 'string with ${PlaceHolder1} and ${PlaceHolder2}'
  - PlaceHolder1: !ImportValue outputname1
  - PlaceHolder2: !ImportValue outputname2
You only put the dash in front of the first replacement value. The second element of the !Sub list is one mapping that holds all of the variables, so the dash marks that mapping and the remaining keys line up under the first one without a dash:
!Sub
  - 'string with ${PlaceHolder1} and ${PlaceHolder2}'
  - PlaceHolder1: !ImportValue outputname1
    PlaceHolder2: !ImportValue outputname2
What if you want to use a pseudo parameter like AWS::AccountId? You might assume that you should write something like this:
WRONG:
!Sub
  - 'string with ${PlaceHolder1} and ${PlaceHolder2}'
  - PlaceHolder1: !ImportValue outputname1
    PlaceHolder2: ${AWS::AccountId}
The correct version puts the pseudo parameter directly in the first line. Fn::Sub resolves ${AWS::AccountId} and the other pseudo parameters by itself, so only the imported value needs a named placeholder:
CORRECT:
!Sub
  - 'string with ${AWS::AccountId} and ${PlaceHolder1}'
  - PlaceHolder1: !ImportValue outputname1
(An entry such as PlaceHolder2: !Ref AWS::AccountId in the variable map would also be accepted, since the map values can be intrinsic functions like Ref and ImportValue, but it is redundant; a bare ${AWS::AccountId} in the map is not.)
This all seems a bit overly convoluted and inconsistent, but that's how it is.
And of course, the error messages are not that helpful.
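Putting the pieces above together, here is an added example that is not from the original post: two CloudFormation templates, shown as two YAML documents in one listing but deployed as two separate stacks. The first creates an IAM user and exports its name; the second creates a role whose trust policy names that user as an AWS principal, with the ARN built by !Sub from the AWS::Partition and AWS::AccountId pseudo parameters plus the imported user name. The user name, role name, export name, descriptions and the small demo policy are assumptions for illustration.

```yaml
# Added example, not from the original post. Two templates in two files;
# they are shown here as two YAML documents separated by "---".
# Names (DeployUser, DeployUserName, DeployRole, ...) are assumptions.

# --- Template 1: creates the IAM user and exports its name ---
AWSTemplateFormatVersion: "2010-09-09"
Description: Creates a deploy user and exports its name for other stacks
Resources:
  DeployUser:
    Type: AWS::IAM::User
    Properties:
      UserName: deploy-user
Outputs:
  DeployUserName:
    Value: !Ref DeployUser        # Ref on AWS::IAM::User returns the user name
    Export:
      Name: DeployUserName        # the name consumed by !ImportValue below
---
# --- Template 2: a role that only the exported user may assume ---
AWSTemplateFormatVersion: "2010-09-09"
Description: Role that can only be assumed by the user exported by template 1
Resources:
  DeployRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: deploy-role
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              # The key is AWS (not User); the list dash comes AFTER the key.
              AWS:
                # Pseudo parameters go straight into the string; only the
                # imported value needs a placeholder. The second list element
                # is ONE mapping, so there is a single dash in front of it.
                - !Sub
                  - 'arn:${AWS::Partition}:iam::${AWS::AccountId}:user/${UserName}'
                  - UserName: !ImportValue DeployUserName
            Action:
              - sts:AssumeRole
      # Permissions the role grants once assumed (assumed demo policy).
      Policies:
        - PolicyName: list-buckets-demo
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: s3:ListAllMyBuckets
                Resource: "*"
```

Deploy the first template before the second: !ImportValue fails at stack creation if the DeployUserName export does not exist yet, and CloudFormation refuses to delete or change the export while another stack imports it. One IAM caveat worth knowing when you pin a trust policy to a user ARN like this: IAM stores the user's unique ID behind the ARN, so if the user is deleted and recreated with the same name, the trust policy shows the stale unique ID instead of the ARN and the new user cannot assume the role until the trust policy is updated (an update of the second stack does this).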
Teri Radichel
If you liked this story please clap and follow:
Medium: Teri Radichel or Email List: Teri Radichel
Twitter: @teriradichel or @2ndSightLab
Request services via LinkedIn: Teri Radichel or IANS Research
© 2nd Sight Lab 2022
____________________________________________
Author:
Cybersecurity for Executives in the Age of Cloud on Amazon
Need Cloud Security Training? 2nd Sight Lab Cloud Security Training
Is your cloud secure? Hire 2nd Sight Lab for a penetration test or security assessment.
Have a Cybersecurity or Cloud Security Question? Ask Teri Radichel by scheduling a call with IANS Research.
Cybersecurity & Cloud Security Resources by Teri Radichel: Cybersecurity and Cloud security classes, articles, white papers, presentations, and podcasts