Saturday, July 30, 2022

(Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 2daba66d-6e5f-4db8-9368-ea99e4df7e83; Proxy: null) | by Teri Radichel | Bugs That Bite | Jul, 2022


Error trying to assign a user as the Principal in an AWS AssumeRolePolicyDocument

Initially I was trying to use an ImportValue statement and a Pseudo Parameter with a Sub function in a CloudFormation template. I got this error and presumed it was a problem with the syntax combining these things, which can be tricky. But I should have done some troubleshooting in a better way from the start.

A more methodical approach to troubleshooting this error:

  1. Start with a copy of a working sample.
  2. Change the things you need to change with hard coded values, piece by piece.
  3. Replace the hard coded values piece by piece with an import, sub, and/or pseudo parameter once you're sure the rest is working.

Here's the template example I was using:

There's an example with an AssumeRolePolicyDocument at the end:

If you read the top of this document you see that one of the principals you can use is a User:

So obviously, you'll replace "Service" in the above sample policy code with "User", right?

WRONG:

AssumeRolePolicyDocument:
  Version: "2012-10-17"
  Statement:
    -
      Effect: "Allow"
      Principal:
        User:
          - "[construct user ARN here]"
      Action:
        - "sts:AssumeRole"

As it turns out, User needs to be AWS, like this:

AssumeRolePolicyDocument:
  Version: "2012-10-17"
  Statement:
    -
      Effect: "Allow"
      Principal:
        AWS:
          - "[construct user ARN here]"
      Action:
        - "sts:AssumeRole"

This small detail escaped me for far too long.

In addition, make sure that your user list is an array, not a single string. In YAML you indicate an array with a dash.

Make sure you put the dash AFTER AWS, not before it.

WRONG:

AssumeRolePolicyDocument:
  Version: "2012-10-17"
  Statement:
    -
      Effect: "Allow"
      Principal:
        - AWS:
            "[incorrect position of dash]"
      Action:
        - "sts:AssumeRole"
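All three mistakes above (a User key under Principal, a dash in the wrong place turning Principal into a list, and a placeholder that never got expanded) are shape errors that can be caught before the template reaches IAM. The following is an added example, not code from the original post: a small lint over the trust policy once YAML has been parsed into Python dicts. The sample documents are constructed here and the account id 111122223333 is a placeholder.

```python
"""Pre-deployment lint for an IAM trust policy (AssumeRolePolicyDocument).

Added example, not code from the original post. The documents below are
constructed Python dicts standing in for the parsed YAML; the account id
111122223333 is a placeholder, not a real account.
"""

# The only keys IAM accepts inside Principal.
VALID_PRINCIPAL_KEYS = {"AWS", "Service", "Federated", "CanonicalUser"}
VALID_VERSIONS = {"2012-10-17", "2008-10-17"}


def validate_trust_policy(doc):
    """Return a list of findings; an empty list means the shape looks right."""
    findings = []

    if doc.get("Version") not in VALID_VERSIONS:
        findings.append("Version must be '2012-10-17' (or the older '2008-10-17')")

    statements = doc.get("Statement")
    if not isinstance(statements, list):
        findings.append("Statement must be a list (a YAML sequence of '-' items)")
        return findings

    for i, stmt in enumerate(statements):
        where = f"Statement[{i}]"
        if not isinstance(stmt, dict):
            findings.append(f"{where}: each statement must be a mapping")
            continue
        effect = stmt.get("Effect")
        if effect not in {"Allow", "Deny"}:
            findings.append(f"{where}: Effect must be 'Allow' or 'Deny'")

        principal = stmt.get("Principal")
        if principal is None:
            findings.append(f"{where}: a trust policy requires a Principal")
        elif isinstance(principal, list):
            # The "dash before AWS" mistake: Principal parsed as a YAML sequence.
            findings.append(f"{where}: Principal must be a mapping, not a list "
                            "(put the '-' under the AWS key, not in front of it)")
        elif isinstance(principal, dict):
            for key, value in principal.items():
                if key not in VALID_PRINCIPAL_KEYS:
                    hint = " (IAM users and roles go under 'AWS')" if key == "User" else ""
                    findings.append(f"{where}: '{key}' is not a valid Principal key{hint}")
                    continue
                # IAM accepts a single string or a list; check every entry either way.
                for entry in value if isinstance(value, list) else [value]:
                    if not isinstance(entry, str):
                        findings.append(f"{where}: Principal.{key} has a non-string entry {entry!r}")
                    elif "${" in entry:
                        # An unexpanded Sub placeholder reached the policy text.
                        findings.append(f"{where}: Principal.{key} contains an unresolved placeholder {entry!r}")
        elif principal == "*":
            if effect == "Allow":
                findings.append(f"{where}: Principal '*' lets any AWS principal assume the role")
        else:
            findings.append(f"{where}: Principal must be a mapping or '*'")

        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if not any(isinstance(a, str) and a.startswith("sts:") for a in actions):
            findings.append(f"{where}: Action should include an sts:* action such as sts:AssumeRole")

    return findings


def _policy(principal):
    """Build a one-statement trust policy around the given Principal (constructed sample)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": principal,
                       "Action": ["sts:AssumeRole"]}],
    }


USER_ARN = "arn:aws:iam::111122223333:user/example-user"  # placeholder ARN

# Principal: User: ...   -> 'User' is not a Principal key
WRONG_USER_KEY = _policy({"User": [USER_ARN]})
# Principal: - AWS: ...  -> the dash turned Principal into a list
WRONG_DASH_BEFORE_AWS = _policy([{"AWS": USER_ARN}])
# Principal: AWS: - ...  -> the form the post arrives at
CORRECT = _policy({"AWS": [USER_ARN]})

if __name__ == "__main__":
    for name, doc in [("user key", WRONG_USER_KEY),
                      ("dash before AWS", WRONG_DASH_BEFORE_AWS),
                      ("correct", CORRECT)]:
        print(name, "->", validate_trust_policy(doc) or "OK")
```

Running the lint over the three constructed documents reports the bad Principal key and the misplaced dash by name and passes the corrected form; the check for a literal `${` in an ARN is what catches a Sub that was written so that its placeholder survives into the policy text.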

Sub, ImportValue, and Pseudo Parameters (in YAML)

The documentation for Sub and ImportValue is a little scattered, and you'll find examples in JSON more frequently than in YAML. Here are the key points.

Right:

!Sub

Incorrect:

!Sub:

Incorrect:

Sub:

If you're using a Sub with an ImportValue, the first line is your full and final string, with placeholders starting with $ in curly braces, like this:

!Sub
- 'string with the ${PlaceHolder}'

The second line is the name of the value to replace, followed by a colon, and then the value to replace it with.

!Sub
- 'string with the ${PlaceHolder}'
- PlaceHolder: Value

If you're using ImportValue with the Output from another template, then the second line would be:

!Sub
- 'string with the ${PlaceHolder}'
- PlaceHolder: !ImportValue outputname

What if you have two values that you want to replace:

!Sub
- 'string with ${PlaceHolder1} and ${PlaceHolder2}'

With all these dashes floating around, it's easy to assume you'd write it like this, but…

WRONG:

!Sub
- 'string with ${PlaceHolder1} and ${PlaceHolder2}'
- PlaceHolder1: !ImportValue outputname1
- PlaceHolder2: !ImportValue outputname2

You only put the dash in front of the first entry of the list of replacement values:

!Sub
- 'string with ${PlaceHolder1} and ${PlaceHolder2}'
- PlaceHolder1: !ImportValue outputname1
  PlaceHolder2: !ImportValue outputname2

What if you want to use a pseudo parameter like AWS::AccountId? You might think that you should write something like this:

WRONG:

!Sub
- 'string with ${PlaceHolder1} and ${PlaceHolder2}'
- PlaceHolder1: !ImportValue outputname1
  PlaceHolder2: ${AWS::AccountId}

The correct version puts the pseudo parameter in the first line, like this:

CORRECT:

!Sub
- 'string with ${AWS::AccountId} and ${PlaceHolder1}'
- PlaceHolder1: !ImportValue outputname1
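To make the placement rules concrete, here is an added example (not AWS code and not the post's code) that models what Fn::Sub does with the two forms above: placeholders are expanded only in the first argument, the variable map supplies literal strings, and `${AWS::...}` names come from the pseudo parameters. The pseudo parameter values and the export table are constructed stand-ins, and references to other resources' logical IDs (such as `${MyRole.Arn}`) are left out of the model.

```python
"""A small model of CloudFormation's Fn::Sub, added to show why the post's
placement rules matter. Not AWS code and not the post's code: pseudo
parameters and exports are constructed values, and logical-ID references
(${MyRole.Arn}) are not modelled.
"""
import re

# Constructed stand-ins for what the service resolves from the stack context.
PSEUDO_PARAMETERS = {
    "AWS::AccountId": "111122223333",   # placeholder account id
    "AWS::Region": "us-east-1",
    "AWS::Partition": "aws",
}
# Constructed stand-in for the exports another stack's Outputs created.
EXPORTS = {"outputname1": "example-user"}

# ${Name} or the escape form ${!Name}; names may carry the "AWS::" prefix.
PLACEHOLDER = re.compile(r"\$\{(!?)([A-Za-z0-9:_.\-]+)\}")


class UnresolvedPlaceholder(ValueError):
    """A ${...} name that is neither a supplied variable nor a pseudo parameter."""


def import_value(export_name, exports=EXPORTS):
    """Model of !ImportValue: look up an export by name and fail loudly if absent."""
    if export_name not in exports:
        raise KeyError(f"no export named {export_name!r}")
    return exports[export_name]


def fn_sub(template, variables=None, pseudo=PSEUDO_PARAMETERS):
    """Expand ${...} placeholders in `template`.

    - ${Var} takes the value from the variable map (the second Sub argument).
    - ${AWS::Xxx} takes the pseudo parameter.
    - ${!Literal} is the escape form and yields the text ${Literal}.
    Map values are inserted as-is; they are never scanned for placeholders again.
    """
    variables = variables or {}

    def resolve(match):
        escaped, name = match.group(1), match.group(2)
        if escaped:
            return "${" + name + "}"
        if name in variables:
            return str(variables[name])
        if name in pseudo:
            return pseudo[name]
        raise UnresolvedPlaceholder(name)

    return PLACEHOLDER.sub(resolve, template)


def correct_form():
    """The post's CORRECT layout: pseudo parameter in the string, import in the map."""
    return fn_sub("arn:${AWS::Partition}:iam::${AWS::AccountId}:user/${PlaceHolder1}",
                  {"PlaceHolder1": import_value("outputname1")})


def wrong_form():
    """The post's WRONG layout: the pseudo parameter written as a map value.

    In YAML the unquoted ${AWS::AccountId} is just a string, so the model
    inserts it literally and the placeholder text ends up inside the ARN.
    """
    return fn_sub("arn:aws:iam::${PlaceHolder2}:user/${PlaceHolder1}",
                  {"PlaceHolder1": import_value("outputname1"),
                   "PlaceHolder2": "${AWS::AccountId}"})


if __name__ == "__main__":
    print("correct:", correct_form())
    print("wrong:  ", wrong_form())
```

With the constructed values, the correct layout yields a complete ARN while the wrong one leaves the text `${AWS::AccountId}` in the middle of it, which is exactly the kind of value IAM rejects as a MalformedPolicyDocument. A name that is neither in the map nor a pseudo parameter raises instead of silently passing through.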

This all seems a bit overly convoluted and inconsistent, but that's how it is.

And of course, the error messages are not that helpful.

Teri Radichel

If you liked this story please clap and follow:

Medium: Teri Radichel or Email List: Teri Radichel
Twitter: @teriradichel or @2ndSightLab
Request services via LinkedIn: Teri Radichel or IANS Research

© 2nd Sight Lab 2022

____________________________________________

Author:

Cybersecurity for Executives in the Age of Cloud on Amazon

Need Cloud Security Training? 2nd Sight Lab Cloud Security Training

Is your cloud secure? Hire 2nd Sight Lab for a penetration test or security assessment.

Have a Cybersecurity or Cloud Security Question? Ask Teri Radichel by scheduling a call with IANS Research.

Cybersecurity & Cloud Security Resources by Teri Radichel: Cybersecurity and Cloud security classes, articles, white papers, presentations, and podcasts
