
I am currently writing a CloudFormation template (CFT) for KMS (Key Management Service) where I want to give key administrative permissions and key usage permissions to users other than root. I want this to be called dynamically through the CFT. As of now, I am able to give root those permissions. Following is the policy:

    {
        "Sid": "Allow attachment of persistent resources",
        "Effect": "Allow",
        "Principal": {
            "AWS": [
                "arn:aws:iam::111122223333:user/KMSUser",
                {
                    "Fn::Join": [
                        ":",
                        [
                            "arn:aws:iam:",
                            {
                                "Ref": "AWS::AccountId"
                            },
                            "root"
                        ]
                    ]
                }
            ]
        },
        "Action": [
            "kms:CreateGrant",
            "kms:ListGrants",
            "kms:RevokeGrant"
        ],
        "Resource": "*",
        "Condition": {
            "Bool": {
                "kms:GrantIsForAWSResource": true
            }
        }
    }

How can I get the ARN and the username dynamically?

1 Answer

You can make use of Parameters.

Define a parameter for username

"Username": {
  "Description": "Username details",
  "Type": "String"
}

In the role name definition, point to the parameter instead of hardcoding it to root.

"Fn::Join": [
    ":",
    [
        "arn:aws:iam:",
        {
            "Ref": "AWS::AccountId"
        },
        {
            "Fn::Sub": "user/${Username}"
        }
    ]
]
  • Thank you for the answer. My question is, if we put it in the parameter section, will it always ask the user to enter the ARN/username? Any mechanism to get it directly from the account details? –  Feb 14 '18 at 08:30
  • No, you have to specify it via parameters. If the user is created using another CF template, you can export its output and consume it in this template. You can use Fn::ImportValue for that. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-importvalue.html – krisnik Feb 14 '18 at 10:15