
I'm creating an RDS cluster and, in the same template, a policy with some permissions to allow particular actions over that cluster.

```yaml
Statement:
  - Effect: Allow
    Action:
      - 'rds-data:BatchExecuteStatement'
      - 'rds-data:ExecuteStatement'
    Resource: 'arn:aws:rds:us-east-1:1111111111:cluster:production-mycluster-rdscluster-no1yzvzs29sq'
```

The problem is that AWS::RDS::DBCluster does not support Fn::GetAtt for the ARN, and, since RDS adds that random string at the end of the ARN (in this example no1yzvzs29sq), I don't know how I can use something like a wildcard to "whitelist" part of the name.

I would like something like arn:aws:rds:us-east-1:1111111111:cluster:production-mycluster-rdscluster-*

But it doesn't work. I would appreciate help!

Peter

2 Answers


You can construct the ARN based on the Cluster name yourself.

For example:

```yaml
Statement:
  - Effect: Allow
    Action:
      - 'rds-data:BatchExecuteStatement'
      - 'rds-data:ExecuteStatement'
    Resource: !Sub 'arn:${AWS::Partition}:rds:${AWS::Region}:${AWS::AccountId}:cluster:${MyDBCluster}'
```

Marcin

Based on the docs:

Amazon RDS Data API does not support specifying a resource ARN in the Resource element of an IAM policy statement. To allow access to Amazon RDS Data API, specify "Resource": "*" in your policy.

So at this point it looks like you're stuck with a policy that looks like

```yaml
Statement:
  - Effect: Allow
    Action:
      - 'rds-data:BatchExecuteStatement'
      - 'rds-data:ExecuteStatement'
    Resource: '*'
```
maafk
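A complete template fragment that ties the two answers together, added here as an example; it is not code from the question or from either answer. The logical IDs MyDBCluster and DataApiPolicy and the parameter DBMasterSecretArn are assumptions of mine. Marcin's !Sub line works because !Ref on an AWS::RDS::DBCluster returns the DB cluster identifier, which is exactly the last component of the cluster ARN, including whatever suffix CloudFormation generated when no DBClusterIdentifier was set, so no wildcard and no Fn::GetAtt are needed. The Resource: '*' form quoted in the second answer grants the Data API on every cluster in the account; the scoped statement below avoids that. Before relying on the scoped form, check the Service Authorization Reference entry for Amazon RDS Data API in your region: it lists the cluster ARN as a supported resource type for these actions, which is what makes the ARN-scoped Resource valid.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Aurora Serverless cluster with the Data API enabled, plus an IAM policy scoped to that one cluster (added example)

Parameters:
  DBMasterSecretArn:
    Type: String
    Description: ARN of a Secrets Manager secret holding username/password keys (assumed to exist outside this template)

Resources:
  MyDBCluster:
    Type: AWS::RDS::DBCluster
    Properties:
      Engine: aurora-mysql
      EngineMode: serverless
      # The Data API is only reachable when the HTTP endpoint is switched on.
      EnableHttpEndpoint: true
      # Credentials are pulled from Secrets Manager at deploy time, never inlined.
      MasterUsername: !Sub '{{resolve:secretsmanager:${DBMasterSecretArn}:SecretString:username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${DBMasterSecretArn}:SecretString:password}}'
      # No DBClusterIdentifier is set, so CloudFormation generates one such as
      # production-mycluster-rdscluster-no1yzvzs29sq; !Ref returns that generated value.

  DataApiPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: DataApiOnThisClusterOnly
            Effect: Allow
            Action:
              - rds-data:BatchExecuteStatement
              - rds-data:ExecuteStatement
            # !Ref on AWS::RDS::DBCluster is the cluster identifier, i.e. the final ARN
            # component, so the full ARN is assembled without Fn::GetAtt or a wildcard.
            Resource: !Sub 'arn:${AWS::Partition}:rds:${AWS::Region}:${AWS::AccountId}:cluster:${MyDBCluster}'
          - Sid: ReadDbCredentialsSecret
            Effect: Allow
            # Every Data API call carries a SecretArn; without this the call is denied
            # even when the rds-data statement above matches.
            Action: secretsmanager:GetSecretValue
            Resource: !Ref DBMasterSecretArn
```

Attach DataApiPolicy to the role of whatever calls the Data API and pass the same DBMasterSecretArn as the SecretArn of the ExecuteStatement call. If you later set an explicit DBClusterIdentifier on the cluster, nothing in the policy changes, because !Ref tracks whichever identifier the cluster actually has.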