
I am trying to add an IAM role to an already existing template that allows certain access to a bucket from an external source (Snowflake).

RoleNameForAccess:
    Type: AWS::IAM::Role
    Properties: 
      RoleName: RoleNameForAccess
      Description: A role that allows snowflake to access the bucket
      Policies: 
        - PolicyName: 'SnowflakePolicyRole'
        - PolicyDocument:
          - Version: '2012-10-17'
            Statement:
            - Effect: Allow
              Action: 
                - s3:PutObject
                - s3:GetObject
                - s3:GetObjectVersion
                - s3:DeleteObject
                - s3:DeleteObjectVersion
              Resource: arn:aws:s3:::bucket-name/*
            - Effect: Allow
              Action: s3:ListBucket
              Resource: arn:aws:s3:::bucket-name
              Condition:
                StringLike:
                  s3:prefix:
                  - "*"

but it keeps throwing errors:

Property PolicyDocument cannot be empty.

If I take out the dash in PolicyDocument, I get this error:

Value of property PolicyDocument must be an object

Maybe I am missing some syntax but can't find what it is.

Thanks

Mario Garcia

2 Answers


You have a very small error. You can have more than one policy, so Policies is an array.

RoleNameForAccess:
    Type: AWS::IAM::Role
    Properties:
      # AWS::IAM::Role also requires AssumeRolePolicyDocument (the trust policy)
      RoleName: RoleNameForAccess
      Description: A role that allows snowflake to access the bucket
      Policies:
        # each entry is one object that carries both PolicyName and PolicyDocument
        - PolicyName: SnowflakePolicyRole
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - s3:PutObject
                  - s3:GetObject
                  - s3:GetObjectVersion
                  - s3:DeleteObject
                  - s3:DeleteObjectVersion
                Resource: arn:aws:s3:::bucket-name/*
              - Effect: Allow
                Action: s3:ListBucket
                Resource: arn:aws:s3:::bucket-name
                Condition:
                  StringLike:
                    s3:prefix:
                    - "*"
Jason Wadsworth

PolicyName and AssumeRolePolicyDocument were missing. Updated as per the user guide here. You may change Principal in the AssumeRolePolicyDocument section in the below updates as per your requirements.

  RoleNameForAccess:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - arn:aws:iam::111111111111:user/testuser
            Action:
              - 'sts:AssumeRole'
      RoleName: RoleNameForAccess
      Description: A role that allows snowflake to access the bucket
      Policies: 
        - PolicyName: SnowflakePolicyRole
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: 
                  - s3:PutObject
                  - s3:GetObject
                  - s3:GetObjectVersion
                  - s3:DeleteObject
                  - s3:DeleteObjectVersion
                Resource: arn:aws:s3:::bucket-name/*
              - Effect: Allow
                Action: s3:ListBucket
                Resource: arn:aws:s3:::bucket-name
                Condition:
                  StringLike:
                    s3:prefix:
                    - "*"
dossani
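An added structural check that reproduces the two errors from the question and the missing trust policy the second answer points out. This is example code, not from the question or either answer; it uses only the Python standard library, and the dict literals mirror what the question's YAML and the second answer's YAML parse to (the 111111111111 account and testuser are the second answer's placeholder principal).

```python
def lint_role(props: dict) -> list:
    """Return CloudFormation-style findings for the Properties of an AWS::IAM::Role."""
    findings = []
    if "AssumeRolePolicyDocument" not in props:
        findings.append("Required property AssumeRolePolicyDocument is missing.")
    for i, policy in enumerate(props.get("Policies", [])):
        if not isinstance(policy, dict):
            findings.append(f"Policies[{i}] must be an object.")
            continue
        if "PolicyName" not in policy:
            findings.append(f"Policies[{i}]: property PolicyName is required.")
        doc = policy.get("PolicyDocument")
        if doc is None:
            findings.append(f"Policies[{i}]: property PolicyDocument cannot be empty.")
        elif not isinstance(doc, dict):
            findings.append(f"Policies[{i}]: value of property PolicyDocument must be an object.")
    return findings

# The two statements from the question, unchanged.
STATEMENTS = [
    {"Effect": "Allow", "Resource": "arn:aws:s3:::bucket-name/*",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:GetObjectVersion",
                "s3:DeleteObject", "s3:DeleteObjectVersion"]},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::bucket-name",
     "Condition": {"StringLike": {"s3:prefix": ["*"]}}},
]

# What the question's YAML parses to: the dash before PolicyDocument makes it a second
# list item (so item 0 has no PolicyDocument), and the dash before Version wraps the
# document itself in a list instead of an object.
AS_ASKED = {
    "RoleName": "RoleNameForAccess",
    "Policies": [
        {"PolicyName": "SnowflakePolicyRole"},
        {"PolicyDocument": [{"Version": "2012-10-17", "Statement": STATEMENTS}]},
    ],
}

# The second answer's shape: one list entry carrying both keys, plus the trust policy.
FIXED = {
    "RoleName": "RoleNameForAccess",
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["sts:AssumeRole"],
         "Principal": {"AWS": ["arn:aws:iam::111111111111:user/testuser"]}}]},
    "Policies": [{"PolicyName": "SnowflakePolicyRole",
                  "PolicyDocument": {"Version": "2012-10-17", "Statement": STATEMENTS}}],
}
```

Running `lint_role(AS_ASKED)` lists all four problems at once, whereas CloudFormation stops at the first one it hits, which is why the question saw them one at a time.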