
I have a very simple AWS SAM project that has a permissions boundary defined in this way:

```yaml
Globals:
  Function:
    PermissionsBoundary: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/${AppId}-${AWS::Region}-PermissionsBoundary'
```

During deployment, I get the error:

```text
Scope ARN: arn:aws:iam::360366933610:policy/gaaa-pablo-us-east-1-PermissionsBoundary does not exist or is not attachable. (Service: AmazonIdentityManagement; Status Code: 404; Error Code: NoSuchEntity; Request ID: 7217e1ad-0716-403c-a839-160db3a83310; Proxy: null)
```

How should this permissions boundary be created? Is this supposed to be a manual task?

This seems to be one of the differences between running sam init on my machine and creating the exact same template through the AWS console. AWS seems to create this boundary, and maybe attach it to the application, but not emit any code that would create it? I'm still trying to understand all the moving pieces here.

Pablo Fernandez
  • Are you confident that `gaaa-pablo-us-east-1-PermissionsBoundary` exists and it works? For example, can you use AWS console to attach it to a role? – Marcin Dec 11 '21 at 02:24
  • No, it doesn't exist. My question is how it should be created. – Pablo Fernandez Dec 11 '21 at 08:26
  • This is use-case specific. For generic guidelines on creating boundary policies please check [aws docs](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html). – Marcin Dec 11 '21 at 08:32
  • I went through that doc. I don't think it answers the question of how this permissions boundary is supposed to be created. Is it a manual activity? Can it be automated? – Pablo Fernandez Dec 11 '21 at 09:14
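As an added example (not code from the question or from what the AWS console generates), one way to create the boundary in the same SAM template instead of by hand, assuming the managed policy name should match the ARN the Globals section expects and that the resource name `PermissionsBoundaryPolicy` is a choice made here:

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31

Parameters:
  AppId:
    Type: String

Globals:
  Function:
    # Ref on an AWS::IAM::ManagedPolicy returns its ARN, and referencing the
    # resource (rather than building the ARN with !Sub) tells CloudFormation
    # to create the policy before the function roles that need it.
    PermissionsBoundary: !Ref PermissionsBoundaryPolicy

Resources:
  # Hypothetical resource name; the policy name reproduces the
  # '${AppId}-${AWS::Region}-PermissionsBoundary' pattern from the question.
  PermissionsBoundaryPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: !Sub '${AppId}-${AWS::Region}-PermissionsBoundary'
      Description: Upper bound on what any function role in this app may do
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Constructed sample: a boundary only caps permissions, so each
          # function's own policies must still grant what it actually uses.
          # Effective permissions are the intersection of the two.
          - Effect: Allow
            Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
            Resource: !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:*'

  # Minimal function whose generated role receives the boundary via Globals.
  HelloFunction:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.9
      Handler: index.handler
      InlineCode: |
        def handler(event, context):
            return {"statusCode": 200}
```

Because the boundary is a stack resource, the first `sam deploy` creates it before any role references it, and any later tightening of the boundary ships through the same template review as the functions themselves.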

0 Answers