creating aws IAM Role using cloudformation does not create RolePolicies

1
votes

I'm creating an ec2 instance with a role that provides access to kinesis streams and Dynamodb offset Tables. I am using aws cloudformation for that.

Problem I'm having is while creating the Streaming Access IAM Role itself.

So, I will have following structure,

                        has
StreamingAccessRole ----------> RolePolicy1(kinesis:*), RolePolicy2(dynamodb:*)

The template to create the AWS IAM role with two policies, one for kinesis and the other for dynamodb : 

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "teamIdentifier": {
      "Type": "String",
      "Default": "a28",
      "Description": "Identifier for the team"
    }
  },
  "Resources": {
    "StreamingAccessRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "ec2.amazonaws.com"
                ]
              },
              "Action": [
                "sts:AssumeRole"
              ]
            }
          ]
        },
        "Path": "/a28/",
        "Policies": [
          {
            "PolicyName": "Stream-ConsumerOffset-RW-AccessPolicy",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": "kinesis:*",
                  "Resource": "arn:aws:kinesis:us-west-2:*:stream/a28-*"
                },
                {
                  "Effect": "Allow",
                  "Action": "dynamodb:*",
                  "Resource": "arn:aws:dynamodb:us-west-2:*:table/a28-*"
                }
              ]
            }
          }
        ]
      }
    }
  }
}

It creates the Access Role but without role-policies.

$ aws iam get-role --role-name a28-streaming-access-role-st-StreamingAccessRole-14QHMTIOIRN5X --region us-west-2 --profile aws-federated
{
    "Role": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17", 
            "Statement": [
                {
                    "Action": "sts:AssumeRole", 
                    "Effect": "Allow", 
                    "Principal": {
                        "Service": "ec2.amazonaws.com"
                    }
                }
            ]
        }, 
        "RoleId": "AROAIFD6X2CJXTKLVQNLE", 
        "CreateDate": "2017-04-07T18:54:59Z", 
        "RoleName": "a28-streaming-access-role-st-StreamingAccessRole-14QHMTIOIRN5X", 
        "Path": "/a28/", 
        "Arn": "arn:aws:iam::500238854089:role/a28/a28-streaming-access-role-st-StreamingAccessRole-14QHMTIOIRN5X"
    }
}

Listing the role-policies

$ aws iam list-role-policies --role-name a28-streaming-access-role-st-StreamingAccessRole-14QHMTIOIRN5X --region us-west-2 --profile aws-federated
{
    "PolicyNames": []
}

which means it did not even create any policies,

aws iam list-policies --region us-west-2 --profile aws-federated | grep Stream-ConsumerOffset-RW-AccessPolicy

But if I supplied only kinesis:* statement in above example, it creates a policy, but not with dynamodb:* alone.

no policies created So, my question is how am supposed to provide multiple RolePolicies using one cloudformation AWS::IAM::Role template, or is this specific to dynamodb?

3
amazon-web-servicesamazon-cloudformationamazon-iam

3 Answers

1
votes

There's an intermittent race condition when you create the Policy in the Role. Create the Policy separately with AWS::IAM::Policy and set the Roles property to the Role. The problem will go away.

0
votes

Your template worked perfectly fine for me.

I ran your template and then:

$ aws iam get-role --role-name stack1-StreamingAccessRole-1KDUTVG1OLLQM
{
    "Role": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17", 
            "Statement": [
                {
                    "Action": "sts:AssumeRole", 
                    "Effect": "Allow", 
                    "Principal": {
                        "Service": "ec2.amazonaws.com"
                    }
                }
            ]
        }, 
        "RoleId": "AROAJADV75HTIM6C62YXQ", 
        "CreateDate": "2017-04-08T22:22:21Z", 
        "RoleName": "stack1-StreamingAccessRole-1KDUTVG1OLLQM", 
        "Path": "/a28/", 
        "Arn": "arn:aws:iam::123456789012:role/a28/stack1-StreamingAccessRole-1KDUTVG1OLLQM"
    }
}

Listing the role-policies:

$ aws iam list-role-policies --role-name stack1-StreamingAccessRole-1KDUTVG1OLLQM
{
    "PolicyNames": [
        "Stream-ConsumerOffset-RW-AccessPolicy"
    ]
}

The policy is attached as an inline policy, so it will not appear in list-policies. Rather, use get-role-policy to view it:

$ aws iam get-role-policy --role-name stack1-StreamingAccessRole-1KDUTVG1OLLQM --policy-name Stream-ConsumerOffset-RW-AccessPolicy
{
    "RoleName": "stack1-StreamingAccessRole-1KDUTVG1OLLQM", 
    "PolicyDocument": {
        "Version": "2012-10-17", 
        "Statement": [
            {
                "Action": "kinesis:*", 
                "Resource": "arn:aws:kinesis:us-west-2:*:stream/a28-*", 
                "Effect": "Allow"
            }, 
            {
                "Action": "dynamodb:*", 
                "Resource": "arn:aws:dynamodb:us-west-2:*:table/a28-*", 
                "Effect": "Allow"
            }
        ]
    }, 
    "PolicyName": "Stream-ConsumerOffset-RW-AccessPolicy"
}
0
votes

The reason could be race condition as already answered in this answer by Tim Bassett, I simply wanted to add final solution that worked, and how to add AWS::IAM::Policy to cloudformation.

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Some Streaming api devops",
  "Parameters": {
    "environment": {
      "Type": "String",
      "Default": "staging",
      "Description": "environment"
    }
  },
  "Resources": {
    "StreamingAccessRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "StreamingAccessRole",
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "ec2.amazonaws.com"
                ]
              },
              "Action": [
                "sts:AssumeRole"
              ]
            }
          ]
        },
        "Path": "/a28/"
      }
    },
    "StreamConsumerOffsetRWAccessPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "cloudwatch:*"
              ],
              "Resource": [
                "*"
              ]
            },
            {
              "Effect": "Allow",
              "Action": "kinesis:*",
              "Resource": "arn:aws:kinesis:us-west-2:051620159240:stream/a28-*"
            },
            {
              "Effect": "Allow",
              "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:CreateTable",
                "dynamodb:DeleteItem",
                "dynamodb:DeleteTable",
                "dynamodb:DescribeLimits",
                "dynamodb:DescribeReservedCapacity",
                "dynamodb:DescribeReservedCapacityOfferings",
                "dynamodb:DescribeStream",
                "dynamodb:DescribeTable",
                "dynamodb:GetItem",
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator",
                "dynamodb:ListStreams",
                "dynamodb:ListTables",
                "dynamodb:PutItem",
                "dynamodb:Query",
                "dynamodb:Scan",
                "dynamodb:UpdateItem",
                "dynamodb:UpdateTable"
              ],
              "Resource": "arn:aws:dynamodb:us-west-2:051620159240:table/a28-*"
            },
            {
              "Action": [
                "sns:*Permission",
                "sns:Create*",
                "sns:Delete*",
                "sns:Publish",
                "sns:ReceiveMessage",
                "sns:Set*"
              ],
              "Resource": [
                "arn:aws:sns:us-west-2:051620159240:a28-*"
              ],
              "Effect": "Allow"
            }
          ]
        },
        "PolicyName": "StreamConsumerOffsetRWAccessPolicy",
        "Roles": [
          {
            "Ref": "StreamingAccessRole"
          }
        ]
      }
    }
  }
}