I'm creating a CloudFormation stack that has a CodeBuild project and an IAM role as resources. I'd like to know if there is a condition that allows only resources created in the same stack to assume the role.
Currently, my stack is defined this way:
CodeBuildProjectIAMRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service: codebuild.amazonaws.com
          Action: sts:AssumeRole
CodeBuildProject:
  Type: AWS::CodeBuild::Project
The problem is that any CodeBuild project can assume the role above.
When I try to add a condition specifying that only principals whose aws:cloudformation:stack-name tag equals the stack name can assume the role:
CodeBuildProjectIAMRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service: codebuild.amazonaws.com
          Action: sts:AssumeRole
          Condition:
            StringEquals:
              aws:PrincipalTag/aws:cloudformation:stack-name: !Ref 'AWS::StackName'
I get this error:
Condition can contain only one colon. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument)
..., something like: 'aws:PrincipalTag/aws:cloudformation:stack-name:'. - lexicore
'aws:PrincipalTag/aws:cloudformation:stack-name:' (got Template format error: YAML not well-formed) and 'aws:PrincipalTag/aws:cloudformation:stack-name': (got Condition can contain only one colon) - Pedro Arantes
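One way to pin the trust policy to this stack's own project, as an added example that is not from the question or its comments: aws:PrincipalTag is not populated for a service principal such as codebuild.amazonaws.com, and IAM rejects a condition key with more than one colon anyway, so the template below uses the aws:SourceAccount and aws:SourceArn keys that CodeBuild supplies when it assumes a service role (AWS's cross-service confused-deputy guidance) and matches them against a project name derived from the stack name. The explicit project name, build image and buildspec are assumptions chosen for the example.

```yaml
Resources:
  CodeBuildProjectIAMRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
            Action: sts:AssumeRole
            Condition:
              # Only CodeBuild acting for a project in this account ...
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
              # ... whose ARN starts with this stack's name may assume the role.
              # No circular dependency: the ARN is built from pseudo-parameters,
              # not from a !GetAtt on the project.
              ArnLike:
                aws:SourceArn: !Sub 'arn:${AWS::Partition}:codebuild:${AWS::Region}:${AWS::AccountId}:project/${AWS::StackName}-*'

  CodeBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      # Fixed name (assumed) so the project ARN matches the ArnLike pattern above.
      Name: !Sub '${AWS::StackName}-build'
      ServiceRole: !GetAtt CodeBuildProjectIAMRole.Arn
      Artifacts:
        Type: NO_ARTIFACTS
      Environment:
        Type: LINUX_CONTAINER
        ComputeType: BUILD_GENERAL1_SMALL
        Image: aws/codebuild/standard:7.0
      Source:
        Type: NO_SOURCE
        # Minimal buildspec (assumed) that shows which role the build runs under.
        BuildSpec: |
          version: 0.2
          phases:
            build:
              commands:
                - aws sts get-caller-identity
```

A project created in another stack, or named outside the `${AWS::StackName}-*` pattern, fails the ArnLike check and CodeBuild cannot assume the role for it; if you omit Name, CloudFormation still generates a name prefixed with the stack name, but setting it explicitly keeps the pattern deterministic.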