
I am trying to dynamically change the S3 resource name based on the current CloudFormation stack region. The CloudFormation stack updates without any error. Am I doing something wrong? I am expecting to get a policy with ${AWS::Region} resolved to us-east-1.

        Version: 2012-10-17
        Statement:
          - Sid: RestrictS3Access
            Effect: Allow
            Action:
              - 's3:GetObject'
            Resource:
              - !Sub "arn:aws:s3:::dnsa-${AWS::Region}test/${cognito-identity.amazonaws.com:sub}"
              - !Sub "arn:aws:s3:::dnsa-${AWS::Region}test/${cognito-identity.amazonaws.com:sub}/*"

I am expecting to see the policy as follows. I am checking the results in the AWS console.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "s3:GetObject"
                ],
                "Resource": [
                    "arn:aws:s3:::dnsa-us-east-1/${cognito-identity.amazonaws.com:sub}",
                    "arn:aws:s3:::dnsa-us-east-1/${cognito-identity.amazonaws.com:sub}/*"
                ],
                "Effect": "Allow",
                "Sid": "RestrictS3Access"
            }
        ]
    }
Please clarify your question. What is the behavior you are seeing, and how does that compare to your expectations? - Jason Wadsworth

Thanks @JasonWadsworth. I updated the question with the expected result. - DineshNS

@DineshNS could still do with a bit more info here. What is the outcome of you updating your stack with that YAML? - Jonathan

I can see the following: "Resource": [ "arn:aws:s3:::dnsa/${cognito-identity.amazonaws.com:sub}". Only one line in the policy as well. If I remove ${AWS::Region} I can see both. - DineshNS

@DineshNS I'd suggest updating your question with the full JSON policy that's been created. We can then help you determine why it's different to what you're expecting. - Jonathan

1 Answer


If you want ${cognito-identity.amazonaws.com:sub} to remain unchanged, you need to escape it with ${!}.

    Version: 2012-10-17
    Statement:
      - Sid: RestrictS3Access
        Effect: Allow
        Action:
          - 's3:GetObject'
        Resource:
          - !Sub "arn:aws:s3:::dnsa-${AWS::Region}test/${!cognito-identity.amazonaws.com:sub}"
          - !Sub "arn:aws:s3:::dnsa-${AWS::Region}test/${!cognito-identity.amazonaws.com:sub}/*"
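To make the answer's point concrete, here is an added Python example (not part of the question or the answer, and not AWS code) that emulates the two Fn::Sub rules at play: `${Name}` is replaced from the pseudo-parameter/variable map, while `${!Name}` is emitted as the literal `${Name}`. It also provides a pre-deploy check that flags `${...}` tokens which look like IAM policy variables but lack the `!` escape, which is exactly the bug in the original template. The pseudo-parameter values and the list of policy-variable prefixes are constructed for the example, and the emulator raises on an unresolvable name rather than reproducing whatever CloudFormation actually rendered for the asker.

```python
"""Emulate CloudFormation Fn::Sub substitution and lint for unescaped IAM policy variables.

Added example for this Q&A; it is not CloudFormation's implementation.
"""
import re
from typing import Dict, List, Optional

# Constructed pseudo-parameter values standing in for a real stack.
PSEUDO_PARAMS: Dict[str, str] = {
    "AWS::Region": "us-east-1",
    "AWS::AccountId": "123456789012",
    "AWS::Partition": "aws",
}

# Prefixes of IAM policy variables that must survive Fn::Sub untouched (constructed, not exhaustive).
IAM_POLICY_VARIABLE_PREFIXES = (
    "aws:",
    "cognito-identity.amazonaws.com:",
    "saml:",
    "oidc:",
)

# Matches every ${...} token in a Sub string, including the ${!...} escape form.
SUB_TOKEN = re.compile(r"\$\{([^}]+)\}")


class UnresolvedSubVariable(Exception):
    """Raised when a ${Name} token has no value in the substitution map."""


def fn_sub(template: str, variables: Optional[Dict[str, str]] = None) -> str:
    """Apply Fn::Sub semantics: substitute ${Name}, unwrap ${!Name} to a literal ${Name}."""
    lookup = {**PSEUDO_PARAMS, **(variables or {})}

    def replace(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name.startswith("!"):
            # ${!Literal} is the escape: emit ${Literal} unchanged for IAM to evaluate later.
            return "${" + name[1:] + "}"
        if name in lookup:
            return lookup[name]
        raise UnresolvedSubVariable(name)

    return SUB_TOKEN.sub(replace, template)


def unescaped_policy_variables(template: str) -> List[str]:
    """Return ${...} names that look like IAM policy variables but are missing the '!' escape."""
    return [
        name
        for name in SUB_TOKEN.findall(template)
        if not name.startswith("!") and name.startswith(IAM_POLICY_VARIABLE_PREFIXES)
    ]


def render_resources(sub_strings: List[str], variables: Optional[Dict[str, str]] = None) -> List[str]:
    """Render a list of !Sub resource ARNs, refusing any that contain unescaped policy variables."""
    for s in sub_strings:
        bad = unescaped_policy_variables(s)
        if bad:
            raise ValueError(f"unescaped IAM policy variable(s) {bad} in {s!r}; use ${{!...}}")
    return [fn_sub(s, variables) for s in sub_strings]


# The asker's original (broken) and the answer's corrected resource strings.
BROKEN_RESOURCES = [
    "arn:aws:s3:::dnsa-${AWS::Region}test/${cognito-identity.amazonaws.com:sub}",
    "arn:aws:s3:::dnsa-${AWS::Region}test/${cognito-identity.amazonaws.com:sub}/*",
]
FIXED_RESOURCES = [
    "arn:aws:s3:::dnsa-${AWS::Region}test/${!cognito-identity.amazonaws.com:sub}",
    "arn:aws:s3:::dnsa-${AWS::Region}test/${!cognito-identity.amazonaws.com:sub}/*",
]


if __name__ == "__main__":
    for label, resources in (("broken", BROKEN_RESOURCES), ("fixed", FIXED_RESOURCES)):
        try:
            for arn in render_resources(resources):
                print(f"{label}: {arn}")
        except ValueError as err:
            print(f"{label}: {err}")
```

Run as a script it rejects the first pair and renders the second to `arn:aws:s3:::dnsa-us-east-1test/${cognito-identity.amazonaws.com:sub}`, with the policy variable left intact for IAM to resolve per-identity at request time. The `variables` argument covers the explicit-map form of Fn::Sub (`!Sub [string, {Name: value}]`), so the same check works for templates that reference resource logical IDs as well as pseudo parameters.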