I have an S3 bucket on which I am trying to apply the bucket policy via CloudFormation. I want to allow two IAM roles to access the bucket, which is achieved by specifying the ARNs of the roles in the bucket policy in the CloudFormation template. Below is the CloudFormation template:
LandingBucketPolicy:
  Type: AWS::S3::BucketPolicy
  Properties:
    Bucket: !Ref LandingBucket
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        # yamllint disable-line rule:line-length
        - Sid: "Allow s3 permission"
          Action:
            - s3:PutObject
            - s3:GetObject
            - s3:ListBucket
          Effect: "Allow"
          Resource:
            - !GetAtt LandingBucket.Arn
            - !Sub "${LandingBucket.Arn}/*"
          Principal:
            AWS:
              - !Ref IamRoleArn1
              - !Ref IamRoleArn2
The parameters are: IamRoleArn1 = arn:aws:iam::1234:role/xyz, IamRoleArn2 = arn:aws:iam::1234:role/abc.
The final policy as shown in the console looks like this:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "file drop permission",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::1234:role/xyz",
                    "AROxxIECxx"
                ]
            },
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name",
                "arn:aws:s3:::bucket-name/*"
            ]
        }
    ]
}
The first principal is an IAM role; however, the second one looks like an API key, even though in the CloudFormation template I have specified the second IAM role ARN in exactly the same way as the first.
Why is the second role ARN not showing up in the bucket policy?
Comments:

IamRoleArn1 -- shouldn't one of them be IamRoleArn2? – John Rotenstein

AROxxIECxx (a unique ID) usually shows up if you refer to a resource that is deleted after it was referenced. It looks like IamRoleArn2 is referring to a role that is/was deleted. – Asdfg
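The behaviour Asdfg describes is documented IAM behaviour: when a principal named by ARN in a resource policy is deleted, IAM replaces the ARN in the stored policy with the principal's unique ID (the AROA... prefix is an IAM role, AIDA... an IAM user). A role later recreated with the same name receives a new unique ID, so the stale entry grants nothing until the policy is rewritten with the live ARN (for a CloudFormation-managed policy, an update of the stack once the role exists again). The script below is an added example, not code from the question or from the commenters; it scans a bucket policy document for AWS principals that are no longer ARNs, account IDs or the wildcard, and classifies them by unique-ID prefix. The policy it runs on is constructed for the example, with a made-up account ID and a made-up unique ID modelled on the one in the question.

```python
import json
import re

# Constructed sample policy, modelled on the one in the question: the first
# principal is an intact role ARN, the second is the unique ID that IAM
# substitutes once the referenced role has been deleted. Not real identifiers.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "file drop permission",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::123456789012:role/xyz",
                    "AROAEXAMPLEDELETED01",
                ]
            },
            "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/*"],
        }
    ],
})

# Unique-ID prefixes for the two principal types that can appear in the
# "AWS" key of a resource policy (from the IAM identifiers reference).
UNIQUE_ID_PREFIXES = {
    "AROA": "role",
    "AIDA": "user",
}

# A bare 12-digit account ID is a legitimate way to spell an account principal.
ACCOUNT_ID = re.compile(r"^\d{12}$")


def _as_list(value):
    """Policy JSON allows a string or a list in most places; normalise to a list."""
    return value if isinstance(value, list) else [value]


def classify_principal(principal):
    """Return None for a well-formed AWS principal, else the kind of stale
    unique ID it appears to be ("role", "user" or "unknown")."""
    if principal == "*" or principal.startswith("arn:") or ACCOUNT_ID.match(principal):
        return None
    return UNIQUE_ID_PREFIXES.get(principal[:4], "unknown")


def find_orphaned_principals(policy_text):
    """Return a list of {sid, principal, kind} for every AWS principal in the
    policy that IAM has rewritten to a unique ID, i.e. whose original
    identity was deleted after the policy was written."""
    policy = json.loads(policy_text)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        # Principal may be the string "*" or a dict with AWS/Service/Federated keys;
        # only the AWS key carries IAM identities that can be orphaned.
        if not isinstance(principal, dict):
            continue
        for p in _as_list(principal.get("AWS", [])):
            kind = classify_principal(p)
            if kind is not None:
                findings.append({"sid": stmt.get("Sid"), "principal": p, "kind": kind})
    return findings


if __name__ == "__main__":
    for f in find_orphaned_principals(SAMPLE_POLICY):
        print(f"statement {f['sid']!r}: principal {f['principal']} is a stale "
              f"{f['kind']} unique ID; the original identity was deleted")
```

In practice the input would be the output of `aws s3api get-bucket-policy --bucket <name> --query Policy --output text`; the same check applies to any resource policy with an AWS principal block (KMS key policies, SQS queue policies, IAM trust policies).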