I have the following template defining an IAM policy which is not working:
RoleName: 'ABCRole'
AssumeRolePolicyDocument:
  Statement:
    - Action: ['sts:AssumeRole']
      Effect: Allow
      Principal:
        AWS:
          - 1234567890 # Some AWS account
          - !If
            - !And
              - !Condition Condition1
              - !Condition Condition2
            - arn:aws:iam::11111111111111:role/ABCDE_Role # first role
            - arn:aws:iam::22222222222222:role/ABCDE_Role # second role (different account number)
            - !Ref AWS:NoValue
What I am trying to achieve: when both Condition1 and Condition2 are true, I want to attach arn:aws:iam::11111111111111:role/ABCDE_Role and arn:aws:iam::22222222222222:role/ABCDE_Role as two additional principals. Otherwise, do nothing, leaving 1234567890 as the only principal.
Please note that arn:aws:iam::11111111111111:role/ABCDE_Role and arn:aws:iam::22222222222222:role/ABCDE_Role differ only in the AWS account number, so maybe I could use !Sub to replace the account number? Something like:
for account in [11111111111111, 22222222222222]:
  !Sub arn:aws:iam::${account}:role/ABCDE_Role
How should I modify my template above? Thank you in advance!
CodePudding user response:
I think it is because of the format that the !If function expects. Following the AWS documentation, the format is:
!If [condition_name, value_if_true, value_if_false]
And if you check your template, you have four elements, not three.
Also, the pseudo parameter is written with a double colon:
AWS::NoValue
So, a possible solution to add the two accounts you need when the condition is true is to define a new condition that combines the Condition1 and Condition2 you already have using the !And function, like this:
Conditions:
  Condition1: your condition
  Condition2: your condition
  ConditionCombined: !And [!Condition Condition1, !Condition Condition2]

Resources:
  Role1:
    Type: AWS::IAM::Role
    Properties:
      RoleName: 'ABCRole'
      AssumeRolePolicyDocument:
        Statement:
          - Action: ['sts:AssumeRole']
            Effect: Allow
            Principal:
              AWS:
                - 1234567890 # Some AWS account
                - !If
                  - ConditionCombined
                  - arn:aws:iam::11111111111111:role/ABCDE_Role # first role
                  - !Ref AWS::NoValue
                - !If
                  - ConditionCombined
                  - arn:aws:iam::22222222222222:role/ABCDE_Role # second role (different account number)
                  - !Ref AWS::NoValue
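To see what trust policy each condition outcome actually produces, here is an added example (not part of the original question or answer) that resolves the intrinsic functions the corrected template depends on, Fn::If, Fn::And, Condition and Ref AWS::NoValue, in the long form the YAML short tags expand to. The helper names and the sample account IDs taken from the thread are ours, not CloudFormation's.

```python
# Added example, not from the original post: a small resolver for the
# intrinsic functions the corrected template relies on (Fn::If, Fn::And,
# Condition, Ref AWS::NoValue). Function names are ours, not CloudFormation's.

NO_VALUE = object()  # sentinel for Ref AWS::NoValue


def evaluate_condition(node, conditions):
    """Evaluate a condition name, {"Condition": name} or {"Fn::And": [...]}."""
    if isinstance(node, str):
        value = conditions[node]  # a boolean, or another condition expression
        return value if isinstance(value, bool) else evaluate_condition(value, conditions)
    if "Condition" in node:
        return evaluate_condition(node["Condition"], conditions)
    if "Fn::And" in node:
        return all(evaluate_condition(c, conditions) for c in node["Fn::And"])
    raise ValueError(f"unsupported condition expression: {node!r}")


def resolve(node, conditions):
    """Resolve Fn::If and drop Ref AWS::NoValue entries from lists."""
    if isinstance(node, dict):
        if node.get("Ref") == "AWS::NoValue":
            return NO_VALUE
        if "Fn::If" in node:
            args = node["Fn::If"]
            if len(args) != 3:  # the question's template passed four items here
                raise ValueError(f"Fn::If takes 3 arguments, got {len(args)}")
            branch = args[1] if evaluate_condition(args[0], conditions) else args[2]
            return resolve(branch, conditions)
        return {k: resolve(v, conditions) for k, v in node.items()}
    if isinstance(node, list):
        items = (resolve(item, conditions) for item in node)
        return [item for item in items if item is not NO_VALUE]
    return node


ROLE_ARNS = ["arn:aws:iam::11111111111111:role/ABCDE_Role",
             "arn:aws:iam::22222222222222:role/ABCDE_Role"]


def trust_principals(condition1, condition2):
    """Principal list of the answer's trust policy for given condition outcomes."""
    conditions = {"Condition1": condition1, "Condition2": condition2,
                  "ConditionCombined": {"Fn::And": [{"Condition": "Condition1"},
                                                    {"Condition": "Condition2"}]}}
    principal = {"AWS": ["1234567890"] + [
        {"Fn::If": ["ConditionCombined", arn, {"Ref": "AWS::NoValue"}]} for arn in ROLE_ARNS]}
    return resolve(principal, conditions)["AWS"]


if __name__ == "__main__":
    for c1, c2 in [(True, True), (True, False), (False, False)]:
        print(c1, c2, trust_principals(c1, c2))
```

Only when both conditions are true do the two role ARNs appear; in every other case the NoValue entries are dropped and 1234567890 remains the sole principal, which is the behaviour the question asked for.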
