Home > Software engineering >  CFn: Use !If to add multiple Principals to a statement
CFn: Use !If to add multiple Principals to a statement

Time:01-26

I have the following template defining a IAM policy which is not working:

      RoleName: 'ABCRole'
      AssumeRolePolicyDocument:
        Statement:
          - Action: ['sts:AssumeRole']
            Effect: Allow
            Principal:
              AWS:
              - 1234567890 # Some AWS account
              - !If
                - !And
                  - !Condition Condition1
                  - !Condition Condition2
                - arn:aws:iam::11111111111111:role/ABCDE_Role # first role
                - arn:aws:iam::22222222222222:role/ABCDE_Role # second role (different account number)
                - !Ref AWS:NoValue

I am trying to achieve that: when both Condition1 and Condition2 are true, I will be able to attach arn:aws:iam::11111111111111:role/ABCDE_Role and arn:aws:iam::22222222222222:role/ABCDE_Role as two additional principals. Otherwise, do nothing -- having 1234567890 as the only principal.

Please note that, arn:aws:iam::11111111111111:role/ABCDE_Role and arn:aws:iam::22222222222222:role/ABCDE_Role are only different from the aws account, so maybe I could use !Sub to replace the the account number? Somewhat like:

for account in [11111111111111, 22222222222222]:
 !Sub arn:aws:iam::${account}:role/ABCDE_Role 

How should I modify my template above? Thank you in advance!

CodePudding user response:

I think is because of the format that the !If condition expects, following the documentation from aws, the format is:

!If [condition_name, value_if_true, value_if_false]

And if you check your template, you have four elements, not three.

Also, the pseudo parameter is (with double :):

AWS::NoValue

So, a possible solution to add the two accounts that you need when the condition is True could be trying to add a new condition that combines condition1 and condition2 that you already have with the !And function, like this:

Conditions:
  Condition1: your condition
  Condition2: your condition
  ConditionCombined: !And [!Condition Condition1, !Condition Condition2]
Resources:
  Role1:
    Type: AWS::IAM::Role
    Properties: 
      RoleName: 'ABCRole'
      AssumeRolePolicyDocument:
        Statement:
          - Action: ['sts:AssumeRole']
            Effect: Allow
            Principal:
              AWS:
              - 1234567890 # Some AWS account
              - !If
                - ConditionCombined
                - arn:aws:iam::11111111111111:role/ABCDE_Role # first role
                - !Ref AWS::NoValue
              - !If
                - ConditionCombined
                - arn:aws:iam::22222222222222:role/ABCDE_Role # second role (different account number)
                - !Ref AWS::NoValue
  •  Tags:  
  • Related