AWS Cloudformation IAM Policy with Resource

Question

What I'm trying to do is create an IAM policy that only gives access to a certain S3 bucket and I want to pass that S3 bucket as a parameter.

From AWS's documentation, this is what an IAM policy CloudFormation template looks like:

"RolePolicies": {
     "Type": "AWS::IAM::Policy",
     "Properties": {
        "PolicyName": "root",
        "PolicyDocument": {
           "Version" : "2012-10-17",
           "Statement": [ {
              "Effect": "Allow",
              "Action": "*",
              "Resource": "*"
           } ]
        },

The question is, how do you make "Resource" a parameter? The parameter should be the arn of the S3 bucket (ex. arn:aws:s3:::s3-bucket-name). Would I simply put in a string type parameter and type out the whole arn or would it be something like AWS::S3::Bucket type? Either way, I'm not sure what to type in after "Resource".

Thanks!

Answer 1

You can use Ref with Fn::Join or Fn::Sub

For example:

"Parameters" : {
    "BucketName" : {
        "Type" : "String",
        "Description" : "S3 Bucket name."
    }
}

With Ref and Fn::Join

    ...
        "Resource": { "Fn::Join" : [ "", [ "arn:aws:s3:::", { "Ref" : "BucketName"} ] ] }
    ...

With Fn::Sub :

    ...
        "Resource": { "Fn::Sub": [ "arn:aws:s3:::${BucketName}" ] }
    ...

More info about template parameters here

Answer 2

A little late to the party.

If your bucket is declared in Resources, like this:

...
Resources:
  MyBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: my-bucket-name
...

...Then you can easily refer to it's ARN using Fn::GetAtt:

Resource:
  Fn::GetAtt: [ MyBucket, "Arn" ]