
How to use AWS CloudFormation pseudoparameter inside IAM Policy Document

I am using AWS CloudFormation (YAML-based) to deploy an IAM role. This role should both be allowed to deploy other CloudFormation resources and have the root of the AWS account it gets deployed into as a trusted entity. I am trying to supply the account ID using the built-in pseudo-parameter AWS::AccountId: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/pseudo-parameter-reference.html#cfn-pseudo-param-accountid

Here is what I have tried, following the official doc: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html (just showing the resources section of my CFN template):

Resources:
  IAMRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: ["sts:AssumeRole"]
            Effect: Allow
            Principal:
              Service: [cloudformation.amazonaws.com]
              AWS: arn:aws:iam::AWS::AccountId:root  # <-- ERROR HERE !

This causes a MalformedPolicyDocument error due to an invalid principal in the CloudFormation stack (in the AWS Management Console, under Events):

Invalid principal in policy: "AWS":"arn:aws:iam::AWS::AccountId:root" (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument

I have tried varying the syntax for the AWS Principal's value:

  • with and without quotation marks
  • with and without square brackets

Where is the error in the Principal, and how can it be corrected?

We need to use the intrinsic function !Sub for variables like AWS::Region, AWS::AccountId, AWS::StackName, etc.

AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
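To make the difference between the two principals concrete, here is an added example (not part of the question or answer above) that renders a trust policy the way CloudFormation does and then checks every AWS principal against the account-root ARN shape. It uses the JSON long form Fn::Sub, which is what the YAML !Sub short form expands to, and it models only pseudo-parameter substitution, not the full Fn::Sub feature set. The pseudo-parameter values (account ID 123456789012, region, stack name) are constructed placeholders; CloudFormation supplies the real ones at deploy time, and the helper names resolve_sub, render and check_aws_principals are mine.

```python
import re
from typing import Any

# Constructed sample pseudo-parameter values. 123456789012 is a placeholder,
# not a real account; CloudFormation fills these in at deploy time.
PSEUDO_PARAMS = {
    "AWS::AccountId": "123456789012",
    "AWS::Region": "eu-west-1",
    "AWS::StackName": "iam-deployer",
}

# An account-root principal ARN: the account field must be exactly 12 digits.
# The literal "arn:aws:iam::AWS::AccountId:root" fails this because the name
# of the pseudo-parameter, not its value, lands in the account field.
ROOT_PRINCIPAL_RE = re.compile(r"^arn:aws:iam::(\d{12}):root$")

# ${Name} placeholders inside an Fn::Sub string.
_PLACEHOLDER_RE = re.compile(r"\$\{([A-Za-z0-9:]+)\}")


def resolve_sub(value: str, params: dict = PSEUDO_PARAMS) -> str:
    """Expand ${Name} placeholders as Fn::Sub does for pseudo-parameters."""
    def repl(m: re.Match) -> str:
        name = m.group(1)
        if name not in params:
            raise KeyError(f"unknown parameter in Fn::Sub: {name}")
        return params[name]
    return _PLACEHOLDER_RE.sub(repl, value)


def render(node: Any, params: dict = PSEUDO_PARAMS) -> Any:
    """Walk a template fragment and expand {"Fn::Sub": "..."} nodes (the long
    form of YAML's !Sub). Every other node is copied through unchanged, so a
    plain string such as the one in the question is left exactly as written."""
    if isinstance(node, dict):
        if set(node) == {"Fn::Sub"} and isinstance(node["Fn::Sub"], str):
            return resolve_sub(node["Fn::Sub"], params)
        return {k: render(v, params) for k, v in node.items()}
    if isinstance(node, list):
        return [render(v, params) for v in node]
    return node


def check_aws_principals(policy_doc: dict) -> list:
    """Return one problem string per AWS principal that is not a valid
    account-root ARN. An empty list means every AWS principal passed."""
    problems = []
    for stmt in policy_doc.get("Statement", []):
        aws = stmt.get("Principal", {}).get("AWS", [])
        for arn in ([aws] if isinstance(aws, str) else aws):
            if not ROOT_PRINCIPAL_RE.match(arn):
                problems.append(f"invalid principal: {arn!r}")
    return problems


def assume_role_policy(aws_principal: Any) -> dict:
    """The trust policy from the question, parameterised on the AWS principal."""
    return {
        "Statement": [{
            "Action": ["sts:AssumeRole"],
            "Effect": "Allow",
            "Principal": {
                "Service": ["cloudformation.amazonaws.com"],
                "AWS": aws_principal,
            },
        }]
    }


# The literal from the question: the pseudo-parameter name is never expanded.
BROKEN = assume_role_policy("arn:aws:iam::AWS::AccountId:root")
# The accepted answer's !Sub, written in its JSON long form Fn::Sub.
FIXED = assume_role_policy({"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"})


def main() -> None:
    for label, doc in (("broken", BROKEN), ("fixed", FIXED)):
        rendered = render(doc)
        principal = rendered["Statement"][0]["Principal"]["AWS"]
        print(label, principal, check_aws_principals(rendered) or "ok")


if __name__ == "__main__":
    main()
```

Running the script prints the unexpanded literal for the broken variant along with its problem entry, and the 12-digit account-root ARN with "ok" for the fixed one. The same check_aws_principals pass can be run over a rendered template before deployment to catch a trust policy whose principal would be rejected by IAM, or one that unintentionally trusts a different account than the deploying one.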
