CloudFormation YAML - IAM policy with a statement that has a condition
Question
I have an IAM Policy that was created automatically when creating another resource in the AWS Console. I'm trying to add this into an existing CloudFormation stack.
The policy has the following statement, which contains a "Condition" property:
{
"Sid": "DecryptSecretValue",
"Action": [
"kms:Decrypt"
],
"Effect": "Allow",
"Resource": [
"arn:aws:kms:MyRegion:MyAccountId:key/4f402c6e-9624-40a4-8d4d-c0f2efe88602"
],
"Condition": {
"StringEquals": {
"kms:ViaService": "secretsmanager.eu-west-1.amazonaws.com"
}
}
}
How should this be structured in a CloudFormation YAML template? So far I have:
Statement:
- Effect: Allow
Action: kms:DecryptSecretValue
Resource: arn:aws:kms:MyRegion:MyAccountId:key/4f402c6e-9624-40a4-8d4d-c0f2efe88602
But I dont know how to include the "Condition" property. Any ideas?
1 answers
solution1
0 ACCPTED 2021-05-10 13:22:41
For each level of your json policy you add an indentation on yaml.
So Condition is on the same level of Effect , Resource and Action .
StringEquals is indented from Conditions .
kms:ViaService is indented from StringEquals .
As kms:ViaService has colon ( : ) in the name, you need to add it between quotes.
Statement:
- Effect: Allow
Action: "kms:DecryptSecretValue"
Resource: "arn:aws:kms:MyRegion:MyAccountId:key/4f402c6e-9624-40a4-8d4d-c0f2efe88602"
Condition:
StringEquals:
"kms:ViaService": "secretsmanager.eu-west-1.amazonaws.com"
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.