I have an IAM Policy that was created automatically when creating another resource in the AWS Console. I'm trying to add this into an existing CloudFormation stack.
The policy has the following statement, which contains a "Condition" property:
    {
      "Sid": "DecryptSecretValue",
      "Action": [
        "kms:Decrypt"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:kms:MyRegion:MyAccountId:key/4f402c6e-9624-40a4-8d4d-c0f2efe88602"
      ],
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "secretsmanager.eu-west-1.amazonaws.com"
        }
      }
    }
How should this be structured in a CloudFormation YAML template? So far I have:
    Statement:
      - Effect: Allow
        Action: kms:Decrypt  # the action from the JSON policy; DecryptSecretValue is the Sid, not an action
        Resource: arn:aws:kms:MyRegion:MyAccountId:key/4f402c6e-9624-40a4-8d4d-c0f2efe88602
But I don't know how to include the "Condition" property. Any ideas?
For each level of your JSON policy you add an indentation in YAML. So `Condition` is on the same level as `Effect`, `Resource` and `Action`. `StringEquals` is indented from `Condition`. `kms:ViaService` is indented from `StringEquals`. As `kms:ViaService` has a colon (`:`) in the name, you need to put it between quotes.
    Statement:
      - Effect: Allow
        Action: "kms:Decrypt"  # the action from the JSON policy (DecryptSecretValue was its Sid)
        Resource: "arn:aws:kms:MyRegion:MyAccountId:key/4f402c6e-9624-40a4-8d4d-c0f2efe88602"
        Condition:
          StringEquals:
            "kms:ViaService": "secretsmanager.eu-west-1.amazonaws.com"
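To confirm that hand-written YAML really mirrors the JSON policy, here is an added Python example (not code from the question or the answer) that applies the rule the answer gives, one indent level per JSON level and quotes around keys containing a colon, to emit a CloudFormation `Statement:` block from the JSON statement, plus a small structural check. The sample statement is constructed from the question's JSON with the action `kms:Decrypt`; the quoting rule and the `service:Operation` shape check are this example's own assumptions, not AWS-defined validation.

```python
import json, re
# Constructed sample: the statement from the question, with the Action kms:Decrypt.
STATEMENT_JSON = """{"Sid": "DecryptSecretValue", "Effect": "Allow",
  "Action": ["kms:Decrypt"],
  "Resource": ["arn:aws:kms:MyRegion:MyAccountId:key/4f402c6e-9624-40a4-8d4d-c0f2efe88602"],
  "Condition": {"StringEquals": {"kms:ViaService": "secretsmanager.eu-west-1.amazonaws.com"}}}"""
PLAIN = re.compile(r"[A-Za-z][A-Za-z0-9_-]*")       # safe to leave unquoted in YAML
RESERVED = {"true", "false", "null", "yes", "no", "on", "off"}
ACTION = re.compile(r"[a-z0-9-]+:[A-Za-z0-9*]+")      # assumed service:Operation shape

def yaml_scalar(value):
    """Quote anything YAML could misread: ':' (kms:ViaService, ARNs), dots, booleans."""
    text = str(value)
    if PLAIN.fullmatch(text) and text.lower() not in RESERVED:
        return text
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'

def to_yaml(node, indent=0):
    """Emit a dict/list tree as YAML lines; each JSON nesting level is one indent level."""
    pad, lines = "  " * indent, []
    if isinstance(node, dict):
        for key, value in node.items():
            if isinstance(value, (dict, list)) and value:
                lines.append(f"{pad}{yaml_scalar(key)}:")
                lines.extend(to_yaml(value, indent + 1))
            else:
                lines.append(f"{pad}{yaml_scalar(key)}: {yaml_scalar(value)}")
    else:  # list: a nested mapping starts on the "- " line, its other keys align under it
        for item in node:
            if isinstance(item, (dict, list)) and item:
                sub = to_yaml(item, indent + 1)
                lines.append(f"{pad}- {sub[0].lstrip()}")
                lines.extend(sub[1:])
            else:
                lines.append(f"{pad}- {yaml_scalar(item)}")
    return lines

def statement_to_cfn_yaml(json_text):
    """Wrap one JSON statement as the Statement list of a CloudFormation PolicyDocument."""
    return "\n".join(["Statement:"] + to_yaml([json.loads(json_text)], 1))

def check_statement(stmt):
    """Flag an Action without the service:Operation shape, or a malformed Condition."""
    actions = stmt.get("Action", [])
    actions = [actions] if isinstance(actions, str) else actions
    problems = [f"Action {a!r} is not service:Operation" for a in actions if not ACTION.fullmatch(a)]
    cond = stmt.get("Condition", {})
    if not (isinstance(cond, dict) and all(isinstance(v, dict) for v in cond.values())):
        problems.append("Condition must map operators to {conditionKey: value}")
    return problems
```

Paste the emitted lines under `PolicyDocument:` in the template; the quoted `"kms:ViaService"` key is exactly the one the answer calls out.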