The following CloudFormation is validated and contains a SESAccessPolicy where some Parameters are passed.
Different Account IDs (for production: XXXXXXXXXXXXX and test: YYYYYYYYYYYYY)
```yaml
Parameters:
  ProdEmailFromAddress:
    Type: String
    Description: "Email address to use as sender"
    Default: "arn:aws:ses:eu-west-1:XXXXXXXXXXXXX:identity/no-reply@company.no"
  TestEmailFromAddress:
    Type: String
    Description: "Email address to use as sender"
    Default: "arn:aws:ses:eu-west-1:YYYYYYYYYYYYY:identity/no-reply@companytest.no"

Conditions:
  IsProductionDeployment: !Equals [!Ref "AWS::AccountId", "XXXXXXXXXXXXX"]

Resources:
  SESAccessPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Permissions to send email from SES
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Action:
              - "ses:SendEmail"
            Resource:
              - !If [IsProductionDeployment, !Ref ProdEmailFromAddress, !Ref TestEmailFromAddress]
```
When updating the Stack we get the following Error Event
Resource no-reply@companytest.no must be in ARN format or "*". (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 7af958ba-9c99-4073-a3b3-4da1b3ae80da; Proxy: null)
Although if I change the Resource at SESAccessPolicy from using a !Ref to a hardcoded string, it works and the stack is deployed.

```yaml
            Resource:
              - !If [IsProductionDeployment, !Ref ProdEmailFromAddress, "arn:aws:ses:eu-west-1:YYYYYYYYYYYYY:identity/no-reply@companytest.no"]
```
I want to use the !Ref and cannot understand why it throws an exception but accepts a String as a ARN.
I have seen a webpage for troubleshooting this case with CloudTrail but cannot find it anymore.
Can someone shed some light into this or point me into the right direction? TIA
We were able to fix it by changing the ARN in the Parameters section, and using a Join as below:
```yaml
Parameters:
  ProdEmailFromAddress:
    Type: String
    Description: "Email address to use as sender"
    Default: "no-reply@company.no"
  TestEmailFromAddress:
    Type: String
    Description: "Email address to use as sender"
    Default: "no-reply@companytest.no"

...

Resources:
  SESAccessPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Permissions to send email from SES
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Action:
              - "ses:SendEmail"
            Resource:
              - !Join [ "", [ !Sub "arn:aws:ses:eu-west-1:${AWS::AccountId}:identity/", !If [ IsProductionDeployment, !Ref ProdEmailFromAddress, !Ref TestEmailFromAddress ] ] ]
```
Thanks
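The error in the question shows the value IAM actually received was the bare address `no-reply@companytest.no`, not the ARN in the parameter's `Default`; CloudFormation retains a stack's previously supplied parameter values on update, so a template default is no guarantee of what a `!Ref` resolves to. The answer's template sidesteps that by assembling the ARN prefix inside the template. The Python script below is an added example, not code from the question, the answer, or AWS: it resolves the intrinsic functions (`Ref`, `Fn::Equals`, `Fn::If`, `Fn::Join`, `Fn::Sub`) of both templates, written in their JSON long form, against concrete parameter values and checks every policy `Resource` against the ARN shape IAM requires, so the `MalformedPolicyDocument` rejection is caught before a stack update. The account IDs are the page's `XXXXXXXXXXXXX`/`YYYYYYYYYYYYY` placeholders, and the overriding parameter value is constructed to reproduce the error.

```python
"""Resolve CloudFormation intrinsics in an IAM policy's Resource list and verify
each value is an ARN or "*" before IAM rejects the template (added example)."""
import re

# IAM's check: a policy Resource must be "*" or arn:partition:service:region:account:resource
ARN_RE = re.compile(r"^arn:[^:]+:[^:]+:[^:]*:[^:]*:.+$")


def resolve(node, params, pseudo, conditions):
    """Evaluate Ref, Fn::Equals, Fn::If, Fn::Join and Fn::Sub (string form) against
    concrete parameter and pseudo-parameter values; other nodes are returned as-is."""
    if isinstance(node, list):
        return [resolve(n, params, pseudo, conditions) for n in node]
    if not isinstance(node, dict) or len(node) != 1:
        return node
    (fn, arg), = node.items()

    def ref(name):
        # Pseudo parameters such as AWS::AccountId are looked up before template parameters.
        if name in pseudo:
            return pseudo[name]
        if params.get(name) is not None:
            return params[name]
        raise KeyError(f"unresolved reference {name}")

    if fn == "Ref":
        return ref(arg)
    if fn == "Fn::Equals":
        left, right = resolve(arg, params, pseudo, conditions)
        return left == right
    if fn == "Fn::If":
        cond_name, when_true, when_false = arg
        chosen = when_true if resolve(conditions[cond_name], params, pseudo, conditions) else when_false
        return resolve(chosen, params, pseudo, conditions)
    if fn == "Fn::Join":
        delimiter, parts = arg
        return delimiter.join(resolve(parts, params, pseudo, conditions))
    if fn == "Fn::Sub":
        return re.sub(r"\$\{([^}]+)\}", lambda m: ref(m.group(1)), arg)
    return node


def check_policy_resources(template, params, account_id):
    """Return (resolved_resource, is_arn_or_star) for every Resource of every
    AWS::IAM::ManagedPolicy. `params` overrides the template defaults, just as
    a stack's stored parameter values override them on update."""
    pseudo = {"AWS::AccountId": account_id}
    values = {n: p.get("Default") for n, p in template.get("Parameters", {}).items()}
    values.update(params)
    conditions = template.get("Conditions", {})
    results = []
    for res in template["Resources"].values():
        if res["Type"] != "AWS::IAM::ManagedPolicy":
            continue
        for stmt in res["Properties"]["PolicyDocument"]["Statement"]:
            resolved = resolve(stmt["Resource"], values, pseudo, conditions)
            for r in resolved if isinstance(resolved, list) else [resolved]:
                results.append((r, r == "*" or bool(ARN_RE.match(r))))
    return results


# Condition from the page: production is recognised by the account ID placeholder.
CONDITIONS = {"IsProductionDeployment": {"Fn::Equals": [{"Ref": "AWS::AccountId"}, "XXXXXXXXXXXXX"]}}


def policy_template(parameters, resource):
    """Build the SESAccessPolicy template from the page around one Resource expression."""
    return {"Parameters": parameters, "Conditions": CONDITIONS, "Resources": {
        "SESAccessPolicy": {"Type": "AWS::IAM::ManagedPolicy", "Properties": {
            "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": ["ses:SendEmail"], "Resource": [resource]}]}}}}}


# Question's variant: parameters are expected to carry the whole ARN.
ORIGINAL_TEMPLATE = policy_template(
    {"ProdEmailFromAddress": {"Type": "String",
                              "Default": "arn:aws:ses:eu-west-1:XXXXXXXXXXXXX:identity/no-reply@company.no"},
     "TestEmailFromAddress": {"Type": "String",
                              "Default": "arn:aws:ses:eu-west-1:YYYYYYYYYYYYY:identity/no-reply@companytest.no"}},
    {"Fn::If": ["IsProductionDeployment", {"Ref": "ProdEmailFromAddress"}, {"Ref": "TestEmailFromAddress"}]})

# Answer's variant: parameters carry the bare address, the ARN prefix is built with Fn::Sub.
FIXED_TEMPLATE = policy_template(
    {"ProdEmailFromAddress": {"Type": "String", "Default": "no-reply@company.no"},
     "TestEmailFromAddress": {"Type": "String", "Default": "no-reply@companytest.no"}},
    {"Fn::Join": ["", [{"Fn::Sub": "arn:aws:ses:eu-west-1:${AWS::AccountId}:identity/"},
                       {"Fn::If": ["IsProductionDeployment", {"Ref": "ProdEmailFromAddress"},
                                   {"Ref": "TestEmailFromAddress"}]}]]})

if __name__ == "__main__":
    # Defaults in place: the Ref resolves to the full ARN and passes.
    print(check_policy_resources(ORIGINAL_TEMPLATE, {}, "YYYYYYYYYYYYY"))
    # Stack parameter holding a bare address (constructed to match the question's error): rejected.
    print(check_policy_resources(ORIGINAL_TEMPLATE, {"TestEmailFromAddress": "no-reply@companytest.no"}, "YYYYYYYYYYYYY"))
    # Answer's template: the ARN is assembled in the template, so a bare-address parameter cannot break it.
    print(check_policy_resources(FIXED_TEMPLATE, {}, "XXXXXXXXXXXXX"))
```

Run against the real stack by passing the parameter values from `describe-stacks` rather than the template defaults; that is the value the update will actually use, and the mismatch between the two is exactly what the question's error reports.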