
Resource must be in ARN format or "*"

The following CloudFormation template is validated and contains an SESAccessPolicy where some Parameters are passed.

There are different Account IDs (production: XXXXXXXXXXXXX, test: YYYYYYYYYYYYY).

Parameters:

  ProdEmailFromAddress:
    Type: String
    Description: "Email address to use as sender"
    Default: "arn:aws:ses:eu-west-1:XXXXXXXXXXXXX:identity/no-reply@company.no"

  TestEmailFromAddress:
    Type: String
    Description: "Email address to use as sender"
    Default: "arn:aws:ses:eu-west-1:YYYYYYYYYYYYY:identity/no-reply@companytest.no"

Conditions:
  IsProductionDeployment: !Equals [!Ref "AWS::AccountId", "XXXXXXXXXXXXX"]

Resources:
  SESAccessPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Permissions to send email from SES
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Action:
              - "ses:SendEmail"
            Resource:
              # The selected parameter value is used as-is, so it must already be an ARN.
              - !If [IsProductionDeployment, !Ref ProdEmailFromAddress, !Ref TestEmailFromAddress]

When updating the stack we get the following error event:

Resource no-reply@companytest.no must be in ARN format or "*". (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 7af958ba-9c99-4073-a3b3-4da1b3ae80da; Proxy: null)

However, if I change the Resource in SESAccessPolicy from using a !Ref to a hardcoded string, it works and the stack is deployed.

Resource:
  - !If [IsProductionDeployment, !Ref ProdEmailFromAddress, "arn:aws:ses:eu-west-1:YYYYYYYYYYYYY:identity/no-reply@companytest.no"]

I want to use the !Ref and cannot understand why it throws an exception but accepts a string as an ARN.

I have seen a webpage for troubleshooting this case with CloudTrail but cannot find it anymore.

Can someone shed some light on this or point me in the right direction? TIA

We were able to fix it by changing the ARN in the Parameters section and using a Join, as below:

Parameters:

  ProdEmailFromAddress:
    Type: String
    Description: "Email address to use as sender"
    Default: "no-reply@company.no"

  TestEmailFromAddress:
    Type: String
    Description: "Email address to use as sender"
    Default: "no-reply@companytest.no"

  ...

  SESAccessPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Permissions to send email from SES
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Action:
              - "ses:SendEmail"
            Resource:
              # The identity ARN is built in the template from the deploying
              # account ID and the bare address held in the parameter.
              - !Join
                - ""
                - - !Sub "arn:aws:ses:eu-west-1:${AWS::AccountId}:identity/"
                  - !If [IsProductionDeployment, !Ref ProdEmailFromAddress, !Ref TestEmailFromAddress]

Thanks
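An added example, not code from the question or the answer above: a Python model of how CloudFormation resolves the two templates on this page, and of the IAM check behind the MalformedPolicyDocument error. The error text in the question shows the bare address no-reply@companytest.no as the Resource, so the example also runs the case where that bare address is supplied as the parameter value at update time, which a !Ref passes straight through into Resource; the answer's template composes the ARN in the template itself, so it yields a valid Resource either way. The intrinsic-function resolver, the ARN regex (a structural approximation of IAM's validator) and the reuse of the page's XXXXXXXXXXXXX / YYYYYYYYYYYYY placeholders as account IDs are assumptions of the example.

```python
"""Added example, not code from the original post: a local pre-check for CloudFormation's
'Resource ... must be in ARN format or "*"' error. It resolves the intrinsic functions the page
uses (Ref, Fn::Equals, Fn::If, Fn::Join, string-form Fn::Sub) and applies the one IAM check the
error comes from. Assumptions: the ARN regex is a structural approximation of IAM's validator,
and the page's XXXXXXXXXXXXX / YYYYYYYYYYYYY placeholders stand in for account IDs."""
import re

# arn:partition:service:region:account:resource (region and account may be empty)
ARN_RE = re.compile(r"^arn:[^:]+:[^:]+:[^:]*:[^:]*:.+$")
PROD_ACCOUNT, TEST_ACCOUNT = "XXXXXXXXXXXXX", "YYYYYYYYYYYYY"


def resolve(node, ctx):
    """Evaluate intrinsics bottom-up. ctx['params'] holds parameter values plus the
    pseudo parameters AWS::AccountId / AWS::Region; ctx['conditions'] the Conditions."""
    if isinstance(node, list):
        return [resolve(n, ctx) for n in node]
    if not isinstance(node, dict):
        return node
    if "Ref" in node:
        return ctx["params"][node["Ref"]]
    if "Fn::Equals" in node:
        left, right = (resolve(n, ctx) for n in node["Fn::Equals"])
        return left == right
    if "Fn::If" in node:
        cond_name, if_true, if_false = node["Fn::If"]
        chosen = if_true if resolve(ctx["conditions"][cond_name], ctx) else if_false
        return resolve(chosen, ctx)
    if "Fn::Join" in node:
        delimiter, parts = node["Fn::Join"]
        return delimiter.join(resolve(parts, ctx))
    if "Fn::Sub" in node:  # string form only: ${Name} is looked up in params
        return re.sub(r"\$\{([^}]+)\}", lambda m: ctx["params"][m.group(1)], node["Fn::Sub"])
    return {key: resolve(value, ctx) for key, value in node.items()}


def check_policy(policy):
    """Return IAM-style error strings for every Resource that is neither an ARN nor '*'."""
    errors = []
    for statement in policy["Statement"]:
        resources = statement["Resource"]
        for res in [resources] if isinstance(resources, str) else resources:
            if res != "*" and not ARN_RE.match(res):
                errors.append(f'Resource {res} must be in ARN format or "*".')
    return errors


def ses_policy(resource_expr):
    """The page's SESAccessPolicy with a pluggable Resource expression."""
    return {"Type": "AWS::IAM::ManagedPolicy", "Properties": {"PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["ses:SendEmail"], "Resource": [resource_expr]}],
    }}}

CHOOSE_ADDRESS = {"Fn::If": ["IsProductionDeployment",
                             {"Ref": "ProdEmailFromAddress"}, {"Ref": "TestEmailFromAddress"}]}
CONDITIONS = {"IsProductionDeployment": {"Fn::Equals": [{"Ref": "AWS::AccountId"}, PROD_ACCOUNT]}}

# Question's template: the parameters default to full ARNs and are used directly.
ORIGINAL = {
    "Parameters": {
        "ProdEmailFromAddress": {"Default": f"arn:aws:ses:eu-west-1:{PROD_ACCOUNT}:identity/no-reply@company.no"},
        "TestEmailFromAddress": {"Default": f"arn:aws:ses:eu-west-1:{TEST_ACCOUNT}:identity/no-reply@companytest.no"},
    },
    "Conditions": CONDITIONS,
    "Resources": {"SESAccessPolicy": ses_policy(CHOOSE_ADDRESS)},
}

# Answer's template: the parameters hold bare addresses and the ARN is composed in place.
FIXED = {
    "Parameters": {
        "ProdEmailFromAddress": {"Default": "no-reply@company.no"},
        "TestEmailFromAddress": {"Default": "no-reply@companytest.no"},
    },
    "Conditions": CONDITIONS,
    "Resources": {"SESAccessPolicy": ses_policy({"Fn::Join": ["", [
        {"Fn::Sub": "arn:aws:ses:eu-west-1:${AWS::AccountId}:identity/"}, CHOOSE_ADDRESS]]})},
}


def evaluate(template, account_id, region="eu-west-1", overrides=None):
    """Resolve SESAccessPolicy's PolicyDocument as a deployment into account_id would;
    overrides models parameter values passed at update time. Returns (policy, errors)."""
    params = {name: spec["Default"] for name, spec in template["Parameters"].items()}
    params.update(overrides or {})
    params["AWS::AccountId"], params["AWS::Region"] = account_id, region
    ctx = {"params": params, "conditions": template["Conditions"]}
    policy = resolve(template["Resources"]["SESAccessPolicy"]["Properties"]["PolicyDocument"], ctx)
    return policy, check_policy(policy)

if __name__ == "__main__":
    for label, template, overrides in [
        ("original, parameter defaults", ORIGINAL, None),
        ("original, bare address passed as parameter", ORIGINAL, {"TestEmailFromAddress": "no-reply@companytest.no"}),
        ("answer's template, parameter defaults", FIXED, None),
    ]:
        policy, errors = evaluate(template, TEST_ACCOUNT, overrides=overrides)
        print(f"{label}: {policy['Statement'][0]['Resource'][0]} -> {errors or 'OK'}")
```

Running the module prints the resolved Resource and the check result for each scenario: the question's template passes with its defaults, reproduces the page's error when the bare address is supplied as the parameter value, and the answer's template passes in both accounts. Two things a practitioner would add to the answer's template: an AllowedPattern on the address parameters, so that a full ARN pasted in by mistake is rejected at validation time instead of being doubled into arn:...:identity/arn:..., and ${AWS::Region} in place of the hard-coded eu-west-1, so the identity ARN follows the region the stack is deployed in.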

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any questions, please contact: yoyou2525@163.com.

© 2020-2024 STACKOOM.COM