Politicization failed
I am trying to create an IAM role on AWS, but while creating it I am getting the error
"While processing your request, we encountered the following errors: Permission problem for the role. The role will be created without permission. Politicization failed in parsing."
{"Version": "2012-10-17", "Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:*:*:*"
},
{
"Action": [
"sqs:SendMessage",
"sqs:GetQueueUrl"
],
"Effect": "Allow",
"Resource": "arn:aws:sqs:ap-northeast-1:SOME_ID_HERE:test-messages"
}]}
I got this error and couldn't figure it out. A colleague and I pored over it, and then we noticed that I had left the substitution variable without Fn::Sub, for example
"Resource": "arn:aws:logs::${AWS::AccountId}:*"
will throw this error, and of course it should be
"Resource": { "Fn::Sub": "arn:aws:logs::${AWS::AccountId}:*" }
By the way, in my experience, I agree with EJ Brennan above: you cannot use a wildcard for the region; instead leave this field blank as I did there.
I don't think you can wildcard the region in the ARN, so you might need something like this:
arn:aws:logs:us-east-1:*:*
where you put the region that you are using instead of us-east-1.
More information here:
http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-cloudwatch-logs
One of the problems that can arise is with CloudWatch Logs. Their ARNs can have six colons because there is additional information between the log group and the log stream. For example:
"Resource": "arn:aws:logs:us-west-2:123456789012:/my/log/group:log-stream"
or for your case:
"Resource": "arn:aws:logs:*:*:*:*"
I found that some ARNs, like the more specific example above, give this error if the 6th ":" is not added. I understand this is contrary to the docs (including the doc provided by EJ), so it might be a bug in AWS somewhere:
http://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/iam-identity-based-access-control-cwl.html
I think you could do
"Resource": "arn:aws:logs:us-west-2:123456789012:*"
but if not, you can map your regions to account ids in a Mapping:
"mAWSRegionToAccountsMap": {
"us-west-2": {
"prod": "444444444673",
"dev": "678333333333"
},
"us-gov-west-1": {
"dev": "12345678903",
"prod": "234345345345"
}
}
Then we join the mapping lookup into the ARN with Fn::Join, using ":" as the separator:
"Resource": {
"Fn::Join": [
":",
[
"arn:aws:logs",
{
"Ref": "AWS::Region"
},
{
"Fn::FindInMap": [
"mAWSRegionToAccountsMap", {
"Ref": "AWS::Region"
},
"prod"
]
},
"/*"
]
]
}
You may need to change the ending.
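Added example (not code from any of the answers above): a small Python resolver for the intrinsics the answers use (Ref, Fn::Sub, Fn::Join, Fn::FindInMap), plus a lint that flags the two shapes that produce this error: a "${...}" left in a plain string without Fn::Sub, and a Resource that does not resolve to an ARN of at least six colon-separated fields (arn:partition:service:region:account:resource). The pseudo-parameter values, the Mappings contents and the sample policy are constructed so it runs offline; they are not real accounts.

```python
import re

# Constructed pseudo-parameter values so the resolver runs offline
# (assumption: any 12-digit string stands in for a real account id).
PSEUDO = {
    "AWS::Region": "us-west-2",
    "AWS::AccountId": "123456789012",
    "AWS::Partition": "aws",
}

# Constructed Mappings section in the shape of the mAWSRegionToAccountsMap answer.
MAPPINGS = {
    "mAWSRegionToAccountsMap": {
        "us-west-2": {"prod": "444444444673", "dev": "678333333333"},
    }
}

SUB_VAR = re.compile(r"\$\{([^}]+)\}")


def resolve(node, pseudo=PSEUDO, mappings=MAPPINGS):
    """Evaluate Ref, Fn::Sub, Fn::Join and Fn::FindInMap recursively.

    Only the intrinsics used in the thread are handled; anything else is
    returned unchanged, so a bare string stays a bare string (which is
    exactly why a ${...} inside one never gets substituted).
    """
    if isinstance(node, list):
        return [resolve(n, pseudo, mappings) for n in node]
    if not isinstance(node, dict):
        return node
    if "Ref" in node:
        return pseudo[node["Ref"]]
    if "Fn::Sub" in node:
        spec = node["Fn::Sub"]
        if isinstance(spec, str):
            template, extra = spec, {}
        else:  # two-element form: [template, {Var: value}]
            template, extra = spec[0], resolve(spec[1], pseudo, mappings)
        scope = {**pseudo, **extra}
        return SUB_VAR.sub(lambda m: str(scope[m.group(1)]), template)
    if "Fn::Join" in node:
        sep, parts = node["Fn::Join"]
        return sep.join(str(resolve(p, pseudo, mappings)) for p in parts)
    if "Fn::FindInMap" in node:
        name, key1, key2 = (resolve(x, pseudo, mappings) for x in node["Fn::FindInMap"])
        return mappings[name][key1][key2]
    return {k: resolve(v, pseudo, mappings) for k, v in node.items()}


def lint_resource(raw):
    """Return problems for one Resource entry in its template form (before resolution)."""
    if isinstance(raw, str) and SUB_VAR.search(raw):
        # A ${...} inside a plain string is passed to IAM literally, and IAM
        # then rejects the policy document as unparseable.
        return ["unresolved ${...} in a plain string; wrap the value in Fn::Sub"]
    value = resolve(raw)
    if not isinstance(value, str):
        return [f"Resource did not resolve to a string: {value!r}"]
    if value == "*":
        return []
    fields = value.split(":")
    if fields[0] != "arn" or len(fields) < 6:
        return [f"not a valid ARN (need arn:partition:service:region:account:resource): {value}"]
    return []


def lint_policy(policy):
    """Lint every Resource of every Statement in a policy document (a dict)."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        resources = stmt.get("Resource", [])
        if not isinstance(resources, list):
            resources = [resources]
        for res in resources:
            for problem in lint_resource(res):
                findings.append((index, problem))
    return findings


if __name__ == "__main__":
    # Constructed policy: the first statement has the bug, the second the fix.
    policy = {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "logs:PutLogEvents",
             "Resource": "arn:aws:logs::${AWS::AccountId}:*"},
            {"Effect": "Allow", "Action": "logs:PutLogEvents",
             "Resource": {"Fn::Sub": "arn:aws:logs::${AWS::AccountId}:*"}},
        ],
    }
    for stmt_index, problem in lint_policy(policy):
        print(f"Statement[{stmt_index}]: {problem}")
```

Running it prints one finding for Statement[0] and none for Statement[1]; the resolver also turns the Fn::Join/Fn::FindInMap construction above into a concrete ARN, so you can check the result before deploying the template rather than after IAM rejects it.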
A funny new error state I found today:
If:
- you have a CFN template where you provide the account id via a parameter
- and you use the Default property of the parameter to provide the account id
- and the account id starts with 0
CFN will actually read the parameter as an integer (and cast it to 9.3476294382E10), regardless of whether you have Type: String in the parameter or use !!str to cast it explicitly.
So the solution is to manually provide the parameter at deployment instead of using the value from Default: "093476294382".
Hope I can save someone else.
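Added example (not code from the answer above): a Python check for a template's Parameters entry that holds an account id. It models the failure mode the answer describes (the Default read as a number, which drops the leading zero and leaves 11 digits) and reports what a defender would want in the template: Type String, an AllowedPattern of twelve digits so an 11-digit value is rejected at deploy time, and a warning when a Default starts with 0. The parameter dicts and the 093476294382 value are taken from the answer as constructed sample input; AllowedPattern is a real CloudFormation parameter property.

```python
import re

# Anchored 12-digit pattern: an account id that lost its leading zero has
# 11 digits and cannot match.
ACCOUNT_ID_PATTERN = r"^[0-9]{12}$"
ACCOUNT_ID = re.compile(ACCOUNT_ID_PATTERN)


def coerce_like_a_number(value):
    """Model the failure mode from the answer: the default is read as a number.

    int() discards the leading zero, so "093476294382" comes back as
    "93476294382" (11 digits) and no longer names the intended account.
    """
    return str(int(value))


def check_account_id_parameter(name, param):
    """Return findings for one entry of a template's Parameters section (a dict)."""
    findings = []
    if param.get("Type") != "String":
        findings.append(f"{name}: Type must be String, got {param.get('Type')!r}")
    if param.get("AllowedPattern") != ACCOUNT_ID_PATTERN:
        findings.append(f"{name}: set AllowedPattern to {ACCOUNT_ID_PATTERN!r} so a "
                        "value that lost its leading zero is rejected at deploy time")
    default = param.get("Default")
    if default is None:
        return findings
    if not isinstance(default, str) or not ACCOUNT_ID.match(default):
        findings.append(f"{name}: Default {default!r} is not a 12-digit string")
    elif default.startswith("0"):
        findings.append(f"{name}: Default starts with 0; pass the value explicitly "
                        "at deploy time instead of relying on Default")
    return findings


if __name__ == "__main__":
    # Constructed Parameters entries: the shape from the answer, then a safer one.
    risky = {"Type": "String", "Default": "093476294382"}
    safer = {"Type": "String", "AllowedPattern": ACCOUNT_ID_PATTERN}
    print("coerced:", coerce_like_a_number("093476294382"))
    for finding in check_account_id_parameter("AccountId", risky):
        print(finding)
    print("safer findings:", check_account_id_parameter("AccountId", safer))
```

The safer shape has no Default at all, so the account id must be supplied when the stack is created, and the AllowedPattern turns a silently truncated value into a stack validation error instead of a role that points at the wrong account.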