I created an IAM group in CloudFormation using the code below.
${aws:username} is one of the policy variables from the available request information in the IAM policy elements documentation linked below.
Is there a way to use a variable instead of a literal for the AWS account ID?
I tried the following, but neither of them worked.
  Resource: "arn:aws:iam::${aws:userid}:user/${aws:username}"
This policy variable may not work because ${aws:userid} returns the IAM user's unique ID rather than the AWS account ID, but I did not know how to verify that.
  Resource: !Sub "arn:aws:iam::${AWS::AccountId}:user/${aws:username}"
I used the CloudFormation pseudo parameter, but I got an error because it uses the same ${} notation as the policy variable.
  Type: "AWS::IAM::Group"
  Properties:
    GroupName: "Users"
    Policies:
      - PolicyName: group-user-policy
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - "iam:GetAccountPasswordPolicy"
              Resource: "*"
            - Effect: Allow
              Action:
                - "iam:ChangePassword"
              Resource: "arn:aws:iam::1234567890:user/${aws:username}"
I think it is possible to use the CloudFormation Fn::Join function.
cfn-iam-group.yml
  AWSTemplateFormatVersion: "2010-09-09"
  Description: A sample template
  Parameters:
    IAMUserArn:
      Type: String
      Default: arn:aws:iam::1234567890:user/user-name
  Resources:
    IAMGroup:
      Type: "AWS::IAM::Group"
      Properties:
        GroupName: "Users"
        Policies:
          - PolicyName: group-user-policy
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: Allow
                  Action:
                    - "iam:GetAccountPasswordPolicy"
                  Resource: "*"
                - Effect: Allow
                  Action:
                    - "iam:ChangePassword"
                  Resource: !Join
                    - ''
                    - - 'arn:aws:iam::'
                      - !Sub "${AWS::AccountId}:"
                      - 'user/${aws:username}'
  aws cloudformation deploy \
    --template-file ./cfn-iam-group.yml \
    --stack-name cfn-iam-group \
    --capabilities CAPABILITY_NAMED_IAM \
    --parameter-overrides IAMUserArn="arn:aws:iam::1234567890:user/user-name"
Fn::Join concatenates the array of strings given to it, and Fn::Sub resolves AWS::AccountId in just one element of that array, so the ${aws:username} element is passed through literally.
The IAM group has been created and we have verified that the following policy is attached:
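To show why the !Join form in this answer survives deployment while the single !Sub form in the question does not, here is a small Python evaluator for Fn::Sub and Fn::Join written for this post (it is not CloudFormation's own code; the account ID is a constructed placeholder). It also shows CloudFormation's documented ${!Name} escape as a second way to keep the policy variable literal.

```python
import re

# Constructed pseudo-parameter values; a real stack fills these in at deploy time.
PSEUDO_PARAMS = {"AWS::AccountId": "123456789012"}
_VAR = re.compile(r"\$\{([^}]+)\}")


def fn_sub(template, params):
    """Fn::Sub: ${Name} is replaced from params, ${!Name} is CloudFormation's
    escape for a literal ${Name}, and any other name is an unresolved variable."""
    def repl(m):
        name = m.group(1)
        if name.startswith("!"):
            return "${" + name[1:] + "}"
        if name in params:
            return params[name]
        raise ValueError("Fn::Sub: unresolved variable ${%s}" % name)
    return _VAR.sub(repl, template)


def resolve(node, params=PSEUDO_PARAMS):
    """Minimal evaluator for the two intrinsic functions used in the template."""
    if isinstance(node, dict) and len(node) == 1:
        key, arg = next(iter(node.items()))
        if key == "Fn::Sub":
            return fn_sub(arg, params)
        if key == "Fn::Join":
            delim, parts = arg
            return delim.join(resolve(p, params) for p in parts)
    return node


# The answer's !Join form in long syntax (YAML !Sub "x" is {"Fn::Sub": "x"}):
# only the account-id element goes through Fn::Sub; the policy variable stays literal.
JOIN_RESOURCE = {"Fn::Join": ["", [
    "arn:aws:iam::", {"Fn::Sub": "${AWS::AccountId}:"}, "user/${aws:username}"]]}

# The question's single !Sub form: Fn::Sub also tries to substitute ${aws:username}.
NAIVE_RESOURCE = {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:user/${aws:username}"}

# Equivalent alternative: the ${!...} escape keeps the IAM policy variable literal.
ESCAPED_RESOURCE = {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:user/${!aws:username}"}


def rendered_join():
    return resolve(JOIN_RESOURCE)  # arn:aws:iam::123456789012:user/${aws:username}


def rendered_escaped():
    return resolve(ESCAPED_RESOURCE)


def naive_fails():
    try:
        resolve(NAIVE_RESOURCE)
    except ValueError:
        return True
    return False
```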