Unable to write policy document in AWS CDK using Python

42
December 10, 2019, at 10:30 PM

Hi, I am working on AWS CDK. I am trying to create a policy. Below is my code.

from aws_cdk import aws_iam as iam  # CDK v1 import used by the code below

MWSECSServiceRole = iam.Role(self, 'MWSECSServiceRole',
                             assumed_by=iam.ServicePrincipal('ecs.amazonaws.com'))
# "{AccountId}" in the ARNs below is literal text; nothing substitutes an account ID into it.
MWSECSServiceRole.add_to_policy(iam.PolicyStatement(
    effect=iam.Effect.ALLOW,
    resources=["arn:aws:elasticloadbalancing:*:{AccountId}:loadbalancer/app/mws-*",
               "arn:aws:elasticloadbalancing:*:{AccountId}:listener-rule/app/mws-*",
               "arn:aws:elasticloadbalancing:*:{AccountId}:listener/app/mws-*",
               "arn:aws:elasticloadbalancing:*:{AccountId}:targetgroup/mws-*"],
    actions=["elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
             "elasticloadbalancing:DeregisterTargets",
             "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
             "elasticloadbalancing:RegisterTargets"]
))
MWSECSServiceRole.add_to_policy(iam.PolicyStatement(
    effect=iam.Effect.ALLOW,
    resources=["*"],
    actions=["ec2:AuthorizeSecurityGroupIngress", "ec2:Describe*", "elasticloadbalancing:Describe*"]
))

Which generates the CloudFormation template below.

MWSECSServiceRoleDefaultPolicyD5E258B0:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
              - elasticloadbalancing:DeregisterTargets
              - elasticloadbalancing:RegisterInstancesWithLoadBalancer
              - elasticloadbalancing:RegisterTargets
            Effect: Allow
            Resource:
              - arn:aws:elasticloadbalancing:*:{AccountId}:loadbalancer/app/mws-*
              - arn:aws:elasticloadbalancing:*:{AccountId}:listener-rule/app/mws-*
              - arn:aws:elasticloadbalancing:*:{AccountId}:listener/app/mws-*
              - arn:aws:elasticloadbalancing:*:{AccountId}:targetgroup/mws-*
          - Action:
              - ec2:AuthorizeSecurityGroupIngress
              - ec2:Describe*
              - elasticloadbalancing:Describe*
            Effect: Allow
            Resource: "*"
        Version: "2012-10-17"
      PolicyName: MWSECSServiceRoleDefaultPolicyD5E258B0
      Roles:
        - Ref: MWSECSServiceRole966AC1F9
    Metadata:
      aws:cdk:path: LocationCdkStack-cdkstack/MWSECSServiceRole/DefaultPolicy/Resource

When I try to deploy, it throws the error below.

The policy failed legacy parsing (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: e54462f7-f0bc-4a8c-9ec4-9530125113ec)

Can someone help me identify this issue? Any help would be appreciated. Thanks.

Answer 1

I suggest you build your ARN using Stack.format_arn:

from aws_cdk import core  # CDK v1

# Partition, region and account are filled in from the enclosing stack unless given explicitly.
my_resource = core.Stack.of(self).format_arn(
    service="elasticloadbalancing",
    resource="loadbalancer",
    resource_name="app/mws-*"
)

See also ARN Manipulation.

Alternatively you can concatenate string and use core.Stack.of(self).account:

# core.Stack.of(self).account resolves to the stack's account ID at deploy time
my_resource = "arn:aws:elasticloadbalancing:*:" + core.Stack.of(self).account + ":loadbalancer/app/mws-*"
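As an added example (not part of the question or the answer above), the following plain-Python snippet does two things a practitioner would want before running `cdk deploy`: it builds the Elastic Load Balancing v2 ARNs with a real account ID substituted, and it lints a synthesized policy document for `Resource` entries that still carry a literal `{...}` placeholder or otherwise do not look like an ARN, which is the kind of string IAM rejects as malformed. It uses only the standard library, so it runs without the CDK installed. The policy dict is the one synthesized above, re-typed by hand, and the 12-digit account ID is a constructed example value.

```python
import re
from typing import Dict, Iterable, List

# Matches a literal, unsubstituted template placeholder such as "{AccountId}".
# A valid IAM ARN never contains braces, so any match is a bug in the code that
# built the policy rather than a real resource.
_PLACEHOLDER = re.compile(r"\{[A-Za-z_][A-Za-z0-9_]*\}")

# Loose ARN shape: arn:partition:service:region:account:resource
# region and account may be "*" (or empty) for services that allow it.
_ARN = re.compile(
    r"^arn:(?P<partition>aws[a-zA-Z-]*|\*):(?P<service>[a-z0-9-]+):"
    r"(?P<region>[a-z0-9-]*|\*):(?P<account>\d{12}|\*|):(?P<resource>.+)$"
)


def elbv2_arn(account: str, resource_type: str, name: str,
              region: str = "*", partition: str = "aws") -> str:
    """Build an Elastic Load Balancing v2 ARN with the account substituted.

    resource_type is e.g. "loadbalancer/app", "listener/app" or "targetgroup".
    region defaults to "*" to match the wildcard used in the question.
    """
    if not (account == "*" or (account.isdigit() and len(account) == 12)):
        raise ValueError(f"account must be a 12-digit ID or '*', got {account!r}")
    return f"arn:{partition}:elasticloadbalancing:{region}:{account}:{resource_type}/{name}"


def _resources(statement: Dict) -> Iterable[str]:
    """Normalise a statement's Resource field (string or list) to a list."""
    res = statement.get("Resource", [])
    return [res] if isinstance(res, str) else res


def find_bad_arns(policy_document: Dict) -> List[str]:
    """Return every Resource entry that still holds a {Placeholder} or is not ARN-shaped.

    "*" is allowed as-is. An empty result means the resources look well-formed;
    it does not say anything about whether the grants are appropriately scoped.
    """
    bad = []
    for stmt in policy_document.get("Statement", []):
        for arn in _resources(stmt):
            if arn == "*":
                continue
            if _PLACEHOLDER.search(arn) or not _ARN.match(arn):
                bad.append(arn)
    return bad


# Constructed sample: the document synthesized in the question, with the
# literal "{AccountId}" placeholders still in place.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["elasticloadbalancing:RegisterTargets",
                       "elasticloadbalancing:DeregisterTargets"],
            "Resource": [
                "arn:aws:elasticloadbalancing:*:{AccountId}:loadbalancer/app/mws-*",
                "arn:aws:elasticloadbalancing:*:{AccountId}:targetgroup/mws-*",
            ],
        },
        {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
    ],
}

# Same document with a constructed 12-digit account ID filled in.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": BROKEN_POLICY["Statement"][0]["Action"],
            "Resource": [
                elbv2_arn("123456789012", "loadbalancer/app", "mws-*"),
                elbv2_arn("123456789012", "targetgroup", "mws-*"),
            ],
        },
        BROKEN_POLICY["Statement"][1],
    ],
}

if __name__ == "__main__":
    print("broken:", find_bad_arns(BROKEN_POLICY))
    print("fixed: ", find_bad_arns(FIXED_POLICY))
```

Running `find_bad_arns` over the output of `cdk synth` (or over the `PolicyDocument` of each `AWS::IAM::Policy` in the template) catches the leftover placeholder locally instead of at deploy time, when IAM only reports a generic `MalformedPolicyDocument`.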