CloudFormation: how to reference a managed policy from another stack

I have the following role. From inside it, I want to use an existing managed policy from another stack.

How can I do this?

    "TestRole": {
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": [ "sts:AssumeRole" ],
              "Effect": "Allow",
              "Principal": { "Service": [ "lambda.amazonaws.com" ] }
            }
          ],
          "Version": "2012-10-17"
        },
        "Path": "/lambda/",
        "Policies": [ ?????? ]
      },
      "Type": "AWS::IAM::Role"
    }
amazon-iam amazon-cloudformation
2 answers

There is now a supported method for this, using Import / Export. Basically, the stack that creates the policy has an output containing the name of the policy (or ARN, not sure what is needed in this case) and declares it as an export with a name that is unique within the region. Other stacks can then consume it using the import function.

For example, if the following stack (let's say it's called FooStack) creates a managed policy, it might have this in its Outputs:

    "Outputs": {
      "MyManagedPolicy": {
        "Value": { "Ref": "MyManagedPolicy" },
        "Export": { "Name": { "Fn::Sub": "${AWS::StackName}-MyManagedPolicy" } }
      }
    }

Another stack may use it:

    "ManagedPolicyArns": [ { "Fn::ImportValue": "FooStack-MyManagedPolicy" } ]

According to the docs for the CloudFormation Ref function, you should be able to use it to get a managed policy resource through its logical name.

For example:

    "ManagedPolicyArns": [ { "Ref": "MyManagedPolicy" } ]

where "MyManagedPolicy" is the logical name of the resource defined in your CF template:

    "MyManagedPolicy": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "Description": String,
        "Groups": [ String, ... ],
        "Path": String,
        "PolicyDocument": JSON object,
        "Roles": [ String, ... ],
        "Users": [ String, ... ]
      }
    }

Hope this helps?

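As an added example (not part of the question or either answer above), the script below models both approaches end to end: a producer stack whose Outputs export the managed policy's ARN under a "${AWS::StackName}-..." name, and a consumer stack whose role imports that ARN with Fn::ImportValue. It also checks one point both answers leave implicit: on AWS::IAM::Role, managed policy ARNs belong in ManagedPolicyArns, while Policies is only for inline policy objects (PolicyName plus PolicyDocument), so an import placed under Policies is flagged. The account id and the physical policy name are constructed placeholders (CloudFormation assigns the real physical name at deploy time), and only the Ref, Fn::Sub (string form) and Fn::ImportValue intrinsics are modelled.

```python
"""Added example: resolve a cross-stack managed policy reference and validate
where it is attached. ACCOUNT_ID and the physical policy name are constructed;
only Ref, Fn::Sub (string form) and Fn::ImportValue are modelled."""
import re

ACCOUNT_ID = "123456789012"  # constructed sample account id

# Producer stack ("FooStack"): creates the managed policy and exports its ARN.
PRODUCER_TEMPLATE = {
    "Resources": {
        "MyManagedPolicy": {
            "Type": "AWS::IAM::ManagedPolicy",
            "Properties": {
                "Path": "/lambda/",
                "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                    {"Effect": "Allow", "Resource": "*",
                     "Action": ["logs:CreateLogStream", "logs:PutLogEvents"]}]},
            },
        }
    },
    "Outputs": {
        "MyManagedPolicy": {
            "Value": {"Ref": "MyManagedPolicy"},
            "Export": {"Name": {"Fn::Sub": "${AWS::StackName}-MyManagedPolicy"}},
        }
    },
}

# Consumer stack: the role from the question, importing the ARN into ManagedPolicyArns.
CONSUMER_ROLE = {
    "Type": "AWS::IAM::Role",
    "Properties": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["sts:AssumeRole"],
             "Principal": {"Service": ["lambda.amazonaws.com"]}}]},
        "Path": "/lambda/",
        "ManagedPolicyArns": [{"Fn::ImportValue": "FooStack-MyManagedPolicy"}],
    },
}


def managed_policy_arn(template, logical_id, stack_name):
    """Ref on an AWS::IAM::ManagedPolicy resource returns the policy ARN."""
    res = template["Resources"][logical_id]
    if res["Type"] != "AWS::IAM::ManagedPolicy":
        raise ValueError(f"{logical_id} is not an AWS::IAM::ManagedPolicy")
    path = res["Properties"].get("Path", "/")
    physical_name = f"{stack_name}-{logical_id}-CONSTRUCTED"  # placeholder physical name
    return f"arn:aws:iam::{ACCOUNT_ID}:policy{path}{physical_name}"


def resolve(node, template, stack_name, exports):
    """Recursively resolve Ref / Fn::Sub / Fn::ImportValue inside a template fragment."""
    if isinstance(node, dict) and len(node) == 1:
        (key, arg), = node.items()
        if key == "Ref":
            return stack_name if arg == "AWS::StackName" else managed_policy_arn(template, arg, stack_name)
        if key == "Fn::Sub":  # substitute ${Name} with the value Ref would give for Name
            return re.sub(r"\$\{([^}]+)\}",
                          lambda m: resolve({"Ref": m.group(1)}, template, stack_name, exports), arg)
        if key == "Fn::ImportValue":
            name = resolve(arg, template, stack_name, exports)
            if name not in exports:  # export names are unique per account and region
                raise KeyError(f"no export named {name!r} in this account/region")
            return exports[name]
    if isinstance(node, dict):
        return {k: resolve(v, template, stack_name, exports) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, template, stack_name, exports) for v in node]
    return node


def collect_exports(template, stack_name):
    """Build the {export name: value} map a deployed producer stack would publish."""
    exports = {}
    for out in template.get("Outputs", {}).values():
        if "Export" not in out:
            continue
        name = resolve(out["Export"]["Name"], template, stack_name, {})
        if name in exports:
            raise ValueError(f"duplicate export name {name!r}")
        exports[name] = resolve(out["Value"], template, stack_name, {})
    return exports


def validate_role_properties(props):
    """Policies must hold inline policy objects; ManagedPolicyArns must hold IAM policy ARNs."""
    problems = []
    for p in props.get("Policies", []):
        if not (isinstance(p, dict) and {"PolicyName", "PolicyDocument"} <= set(p)):
            problems.append(f"Policies entry is not an inline policy object: {p!r}")
    for arn in props.get("ManagedPolicyArns", []):
        if not (isinstance(arn, str) and arn.startswith("arn:aws:iam::")):
            problems.append(f"ManagedPolicyArns entry is not an IAM policy ARN: {arn!r}")
    return problems


def attach_cross_stack_policy(role, producer_template, producer_stack_name):
    """Resolve the consumer role against the producer's exports; returns (props, problems)."""
    exports = collect_exports(producer_template, producer_stack_name)
    props = resolve(role["Properties"], None, "ConsumerStack", exports)
    return props, validate_role_properties(props)


if __name__ == "__main__":
    props, problems = attach_cross_stack_policy(CONSUMER_ROLE, PRODUCER_TEMPLATE, "FooStack")
    print(props["ManagedPolicyArns"], problems)
```

Deploying the producer with a different stack name (so the export becomes "BarStack-MyManagedPolicy") makes the import fail with a missing-export error, which mirrors what CloudFormation does at stack creation time; the same-stack Ref form from the second answer is the value the producer's Outputs resolve to before it is exported.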
