
Possible to attach customer-managed policies? #76

Closed
dinvlad opened this issue Jan 28, 2017 · 13 comments

Comments

@dinvlad

dinvlad commented Jan 28, 2017

Hi @sanathkr,

The spec says that Policies can be a string | List of string equal to Names of AWS managed IAM policies. Are there any plans to enable reuse of existing customer-managed policies in SAM templates?

Thanks

EDIT: Please ignore my earlier use case for this regarding separation of concerns. It looks like that's better addressed by Approvals in CodePipeline. I'm keeping this question open now just out of curiosity.

@sanathkr
Contributor

sanathkr commented Jan 30, 2017

You can set Policies to be your IAM Managed Policy ARN. It will work even if the ARN points to a custom managed policy. I guess this needs an example and clarification in the spec.

@dinvlad
Author

dinvlad commented Jan 30, 2017

Thanks, in my tests these policies did not work! I.e. I created them in another template and passed their names as parameters to a SAM template, then referenced these parameters in 'Policies'. The roles created by SAM appear to ignore these, and only attach AWSLambdaBasicExecutionRole and no inline policies, which is why I'm interested if that is supported.

@heitorlessa
Contributor

heitorlessa commented Feb 1, 2017

@dinvlad would you mind sharing the template you're trying to work on?

I've just locally modified and re-run the encryption proxy example adding a custom IAM policy and it worked just fine for me -- IAM Role sample below:

```yaml
EncryptionServiceIAMRole:
    Type: "AWS::IAM::Role"
    Properties:
        Path: "/"
        ManagedPolicyArns:
            - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
            - "arn:aws:iam::<account_number>:policy/PHD-FullAccess-WideOrg" # customer managed policy
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            -
              Sid: "AllowLambdaServiceToAssumeRole"
              Effect: "Allow"
              Action:
                - "sts:AssumeRole"
              Principal:
                Service:
                  - "lambda.amazonaws.com"
```

After deployment, I ran the following command to confirm that policy got attached to this Role:

```
$ aws iam list-attached-role-policies --role-name "encryption-proxy-IAM-EncryptionServiceIAMRole-1UN7Z5T13JN9C"

{
    "AttachedPolicies": [
        {
            "PolicyName": "AWSLambdaBasicExecutionRole",
            "PolicyArn": "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
        },
        {
            "PolicyName": "PHD-FullAccess-WideOrg",
            "PolicyArn": "arn:aws:iam::<account_number>:policy/PHD-FullAccess-WideOrg"
        }
    ]
}
```

@dinvlad
Author

dinvlad commented Feb 1, 2017

Hi @heitorlessa,

The example above is different, because it's passing a role instead of a policy. I was more interested in passing the policies directly, like so (though irl using a separate template to export policy names):

```yaml
Resources:
  CustomerManagedPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyName: CustomerManagedPolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: ec2:DescribeInstances   # IAM action names use service:Action form
            Resource: '*'

  CustomerFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: handler.index
      Runtime: nodejs4.3
      Policies: CustomerManagedPolicy
```

Hope that makes sense.

Best

@ctison

ctison commented Feb 1, 2017

Hi,

I have a problem which seems related.

I have a first stack which contains an AWS::SNS::Topic and an AWS::IAM::ManagedPolicy.
This stack exports the ARN of both resources.

```yaml
Resources:
    Topic:
        Type: AWS::SNS::Topic
    Policy:
        Type: AWS::IAM::ManagedPolicy
        Properties:
            PolicyDocument:
                Version: '2012-10-17'
                Statement:
                    - Effect: Allow
                      Action: sns:Publish
                      Resource: !Ref Topic
Outputs:
    TopicARN:
        Value: !Ref Topic
        Export:
            Name: TopicARN
    PolicyARN:
        Value: !Ref Policy   # Ref on AWS::IAM::ManagedPolicy returns the policy ARN
        Export:
            Name: TopicPolicyARN
```

And the second stack contains an AWS::Serverless::Function.

```yaml
Resources:
    Function:
        Type: AWS::Serverless::Function
        Properties:
            Runtime: python2.7
            CodeUri: lambda.zip
            Handler: lambda.handler
            Policies: !ImportValue TopicPolicyARN
```

When I deploy this stack there is no error, but the policy is not appended to the default created role.
But if I manually put an ARN, it works.

@dinvlad
Author

dinvlad commented Feb 2, 2017

+1, that's how I was trying to do it in a real scenario. Though shouldn't it be policy Name instead of ARN (according to the spec)?

@sanathkr
Contributor

sanathkr commented Feb 2, 2017

@dinvlad You can use the custom policy name in here. IAM wants managed policy's ARN. SAM tries to convert AWS managed policy names to ARNs, but it doesn't know about your custom policies. When #22 is fixed, you can do something like Policies: !GetAtt YourManagedPolicy.Arn.

@ctison Again, due to #22, !ImportValue will not work.

Sorry for the problems. We are working on getting #22 done, which will unblock a lot of use cases. Hang on tight until then :-)
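The two failure modes discussed above (sanathkr: SAM maps AWS managed policy names to ARNs but knows nothing about customer-managed ones, so IAM must be given an ARN; heitorlessa: the only reliable confirmation is `aws iam list-attached-role-policies` on the generated role) can both be turned into checks. The following is an added example in Python, not SAM's or the project's own code. It works on a template in JSON form (CloudFormation accepts JSON, so no YAML library is needed), uses a constructed sample template and a constructed CLI output, and its list of AWS managed policy names is deliberately partial (only the two named in this thread); the account id `123456789012` and the `PolicyNameParam` parameter are placeholders.

```python
"""Added example (not SAM's own code): lint the Policies property of
AWS::Serverless::Function resources before deploy, and diff the policies
actually attached to the generated role against what the template expects.
Templates are handled in JSON form so only the standard library is needed."""
import json
import re

MANAGED_POLICY_TYPE = "AWS::IAM::ManagedPolicy"
FUNCTION_TYPE = "AWS::Serverless::Function"
# Partial list, limited to the AWS managed policy names that appear in this thread.
KNOWN_AWS_MANAGED_NAMES = {"AWSLambdaBasicExecutionRole", "AWSLambdaExecute"}
# Managed policy ARN: any aws partition, the "aws" namespace or a 12-digit account id.
ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::(aws|\d{12}):policy/.+$")


def classify_policy_entry(entry, resources, parameters):
    """Return (status, message) for one element of a function's Policies list."""
    if isinstance(entry, str):
        if ARN_RE.match(entry):
            return "ok", f"managed policy ARN {entry}"
        if entry in KNOWN_AWS_MANAGED_NAMES:
            return "ok", f"AWS managed policy name {entry}"
        if entry in resources:
            # A template resource's logical id as a bare string is the silent
            # failure reported in this thread: SAM only maps AWS managed policy
            # names to ARNs.  Pass the resource's ARN with Ref instead.
            return "error", f"'{entry}' is a logical id, pass {{'Ref': '{entry}'}} instead"
        return "warn", f"bare name '{entry}' is not a known AWS managed policy name"
    if isinstance(entry, dict) and entry:
        if "Statement" in entry:
            return "ok", "inline policy document"
        if "Ref" in entry:
            target = entry["Ref"]
            if resources.get(target, {}).get("Type") == MANAGED_POLICY_TYPE:
                return "ok", f"Ref to {target} resolves to its ARN"
            if target in parameters:
                # IAM attaches by ARN; a parameter that only carries the policy name will not work.
                return "warn", f"Ref to parameter {target}: it must carry the policy ARN, not its name"
            return "error", f"Ref target {target} is neither a managed policy resource nor a parameter"
        intrinsic = next(iter(entry))
        # ImportValue / Sub entries deploy without error even when nothing is attached.
        return "warn", f"{intrinsic} entry: confirm attachment with list-attached-role-policies"
    return "error", f"unsupported Policies entry {entry!r}"


def lint_policies(template):
    """Return 'status: function: message' strings for every entry that is not ok."""
    resources = template.get("Resources", {})
    parameters = template.get("Parameters", {})
    findings = []
    for logical_id, resource in resources.items():
        if resource.get("Type") != FUNCTION_TYPE:
            continue
        policies = resource.get("Properties", {}).get("Policies", [])
        if not isinstance(policies, list):  # the spec allows a single string or object
            policies = [policies]
        for entry in policies:
            status, message = classify_policy_entry(entry, resources, parameters)
            if status != "ok":
                findings.append(f"{status}: {logical_id}: {message}")
    return findings


def missing_attachments(expected_arns, list_attached_json):
    """Post-deploy check: ARNs expected on the role but absent from the JSON
    printed by `aws iam list-attached-role-policies --role-name <generated role>`."""
    attached = {p["PolicyArn"] for p in json.loads(list_attached_json)["AttachedPolicies"]}
    return sorted(set(expected_arns) - attached)


# Constructed sample template mirroring the patterns tried in this thread.
SAMPLE_TEMPLATE = {
    "Parameters": {"PolicyNameParam": {"Type": "String"}},
    "Resources": {
        "CustomerManagedPolicy": {
            "Type": MANAGED_POLICY_TYPE,
            "Properties": {"PolicyDocument": {"Version": "2012-10-17", "Statement": []}},
        },
        "CustomerFunction": {
            "Type": FUNCTION_TYPE,
            "Properties": {
                "Handler": "handler.index",
                "Runtime": "nodejs4.3",
                "Policies": [
                    "AWSLambdaExecute",                      # ok: AWS managed name
                    "CustomerManagedPolicy",                 # error: bare logical id
                    {"Ref": "CustomerManagedPolicy"},        # ok: resolves to the ARN
                    {"Ref": "PolicyNameParam"},              # warn: parameter may hold a name
                    {"Fn::ImportValue": "TopicPolicyARN"},   # warn: verify after deploy
                ],
            },
        },
    },
}

# Constructed output in the shape of `aws iam list-attached-role-policies`; the
# account id is a placeholder.  Only the basic execution role made it onto the role.
EXPECTED_ARNS = [
    "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
    "arn:aws:iam::123456789012:policy/CustomerManagedPolicy",
]
SAMPLE_CLI_OUTPUT = json.dumps({"AttachedPolicies": [
    {"PolicyName": "AWSLambdaBasicExecutionRole", "PolicyArn": EXPECTED_ARNS[0]},
]})

if __name__ == "__main__":
    for line in lint_policies(SAMPLE_TEMPLATE):
        print(line)
    print("missing after deploy:", missing_attachments(EXPECTED_ARNS, SAMPLE_CLI_OUTPUT))
```

Run as a pre-deploy step on the packaged template and again after deploy, feeding `missing_attachments` the real CLI output for the role SAM generated; a non-empty result is the signal the thread participants were missing, since the stack itself reports success either way.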

@dinvlad
Author

dinvlad commented Feb 3, 2017

Got it, sounds good, thanks! Closing in favor of #22

@dinvlad dinvlad closed this as completed Feb 3, 2017
@seanmcro

Now that #22 is completed, is this issue still valid? I've tried using !Sub MyManagedPolicy.Arn and !Sub MyManagedPolicy.ManagedPolicyName and neither seems to be working. The stack creation succeeds, but the generated lambda role doesn't have MyManagedPolicy attached.

@jfuss
Contributor

jfuss commented Nov 20, 2017

@seanmcro I am not understanding what you are asking.

Can you add snippets of your template?

@seanmcro

Sure. Based on @sanathkr's response above, I expected the following to work (but it doesn't):

```yaml
Resources:
  MyManagedPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: MyManagedPolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: s3:*
            Resource:
              - Fn::Sub: "${MyS3Bucket.Arn}"

  MyFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: <<handler>>
      Runtime: <<runtime>>
      Policies:
      - AWSLambdaExecute
      - Fn::Sub: "${MyManagedPolicy.Arn}"
```

I expected the IAM role generated by SAM for MyFunction to have both of the above managed policies attached to it (i.e. AWSLambdaExecute and MyManagedPolicy), but the role only has AWSLambdaExecute attached. What's even more confusing is that SAM processes the template without emitting an error, so I thought it succeeded... only to go in later to the IAM console and find that MyManagedPolicy wasn't attached to the role.

@martinwangjian

martinwangjian commented Aug 1, 2019

The following template works for me:

```yaml
Resources:
  MyManagedPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: MyManagedPolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: s3:*
            Resource: '*'   # a bare * is a YAML alias, the wildcard must be quoted

  MyFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: <<handler>>
      Runtime: <<runtime>>
      Policies:
        - AWSLambdaExecute
        - !Ref MyManagedPolicy
```

mgrandis pushed a commit to mgrandis/serverless-application-model that referenced this issue Jul 6, 2021
mgrandis added a commit that referenced this issue Jul 6, 2021
mgrandis added a commit that referenced this issue Jul 6, 2021
* Release/v1.37.0 (#2069)
* chore: bump version to 1.37.0 (#2068)

* fix: Increase PageSize of ListPolicies Paginator (#2033)
Co-authored-by: Jacob Fuss <[email protected]>

* feat: Support VIRTUAL_HOST as Type for SourceAccessConfiguration for MQ events (#76) (#2078)
Co-authored-by: Renato Valenzuela <[email protected]>
mndeveci pushed a commit to mndeveci/serverless-application-model that referenced this issue Jul 6, 2021
mgrandis pushed a commit that referenced this issue Jul 6, 2021
@AJM10565

AJM10565 commented May 8, 2024

I've tried to follow the pattern set up above by @martinwangjian, but when I run `sam validate` with the `--lint` option it tells me

```
E1012 Ref AthenaAccessPolicy not found as a resource or parameter
```

for

```yaml
Resources:
  AthenaAccessManagedPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: !Sub 'privacy-ti-athena-access-${env}${canarySuffix}-${AWS::Region}-policy'
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - athena:GetWorkGroup
              - athena:GetTableMetadata
              - athena:StartQueryExecution
              - athena:GetQueryResults
              - athena:GetDatabase
              - athena:GetDataCatalog
              - athena:ListQueryExecutions
              - athena:ListDatabases
              - athena:GetQueryExecution
              - athena:ListTableMetadata
            Resource:
              - !Sub 'arn:aws:athena:*:${AWS::AccountId}:datacatalog/AwsDataCatalog'
```

Is managing customer-managed policies from SAM templates no longer supported?
I created a Stack Overflow question for this topic: https://stackoverflow.com/questions/78451680/correct-syntax-for-a-sam-template-customer-managed-policy
