
Error that I get when deploying a stack:

Syntax errors in policy. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 

That's my role policy that causes the error:

  roleEc2:
Type: AWS::IAM::Role
Properties:
  AssumeRolePolicyDocument:
    Version: "2012-10-17"
    Statement:
      -
        Effect: Allow
        Principal:
          Service:
            - 'ec2.amazonaws.com'
        Action:
            - 'sts:AssumeRole'
  Path: '/'
  Policies:
    -
      PolicyName: 'bucket-access'
      PolicyDocument:
        Version: '2012-10-17'
        Id: 'BucketPolicy'
        Statement:
        - Effect: Allow
          Action:
          - s3:ListBucket
          - s3:GetObject
          - s3:GetBucketLocation
          Resource:
          - arn:aws:s3:::code-dir
          - arn:aws:s3:::code-dir/*
          Principal: !Ref BucketPrincipal

And I don't know how to debug it; I don't know how to find where the error is, or on what line number.

Lem
  • root level of the document is a mapping. The first key of that is indented two spaces, the second key zero spaces. That is invalid, they all have to be indented the same amount. If you remove the space before `roleEc2`, and assuming a constructor for `!Ref` is available, this is valid YAML. – Anthon Aug 23 '18 at 10:41
  • Please refer to this: https://stackoverflow.com/questions/11854772/how-can-i-quickly-and-effectively-debug-cloudformation-templates – bhalothia Aug 23 '18 at 11:49

1 Answer


(I know this is a year later but still...) A good tool I like to use is cfn-lint: https://github.com/aws-cloudformation/cfn-python-lint. Run this against your template and it will show you what you are doing wrong, and on what line:

Issues in the code: it didn't have the first four lines, and you cannot have a Principal in an IAM policy (last line).

---
AWSTemplateFormatVersion: '2010-09-09'
Description: AoD CloudFormation Template Detective Controls
Resources:
  roleEc2:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: Allow
            Principal:
              Service:
                - 'ec2.amazonaws.com'
            Action:
                - 'sts:AssumeRole'
      Path: '/'
      Policies:
        -
          PolicyName: 'bucket-access'
          PolicyDocument:
            Version: '2012-10-17'
            Id: 'BucketPolicy'
            Statement:
            - Effect: Allow
              Action:
              - s3:ListBucket
              - s3:GetObject
              - s3:GetBucketLocation
              Resource:
              - arn:aws:s3:::code-dir
              - arn:aws:s3:::code-dir/*
hgt
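The second issue the answer names (a Principal inside the role's inline policy) is a structural rule of IAM, not a YAML problem: identity-based policy documents (inline Policies on a Role, User or Group, and AWS::IAM::Policy / AWS::IAM::ManagedPolicy) attach to the principal implicitly and must not carry Principal or NotPrincipal, while a Role's AssumeRolePolicyDocument (the trust policy) must name one. The checker below is an added example and is not code from the question, the answer, or cfn-lint; it is a stdlib-only illustration of that one rule, not a replacement for cfn-lint. It assumes the asker's role expressed in CloudFormation's JSON template syntax (where {"Ref": ...} is the JSON spelling of !Ref), embedded as a constructed sample, and the function and rule names are the example's own.

```python
import copy
import json

# Constructed sample: the asker's role in JSON template syntax, including the
# offending Principal inside the inline policy (the last key of the statement).
BROKEN_TEMPLATE = """
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "roleEc2": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {"Effect": "Allow",
             "Principal": {"Service": ["ec2.amazonaws.com"]},
             "Action": ["sts:AssumeRole"]}
          ]
        },
        "Path": "/",
        "Policies": [
          {"PolicyName": "bucket-access",
           "PolicyDocument": {
             "Version": "2012-10-17",
             "Id": "BucketPolicy",
             "Statement": [
               {"Effect": "Allow",
                "Action": ["s3:ListBucket", "s3:GetObject", "s3:GetBucketLocation"],
                "Resource": ["arn:aws:s3:::code-dir", "arn:aws:s3:::code-dir/*"],
                "Principal": {"Ref": "BucketPrincipal"}}
             ]
           }}
        ]
      }
    }
  }
}
"""

IDENTITY_POLICY_TYPES = ("AWS::IAM::Role", "AWS::IAM::User", "AWS::IAM::Group",
                         "AWS::IAM::Policy", "AWS::IAM::ManagedPolicy")


def load_template(text):
    """Parse a JSON-syntax CloudFormation template into a dict."""
    return json.loads(text)


def _statements(doc):
    """Statement may be a single mapping or a list; always return a list."""
    stmts = doc.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def _policy_documents(rtype, props):
    """Yield (location, document, is_trust_policy) for every policy document
    attached to one IAM resource."""
    if rtype == "AWS::IAM::Role" and "AssumeRolePolicyDocument" in props:
        yield "AssumeRolePolicyDocument", props["AssumeRolePolicyDocument"], True
    for i, pol in enumerate(props.get("Policies", [])):
        yield f"Policies[{i}].PolicyDocument", pol.get("PolicyDocument", {}), False
    if "PolicyDocument" in props:  # AWS::IAM::Policy / ManagedPolicy
        yield "PolicyDocument", props["PolicyDocument"], False


def check_iam_policies(template):
    """Return (resource, location, message) findings for IAM policy documents:
    missing Effect, missing Action/NotAction, a trust-policy Allow with no
    Principal, and a Principal/NotPrincipal in an identity-based policy."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type", ""), res.get("Properties", {})
        if rtype not in IDENTITY_POLICY_TYPES:
            continue
        for loc, doc, is_trust in _policy_documents(rtype, props):
            for j, st in enumerate(_statements(doc)):
                where = f"{loc}.Statement[{j}]"
                has_principal = "Principal" in st or "NotPrincipal" in st
                if "Effect" not in st:
                    findings.append((name, where, "missing Effect"))
                if "Action" not in st and "NotAction" not in st:
                    findings.append((name, where, "missing Action/NotAction"))
                if is_trust and st.get("Effect") == "Allow" and not has_principal:
                    findings.append((name, where, "trust policy statement has no Principal"))
                if not is_trust and has_principal:
                    findings.append((name, where, "Principal is not allowed in an identity-based policy"))
    return findings


def strip_identity_principals(template):
    """Return a deep copy with Principal/NotPrincipal removed from every
    identity-based policy statement (the edit the answer made by hand)."""
    fixed = copy.deepcopy(template)
    for res in fixed.get("Resources", {}).values():
        rtype, props = res.get("Type", ""), res.get("Properties", {})
        if rtype not in IDENTITY_POLICY_TYPES:
            continue
        for _loc, doc, is_trust in _policy_documents(rtype, props):
            if not is_trust:
                for st in _statements(doc):
                    st.pop("Principal", None)
                    st.pop("NotPrincipal", None)
    return fixed


BROKEN = load_template(BROKEN_TEMPLATE)
FIXED = strip_identity_principals(BROKEN)

if __name__ == "__main__":
    for finding in check_iam_policies(BROKEN):
        print("%s: %s: %s" % finding)
    print("after fix:", check_iam_policies(FIXED))
```

Because the check reports the resource name and the path to the statement rather than a YAML line number, it is useful even when the template has already parsed, which is exactly the situation in the question: the YAML was accepted and the rejection came back from IAM as MalformedPolicyDocument with no location. Running cfn-lint as the answer suggests covers this rule and many more.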