Wondering why CloudFormation doesn’t use the same policy validation logic as the AWS Console
This one really bites. I was spinning my wheels on it for a while. I deployed policy for a role that allows it to only act on certain CloudFormation stacks. The policy deployed without error in CloudFormation.
Then, while trying to run actions on the CloudFormation stacks with my role, I kept getting errors that I didn’t have permissions to run DescribeStacks on a particular stack. I was staring at the policy over and over and reviewing a stack ARN character for character to make sure I didn’t have an error in the ARN for the CloudFormation stacks and it looked OK.
I reviewed the policy in the console and in my code and it was driving me a bit nuts.
Finally, I thought just for a test I’ll manually make some change to the policy to see if it works. When I went to edit the Policy in the AWS Console, the IAM policy editor immediately told me that I had an error.
I had spelled CloudForamtion wrong! I wrote this:
Instead of this:
OK so sure, I need glasses. It’s true. However, it seems that if the AWS Console can spot the error, then probably CloudFormation can too. Don’t different groups at AWS share validation routines via an API call to the “owner” of the resource?
I would expect that the CloudFormation team could make an API call to the IAM team for policy validation and the results would be the same in either case.
Shouldn’t that just be a rule at AWS since the owner of the resource should know best how to validate it? And other teams can recommend changes the validation rules via a fork instead of rolling their own?
Too much wasted time on all these little bugs!
If you liked this story please clap and follow:
Medium: Teri Radichel or Email List: Teri Radichel
Twitter: @teriradichel or @2ndSightLab
Requests services via LinkedIn: Teri Radichel or IANS Research
© 2nd Sight Lab 2022
Need Cloud Security Training? 2nd Sight Lab Cloud Security Training
Cybersecurity & Cloud Security Resources by Teri Radichel: Cybersecurity and Cloud security classes, articles, white papers, presentations, and podcasts