Another non-sensical Policy Document error message in CloudFormation
I may have written about this before but this one of the worst error messages for Policy Documents in existence. How is an end user reading this error message supposed to know what to do with this?
The policy failed legacy parsing (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: xxx; Proxy: null)
This error message occurred because I failed to use a sub in my policy when using an AWS pseudo parameter. That’s it. Here’s the policy:
Instead of this:
Resource:
– !Sub ‘arn:aws:iam::${AWS::AccountID}:role/Lambda*’
– !Sub ‘arn:aws:iam::${AWS::AccountID}:role/Batch*’
I had this:
Resource:
– ‘arn:aws:iam::${AWS::AccountID}:role/Lambda*’
– ‘arn:aws:iam::${AWS::AccountID}:role/Batch*’
One thing I wonder is, why do we need the sub at all? Can’t AWS tell that it needs to substitute something when it runs across ${ ??
Anyway, that’s at least one fix if you see: “The policy failed legacy parsing” while deploying a CloudFormation template.
Teri Radichel
If you liked this story please clap and follow:
Medium: Teri Radichel or Email List: Teri Radichel
Twitter: @teriradichel or @2ndSightLab
Requests services via LinkedIn: Teri Radichel or IANS Research
© 2nd Sight Lab 2022
____________________________________________
Author:
Cybersecurity for Executives in the Age of Cloud on Amazon
Need Cloud Security Training? 2nd Sight Lab Cloud Security Training
Is your cloud secure? Hire 2nd Sight Lab for a penetration test or security assessment.
Have a Cybersecurity or Cloud Security Question? Ask Teri Radichel by scheduling a call with IANS Research.
Cybersecurity & Cloud Security Resources by Teri Radichel: Cybersecurity and Cloud security classes, articles, white papers, presentations, and podcasts
The policy failed legacy parsing was originally published in Bugs That Bite on Medium, where people are continuing the conversation by highlighting and responding to this story.