I am currently writing a CloudFormation Template (CFT) for KMS (Key Management Service) where I want to give key administrative permissions and key usage permissions to users other than root. I want this to be passed dynamically through the CFT. As of now, I am able to give root those permissions. Following is the policy:
{
  "Sid": "Allow attachment of persistent resources",
  "Effect": "Allow",
  "Principal": {
    "AWS": [
      "arn:aws:iam::111122223333:user/KMSUser",
      {
        "Fn::Join": [
          ":",
          [
            "arn:aws:iam:",
            {
              "Ref": "AWS::AccountId"
            },
            "root"
          ]
        ]
      }
    ]
  },
  "Action": [
    "kms:CreateGrant",
    "kms:ListGrants",
    "kms:RevokeGrant"
  ],
  "Resource": "*",
  "Condition": {
    "Bool": {
      "kms:GrantIsForAWSResource": true
    }
  }
}
How can I get the ARN and the username dynamically?
You can make use of Parameters.
Define a parameter for the username:
"Username": {
  "Description": "Username details",
  "Type": "String"
}
In the role name definition, point to the parameter instead of hardcoding it to root.
"Fn::Join": [
  ":",
  [
    "arn:aws:iam:",
    {
      "Ref": "AWS::AccountId"
    },
    {
      "Ref": "Username"
    }
  ]
]
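A complete template putting the parameter approach together, added here as an illustration rather than taken from the question or the answer. It assumes two parameters, KeyAdminName and KeyUserName, that each hold a plain IAM user name (the "user/" prefix is added in the policy, so a caller cannot substitute a different principal type), keeps the account root as a separate principal so the key never becomes unmanageable, and shows Fn::Sub beside the answer's Fn::Join as an equivalent way to build the ARN:

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "KeyAdminName": {
      "Type": "String",
      "Description": "Assumed: IAM user name that may administer the key (no user/ prefix)",
      "AllowedPattern": "[A-Za-z0-9+=,.@_-]+"
    },
    "KeyUserName": {
      "Type": "String",
      "Description": "Assumed: IAM user name that may use the key for cryptographic operations",
      "AllowedPattern": "[A-Za-z0-9+=,.@_-]+"
    }
  },
  "Resources": {
    "AppKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "EnableKeyRotation": true,
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "Account root keeps full control so the key stays manageable",
              "Effect": "Allow",
              "Principal": { "AWS": { "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root" } },
              "Action": "kms:*",
              "Resource": "*"
            },
            {
              "Sid": "Key administrator from the KeyAdminName parameter via Fn::Sub",
              "Effect": "Allow",
              "Principal": { "AWS": { "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:user/${KeyAdminName}" } },
              "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
              "Resource": "*"
            },
            {
              "Sid": "Key user from the KeyUserName parameter via Fn::Join, as in the answer",
              "Effect": "Allow",
              "Principal": { "AWS": { "Fn::Join": [":", ["arn:aws:iam:", { "Ref": "AWS::AccountId" }, { "Fn::Join": ["/", ["user", { "Ref": "KeyUserName" }]] }]] } },
              "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"],
              "Resource": "*"
            }
          ]
        }
      }
    }
  }
}
```

The usage statement grants only the cryptographic actions, so a key user cannot change the policy or schedule deletion; the named users must already exist in the account, because KMS validates principals when the key policy is applied.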