Tags: amazon-web-services, aws-cloudformation, amazon-iam, amazon-kms

How do I make Cloudformation give more verbose debugging output?


I'm attempting to automate creation of some IAM policies (technically, these are KMS key policies, but I think that doesn't matter in this case) in Cloudformation in a way that avoids any real hard-coded strings. However, this entails a lot of Joins and References, and while I can validate that the yaml is well-formed and the stack will execute, it fails and the policy that is being generated is returning the MalformedPolicyDocument Exception.

Is it possible to have Cloudformation print or log the resultant policy it generates so that I can see what the discrepancy is?

Here's a small snippet; I've double-checked that the parameters referenced here are defined correctly:

- Sid: "Allow security roles in all accounts to encrypt data"
  Effect: "Allow"
  Principal:
    AWS:
      - !Join
        - ''
        - - 'arn:aws:iam::'
          - !Ref "AWS::AccountId"
          - ':role/'
          - !Ref SecurityRolePrefix
      - !Join
        - ''
        - - 'arn:aws:iam::'
          - !Ref AdditionalAccount1
          - ':role/'
          - !Ref SecurityRolePrefix
      - !Join
        - ''
        - - 'arn:aws:iam::'
          - !Ref AdditionalAccount2
          - ':role/'
          - !Ref SecurityRolePrefix
    Action: "kms:GenerateDataKey*"
    Resource: '*'

Solution

  • Fn::Sub has easier syntax than Fn::Join if you're joining with empty strings:

    !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${SecurityRolePrefix}

    IAM ARNs documentation

  • The CloudFormation Linter and its Visual Studio Code extension can help you debug while you write your template.

  • You can also see the exact API calls CloudFormation made in CloudTrail.

  • Some resources like EC2 and Lambda resources may also emit CloudWatch logs.
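As an added example (not code from the question or the answer), the script below resolves Ref, Fn::Join and Fn::Sub locally against constructed parameter values, renders the policy JSON CloudFormation would hand to KMS, and lints each statement for the statement-level keys a key policy needs. The account ids and role name are placeholders, and the resolver covers only those three intrinsics, not the full CloudFormation set. It shows that the Join form from the question and the Sub form from the answer produce the same ARN, and because it also flags Action or Resource nested under Principal, it catches the kind of indentation slip that yields MalformedPolicyDocument even when every Ref is defined correctly.

```python
import json
import re

# Constructed stand-ins for the stack's Parameters and pseudo-parameters.
# The account ids and role name are hypothetical placeholders.
PARAMS = {
    "AWS::Partition": "aws",
    "AWS::AccountId": "111111111111",
    "AdditionalAccount1": "222222222222",
    "AdditionalAccount2": "333333333333",
    "SecurityRolePrefix": "SecurityAuditRole",
}


def resolve(node, params=PARAMS):
    """Resolve Ref, Fn::Join and Fn::Sub (the long-form spelling of
    !Ref/!Join/!Sub) into plain values, recursing through dicts and lists."""
    if isinstance(node, dict):
        if len(node) == 1:
            (key, value), = node.items()
            if key == "Ref":
                return params[value]
            if key == "Fn::Join":
                delimiter, parts = value
                return delimiter.join(str(resolve(p, params)) for p in parts)
            if key == "Fn::Sub":
                # Fn::Sub takes either a string or [string, {extra variables}]
                template, extra = (value, {}) if isinstance(value, str) else value
                scope = {**params, **{k: resolve(v, params) for k, v in extra.items()}}
                return re.sub(r"\$\{([^}]+)\}", lambda m: str(scope[m.group(1)]), template)
        return {k: resolve(v, params) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(item, params) for item in node]
    return node


def join_arn(account_ref):
    """The Fn::Join form used in the question, as a Python structure."""
    return {"Fn::Join": ["", ["arn:aws:iam::", {"Ref": account_ref},
                             ":role/", {"Ref": "SecurityRolePrefix"}]]}


def sub_arn(account_ref):
    """The equivalent Fn::Sub form suggested in the answer."""
    return {"Fn::Sub": f"arn:${{AWS::Partition}}:iam::${{{account_ref}}}:role/${{SecurityRolePrefix}}"}


ACCOUNT_REFS = ("AWS::AccountId", "AdditionalAccount1", "AdditionalAccount2")

JOIN_STATEMENT = {
    "Sid": "Allow security roles in all accounts to encrypt data",
    "Effect": "Allow",
    "Principal": {"AWS": [join_arn(r) for r in ACCOUNT_REFS]},
    "Action": "kms:GenerateDataKey*",
    "Resource": "*",
}

SUB_STATEMENT = {**JOIN_STATEMENT, "Principal": {"AWS": [sub_arn(r) for r in ACCOUNT_REFS]}}

# Constructed variant reproducing an indentation slip: Action and Resource
# end up inside Principal instead of at statement level.
MISINDENTED_STATEMENT = {
    "Sid": JOIN_STATEMENT["Sid"],
    "Effect": "Allow",
    "Principal": {"AWS": [join_arn(r) for r in ACCOUNT_REFS],
                  "Action": "kms:GenerateDataKey*", "Resource": "*"},
}


def lint_statement(stmt):
    """Return the reasons a resolved key-policy statement is malformed:
    a missing statement-level key, or one that slipped under Principal."""
    problems = []
    for key in ("Effect", "Principal", "Action", "Resource"):
        if key not in stmt:
            problems.append(f"missing {key!r} at statement level")
    principal = stmt.get("Principal", {})
    for key in ("Action", "Resource", "Effect"):
        if isinstance(principal, dict) and key in principal:
            problems.append(f"{key!r} is nested under Principal (indentation error)")
    return problems


def render_policy(statements):
    """Resolve every statement and return the policy JSON CloudFormation would submit."""
    return json.dumps({"Version": "2012-10-17",
                       "Statement": [resolve(s) for s in statements]}, indent=2)


if __name__ == "__main__":
    print(render_policy([SUB_STATEMENT]))
    for problem in lint_statement(resolve(MISINDENTED_STATEMENT)):
        print("problem:", problem)
```

Run it to see the rendered document before you deploy; this does not replace CloudTrail's record of the API call CloudFormation actually makes, but it puts the discrepancy in front of you without a failed stack update, and the lint step is the kind of check cfn-lint applies to the template as a whole.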