Tags: amazon-s3, aws-cloudformation, amazon-iam, aws-sam-cli

Create IAM role from template in SAM


I am trying to add an IAM role to an already existing template that allows certain access to a bucket from an external source (Snowflake):

RoleNameForAccess:
    Type: AWS::IAM::Role
    Properties: 
      RoleName: RoleNameForAccess
      Description: A role that allows snowflake to access the bucket
      Policies: 
        - PolicyName: 'SnowflakePolicyRole'
        - PolicyDocument:
          - Version: '2012-10-17'
            Statement:
            - Effect: Allow
              Action: 
                - s3:PutObject
                - s3:GetObject
                - s3:GetObjectVersion
                - s3:DeleteObject
                - s3:DeleteObjectVersion
              Resource: arn:aws:s3:::bucket-name/*
            - Effect: Allow
              Action: s3:ListBucket
              Resource: arn:aws:s3:::bucket-name
              Condition:
                StringLike:
                  s3:prefix:
                  - "*"

but it keeps throwing errors:

Property PolicyDocument cannot be empty.

If I take out the dash in PolicyDocument, I get this error:

Value of property PolicyDocument must be an object

Maybe I am missing some syntax, but I can't find what it is.

Thanks


Solution

  • PolicyName and AssumeRolePolicyDocument were missing. Updated as per the user guide here. You may change Principal in the AssumeRolePolicyDocument section of the update below as per your requirements.

      RoleNameForAccess:
        Type: AWS::IAM::Role
        Properties:
          AssumeRolePolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Principal:
                  AWS:
                    - arn:aws:iam::111111111111:user/testuser
                Action:
                  - 'sts:AssumeRole'
          RoleName: RoleNameForAccess
          Description: A role that allows snowflake to access the bucket
          Policies: 
            - PolicyName: SnowflakePolicyRole
              PolicyDocument:
                Version: '2012-10-17'
                Statement:
                  - Effect: Allow
                    Action: 
                      - s3:PutObject
                      - s3:GetObject
                      - s3:GetObjectVersion
                      - s3:DeleteObject
                      - s3:DeleteObjectVersion
                    Resource: arn:aws:s3:::bucket-name/*
                  - Effect: Allow
                    Action: s3:ListBucket
                    Resource: arn:aws:s3:::bucket-name
                    Condition:
                      StringLike:
                        s3:prefix:
                        - "*"
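Added example, not part of the question or the answer: a small PyYAML check that reproduces both error messages from the question offline, so the effect of the stray dash can be seen before running `sam deploy`. It assumes PyYAML is installed; the two templates are constructed, trimmed copies of the question's and the answer's YAML (the Principal ARN and bucket name are taken from the answer as-is).

```python
import yaml  # PyYAML, assumed installed; the templates below are constructed, trimmed copies

BROKEN = """\
RoleNameForAccess:
  Type: AWS::IAM::Role
  Properties:
    Policies:
      - PolicyName: SnowflakePolicyRole
      - PolicyDocument:
        - Version: '2012-10-17'
          Statement:
          - Effect: Allow
            Action: s3:ListBucket
            Resource: arn:aws:s3:::bucket-name
"""

FIXED = """\
RoleNameForAccess:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - {Effect: Allow, Action: 'sts:AssumeRole', Principal: {AWS: 'arn:aws:iam::111111111111:user/testuser'}}
    Policies:
      - PolicyName: SnowflakePolicyRole
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action: s3:ListBucket
              Resource: arn:aws:s3:::bucket-name
"""

def role_errors(template_yaml: str, logical_id: str = "RoleNameForAccess") -> list:
    """Mimic CloudFormation's property checks for an AWS::IAM::Role; [] means valid."""
    props = yaml.safe_load(template_yaml)[logical_id].get("Properties", {})
    errors = []
    if not isinstance(props.get("AssumeRolePolicyDocument"), dict):
        errors.append("Property AssumeRolePolicyDocument is required")
    # Every '- ' under Policies starts a new list item, so a dash before PolicyDocument splits one policy in two.
    for i, policy in enumerate(props.get("Policies", [])):
        if "PolicyName" not in policy:
            errors.append(f"Policies[{i}]: Property PolicyName cannot be empty.")
        doc = policy.get("PolicyDocument")
        if doc is None:
            errors.append(f"Policies[{i}]: Property PolicyDocument cannot be empty.")
        elif not isinstance(doc, dict):
            errors.append(f"Policies[{i}]: Value of property PolicyDocument must be an object")
    return errors
```

Running `role_errors(BROKEN)` shows the dash has produced two half-empty policies (one without a PolicyDocument, one whose PolicyDocument is a list), while `role_errors(FIXED)` returns an empty list.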