Circular dependency in Cloudformation template between IAM resources

Time:10-21

I keep hitting a circular dependency error in my CloudFormation template and I am not sure how I can eliminate it. I am creating a user and attaching the IAMManagedPolicy2 to the user. The policy allows the user to assume two roles, IAMRole and IAMRole2. IAMRole2 requires defining the assume permission for the user. This is probably the reason why I am hitting the circular dependency in my case. Here is what my template looks like:

AWSTemplateFormatVersion: "2010-09-09"
Metadata:
    Generator: "former2"
Description: ""
Resources:
    IAMUser:
        Type: "AWS::IAM::User"
        Properties:
            Path: "/"
            UserName: "sysuser"
            ManagedPolicyArns: 
              - !Ref IAMManagedPolicy2

    IAMGroup:
        Type: "AWS::IAM::Group"
        Properties:
            Path: "/"
            GroupName: "Temp"


    IAMManagedPolicy2:
        Type: "AWS::IAM::ManagedPolicy"
        Properties:
            ManagedPolicyName: "UserAssumePolicy"
            Path: "/"
            PolicyDocument: !Sub |
                {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Sid": "VisualEditor0",
                            "Effect": "Allow",
                            "Action": "sts:AssumeRole",
                            "Resource": [
                                "arn:aws:iam::*:role/${IAMRole}",
                                "arn:aws:iam::*:role/${IAMRole2}"
                            ]
                        }
                    ]
                }


    IAMRole:
        Type: "AWS::IAM::Role"
        Properties:
            Path: "/"
            RoleName: "AddUserToGroupRole"
            AssumeRolePolicyDocument:
                Version: "2012-10-17"
                Statement:
                    -
                        Effect: "Allow"
                        Principal:
                          AWS:
                            - !GetAtt IAMUser.Arn
                        Action:
                          - "sts:AssumeRole"
            MaxSessionDuration: 3600
            ManagedPolicyArns: 
              - !Ref IAMManagedPolicy3
            Description: "Allows Adding users to group"


    IAMRole2:
        Type: "AWS::IAM::Role"
        Properties:
            Path: "/"
            RoleName: "AttachGroupPolicyRole"
            AssumeRolePolicyDocument:
                Version: "2012-10-17"
                Statement:
                    -
                        Effect: "Allow"
                        Principal:
                          AWS:
                            - !GetAtt IAMUser.Arn
                          Service:
                            - "ec2.amazonaws.com"
                        Action:
                          - "sts:AssumeRole"
            MaxSessionDuration: 3600
            ManagedPolicyArns: 
              - !Ref IAMManagedPolicy
            Description: ""
            Tags: 
              - 
                Key: "event"
                Value: "troopers"

    IAMManagedPolicy:
        Type: "AWS::IAM::ManagedPolicy"
        Properties:
            ManagedPolicyName: "AttachGroupPolicy"
            Path: "/"
            PolicyDocument: !Sub |
                {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Sid": "VisualEditor0",
                            "Effect": "Allow",
                            "Action": "iam:AttachGroupPolicy",
                            "Resource": [
                                "arn:aws:iam::*:group/${IAMGroup}"
                            ]
                        }
                    ]
                }

    IAMManagedPolicy3:
        Type: "AWS::IAM::ManagedPolicy"
        Properties:
            ManagedPolicyName: "AddUserToGroup"
            Path: "/"
            PolicyDocument: !Sub |
                {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Sid": "VisualEditor0",
                            "Effect": "Allow",
                            "Action": "iam:AddUserToGroup",
                            "Resource": [
                                "arn:aws:iam::*:group/${IAMGroup}"
                            ]
                        }
                    ]
                }

Can someone help me point out the changes to eliminate the circular dependency and get the template to work?

CodePudding user response:

Since you are hardcoding the role names (AddUserToGroupRole and AttachGroupPolicyRole), you must use the names directly to overcome the circular dependency problem:

    IAMManagedPolicy2:
        Type: "AWS::IAM::ManagedPolicy"
        Properties:
            ManagedPolicyName: "UserAssumePolicy"
            Path: "/"
            PolicyDocument: !Sub |
                {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Sid": "VisualEditor0",
                            "Effect": "Allow",
                            "Action": "sts:AssumeRole",
                            "Resource": [
                                "arn:aws:iam::*:role/AddUserToGroupRole",
                                "arn:aws:iam::*:role/AttachGroupPolicyRole"
                            ]
                        }
                    ]
                }
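To see why CloudFormation rejects the template in the question and why the change in the answer resolves it, here is an added example (my code, not from the question, the answer, or AWS): a small dependency-graph extractor plus cycle finder that works on the YAML text directly, so it needs no PyYAML and no CloudFormation tag constructors. It assumes the reference forms used on this page (`!Ref X`, `!GetAtt X.Attr` and `${X}` inside `!Sub`) and four-space indentation of logical IDs under `Resources:`; long-form `Fn::Ref`/`Fn::GetAtt` and `DependsOn` are not handled. The embedded template is a trimmed copy of the one in the question, reduced to the four resources that form the cycle, and `apply_fix` performs the substitution the answer proposes.

```python
import re

# Reference forms that create a CloudFormation dependency edge.
RESOURCE_HEADER = re.compile(r"^    ([A-Za-z0-9]+):\s*$")  # logical ID, 4 spaces under Resources:
REF_PATTERNS = (
    re.compile(r"!Ref\s+([A-Za-z0-9]+)"),
    re.compile(r"!GetAtt\s+([A-Za-z0-9]+)\."),
    re.compile(r"\$\{([A-Za-z0-9]+)\}"),  # ${X} inside !Sub; ${AWS::...} pseudo-params do not match
)

# Trimmed copy of the question's template: only the resources that form the
# cycle IAMUser -> IAMManagedPolicy2 -> IAMRole / IAMRole2 -> IAMUser.
TEMPLATE = """\
AWSTemplateFormatVersion: "2010-09-09"
Resources:
    IAMUser:
        Type: "AWS::IAM::User"
        Properties:
            UserName: "sysuser"
            ManagedPolicyArns:
              - !Ref IAMManagedPolicy2
    IAMManagedPolicy2:
        Type: "AWS::IAM::ManagedPolicy"
        Properties:
            PolicyDocument: !Sub |
                {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
                  "Action": "sts:AssumeRole",
                  "Resource": ["arn:aws:iam::*:role/${IAMRole}",
                               "arn:aws:iam::*:role/${IAMRole2}"]}]}
    IAMRole:
        Type: "AWS::IAM::Role"
        Properties:
            RoleName: "AddUserToGroupRole"
            AssumeRolePolicyDocument:
                Statement:
                    - Effect: "Allow"
                      Principal:
                        AWS: [!GetAtt IAMUser.Arn]
                      Action: ["sts:AssumeRole"]
    IAMRole2:
        Type: "AWS::IAM::Role"
        Properties:
            RoleName: "AttachGroupPolicyRole"
            AssumeRolePolicyDocument:
                Statement:
                    - Effect: "Allow"
                      Principal:
                        AWS: [!GetAtt IAMUser.Arn]
                      Action: ["sts:AssumeRole"]
"""


def dependency_graph(template_text):
    """Return {logical_id: set(logical_ids it references)} for the Resources section."""
    graph, current, in_resources = {}, None, False
    for line in template_text.splitlines():
        if line.startswith("Resources:"):
            in_resources = True
            continue
        if in_resources and line and not line.startswith(" "):
            in_resources = False  # reached the next top-level section (Outputs, ...)
        if not in_resources:
            continue
        header = RESOURCE_HEADER.match(line)
        if header:
            current = header.group(1)
            graph.setdefault(current, set())
        elif current is not None:
            for pattern in REF_PATTERNS:
                graph[current].update(pattern.findall(line))
    # Keep only edges to resources defined in this template (drops e.g. "AWS" from !Ref AWS::Region).
    return {node: {d for d in deps if d in graph} for node, deps in graph.items()}


def find_cycle(graph):
    """Return one dependency cycle as [a, b, ..., a], or None if the graph is acyclic (DFS)."""
    done, path = set(), []

    def visit(node):
        if node in path:  # back edge: node is already on the current DFS path
            return path[path.index(node):] + [node]
        if node in done:
            return None
        path.append(node)
        for dep in sorted(graph[node]):
            cycle = visit(dep)
            if cycle:
                return cycle
        path.pop()
        done.add(node)
        return None

    for node in sorted(graph):
        cycle = visit(node)
        if cycle:
            return cycle
    return None


def apply_fix(template_text):
    """The change from the answer: name the roles directly instead of referencing ${IAMRole}/${IAMRole2}."""
    return (template_text.replace("${IAMRole}", "AddUserToGroupRole")
                         .replace("${IAMRole2}", "AttachGroupPolicyRole"))


if __name__ == "__main__":
    print("before fix:", find_cycle(dependency_graph(TEMPLATE)))
    print("after fix: ", find_cycle(dependency_graph(apply_fix(TEMPLATE))))
```

Run as a script, it reports the cycle `IAMManagedPolicy2 -> IAMRole -> IAMUser -> IAMManagedPolicy2` for the original template and `None` after the substitution, which is exactly the edge the answer removes: once the policy document no longer contains `${IAMRole}`, CloudFormation can create the policy first, then the user, then the roles that trust the user. Two things to keep in mind when adopting the fix: it only works because both `RoleName` values are hard-coded (a generated name would not be known until the role exists), and `arn:aws:iam::*:role/AddUserToGroupRole` matches a role of that name in any account the user can reach, so the usual tightening is `arn:aws:iam::${AWS::AccountId}:role/AddUserToGroupRole`; the `${AWS::AccountId}` pseudo parameter does not introduce a resource dependency, and the extractor above ignores it for the same reason.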