504344 (14)
#1
When copying the presented solution into the IAM policy creator and validating the policy, it returns:
"This policy contains the following error: There are invalid ARNs in the policy. For more information about the IAM policy grammar, see AWS IAM Policies. "

I already checked for line breaks from the copy & paste, but the error is still returned.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::myapp"],
      "Condition": {
        "StringLike": {
          "s3:prefix": ["priv/${cognito-identity.amazonaws.com:sub}/*"]
        }
      }
    },
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::myapp/priv/${cognito-identity.amazonaws.com:sub}/*"]
    },
    {
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::myapp"],
      "Condition": {
        "StringLike": {
          "s3:prefix": ["pub/*"]
        }
      }
    },
    {
      "Action": ["s3:GetObject"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::myapp/pub/*"]
    },
    {
      "Action": ["s3:PutObject"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::myapp/pub/${cognito-identity.amazonaws.com:sub}/*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:BatchGetItem",
        "dynamodb:Query",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem",
        "dynamodb:BatchWriteItem"
      ],
      "Resource": ["arn:aws:dynamodb:<region>:<account-id>:table/private-table"],
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:BatchGetItem",
        "dynamodb:Query"
      ],
      "Resource": ["arn:aws:dynamodb:<region>:<account-id>:table/shared-table"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem",
        "dynamodb:BatchWriteItem"
      ],
      "Resource": ["arn:aws:dynamodb:us-east-1:123456789012:table/shared-table"],
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]
        }
      }
    }
  ]
}
24997 (12)
#2
You are right.

Replace

"Resource": ["arn:aws:dynamodb:us-east-1:123456789012:table/shared-table"],

by

"Resource": ["arn:aws:dynamodb:<region>:<account-id>:table/shared-table"]


I think we could also merge the 2 statements, but one thing at a time...

Hope this works for you.
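A local check for the "invalid ARNs" error discussed in this thread, as an added example (not code from the thread or from the book): it walks each statement's Resource list and reports the unreplaced angle-bracket placeholders and malformed ARNs that the IAM console rejects, so the offending statement is found before pasting. The sample policy is a constructed, trimmed copy of the one posted above; the ARN grammar used is a deliberately loose approximation.

```python
"""Lint the Resource ARNs of an IAM policy before pasting it into the
console. Added example, not from the forum thread or the book."""
import json
import re

# Loose ARN grammar: arn:partition:service:region:account-id:resource.
# Region and account-id may legitimately be empty (S3 ARNs are an example).
ARN_RE = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):[a-z0-9-]+:([a-z0-9-]*):(\d{12})?:.+$"
)
# Angle-bracket placeholders such as <region> that a reader must replace.
PLACEHOLDER_RE = re.compile(r"<[^>]*>")


def lint_resources(policy: dict) -> list:
    """Return (statement index, arn, reason) for every Resource entry
    the IAM console would flag as an invalid ARN."""
    problems = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):      # Resource may be a bare string
            resources = [resources]
        for arn in resources:
            if arn == "*":
                continue
            if PLACEHOLDER_RE.search(arn):
                problems.append((i, arn, "unreplaced placeholder"))
            elif not ARN_RE.match(arn):
                problems.append((i, arn, "does not match ARN grammar"))
    return problems


# Constructed sample: trimmed from the thread's policy, keeping one
# statement with the <region>/<account-id> placeholders that trip the console.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": ["arn:aws:s3:::myapp/pub/*"]},
    {"Effect": "Allow", "Action": ["dynamodb:GetItem"],
     "Resource": ["arn:aws:dynamodb:<region>:<account-id>:table/shared-table"]},
    {"Effect": "Allow", "Action": ["dynamodb:PutItem"],
     "Resource": ["arn:aws:dynamodb:us-east-1:123456789012:table/shared-table"]}
  ]
}""")

if __name__ == "__main__":
    for idx, arn, why in lint_resources(SAMPLE_POLICY):
        print(f"Statement[{idx}]: {arn!r}: {why}")
```

Running it prints only the statement that still carries placeholders; once `<region>` and `<account-id>` are filled in with real values the check comes back empty.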