504344 (14)
#1
When copying the presented solution into the IAM policy creator and validating the policy, it returns:
"This policy contains the following error: There are invalid ARNs in the policy. For more information about the IAM policy grammar, see AWS IAM Policies."

I already checked the line breaks when copying and pasting, but the error still returns.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::myapp"],
      "Condition": {
        "StringLike": {
          "s3:prefix": ["priv/${cognito-identity.amazonaws.com:sub}/*"]
        }
      }
    },
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::myapp/priv/${cognito-identity.amazonaws.com:sub}/*"]
    },
    {
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::myapp"],
      "Condition": {
        "StringLike": {
          "s3:prefix": ["pub/*"]
        }
      }
    },
    {
      "Action": ["s3:GetObject"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::myapp/pub/*"]
    },
    {
      "Action": ["s3:PutObject"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::myapp/pub/${cognito-identity.amazonaws.com:sub}/*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:BatchGetItem",
        "dynamodb:Query",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem",
        "dynamodb:BatchWriteItem"
      ],
      "Resource": ["arn:aws:dynamodb:<region>:<account-id>:table/private-table"],
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:BatchGetItem",
        "dynamodb:Query"
      ],
      "Resource": ["arn:aws:dynamodb:<region>:<account-id>:table/shared-table"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem",
        "dynamodb:BatchWriteItem"
      ],
      "Resource": ["arn:aws:dynamodb:us-east-1:123456789012:table/shared-table"],
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]
        }
      }
    }
  ]
}
24997 (12)
#2
You are right.

Replace

"Resource": ["arn:aws:dynamodb:us-east-1:123456789012:table/shared-table"],

by

"Resource": ["arn:aws:dynamodb:<region>:<account-id>:table/shared-table"]


I think we could also merge the 2 statements, but one thing at a time...

Hope this works for you.
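The "invalid ARNs" error in post #1 comes from the IAM validator checking every Resource entry against the ARN grammar, and angle-bracket placeholders such as <region> and <account-id> are not valid ARN components, whatever the rest of the policy looks like. The following script is an added example, not code from the thread or the book: it walks the Statement list, reports every Resource that either still carries a placeholder or fails a basic ARN shape check, and substitutes real values before the policy is pasted into the console. The sample policy and the misspelled <regioon> placeholder in it are constructed for the demonstration; the ARN regex is a deliberately simple approximation of the grammar (partition, service, optional region, optional 12-digit account, resource), not AWS's own validator.

```python
import json
import re

# Constructed sample (not the thread's full policy): one S3 statement, whose
# ARN legitimately has empty region and account fields, and two DynamoDB
# statements using the book's angle-bracket placeholders, one of them with a
# constructed misspelling that a plain find-and-replace would miss.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": ["arn:aws:s3:::myapp"]},
        {"Effect": "Allow", "Action": ["dynamodb:GetItem"],
         "Resource": ["arn:aws:dynamodb:<region>:<account-id>:table/shared-table"]},
        {"Effect": "Allow", "Action": ["dynamodb:PutItem"],
         "Resource": "arn:aws:dynamodb:<regioon>:<account-id>:table/private-table"},
    ],
})

# Approximate ARN shape: partition, service, region (may be empty), account
# (12 digits or empty), resource. Policy variables such as
# ${cognito-identity.amazonaws.com:sub} sit in the resource part and pass.
ARN_RE = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):[a-z0-9-]+:[a-z0-9-]*:(\d{12})?:.+$")
PLACEHOLDER_RE = re.compile(r"<[^>]+>")


def iter_resources(policy):
    """Yield (statement_index, resource) for every Resource entry.
    IAM accepts either a single string or a list of strings."""
    for i, stmt in enumerate(policy.get("Statement", [])):
        res = stmt.get("Resource", [])
        if isinstance(res, str):
            res = [res]
        for r in res:
            yield i, r


def find_invalid_arns(policy_text):
    """Return [(statement_index, resource, reason)] for every Resource
    that the IAM validator would reject as a malformed ARN."""
    problems = []
    for i, r in iter_resources(json.loads(policy_text)):
        if r == "*":
            continue  # the wildcard resource is always syntactically valid
        m = PLACEHOLDER_RE.search(r)
        if m:
            problems.append((i, r, "unresolved placeholder " + m.group(0)))
        elif not ARN_RE.match(r):
            problems.append((i, r, "does not match ARN grammar"))
    return problems


def fill_placeholders(policy_text, region, account_id):
    """Substitute <region> and <account-id> with real values. The checks
    stop a typo in either value from producing a policy that validates
    but points at the wrong account."""
    if not re.fullmatch(r"[a-z]{2}(-[a-z]+)+-\d", region):
        raise ValueError("region must look like us-east-1")
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account id must be exactly 12 digits")
    return policy_text.replace("<region>", region).replace("<account-id>", account_id)


if __name__ == "__main__":
    for i, r, why in find_invalid_arns(SAMPLE_POLICY):
        print(f"statement {i}: {r}: {why}")
    filled = fill_placeholders(SAMPLE_POLICY, "us-east-1", "123456789012")
    for i, r, why in find_invalid_arns(filled):
        print(f"still invalid after substitution, statement {i}: {r}: {why}")
```

Run it before pasting: the first pass reports both DynamoDB statements, the substitution resolves the correctly spelled placeholders, and the second pass still reports the misspelled one, which is exactly the kind of leftover the console's "invalid ARNs" message points at without saying where.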