The situation
I am generating a KMS Key in CloudFormation. According to the KMS policy documentation, it is crucial to create a policy where the Principal is the account itself, in order for IAM policies to be able to grant access to the key.
The question
How can I create the ARN for the account root in CloudFormation?
For those who use YAML for their CloudFormation templates:
!Sub arn:aws:iam::${AWS::AccountId}:root
The answer
{  
   "Fn::Join":[  
      ":",
      [  
         "arn:aws:iam:",
         {  
            "Ref":"AWS::AccountId"
         },
         "root"
      ]
   ]
}
Why does this work?
First, let's examine the line, "Ref":"AWS::AccountId". This is a pseudo parameter reference, which is a fancy way of saying that it is a parameter that comes out of the box with CloudFormation. There are many such parameters. This one happens to give us the account ID, which is crucial for constructing the ARN.
Now, the rest is just the creation of an ARN using this account ID. Fn::Join is simply a CloudFormation built-in that allows concatenation of strings. This is crucial when combining references with string constants (or other references) as we are doing here.
The result is something like...
arn:aws:iam::123456789012:root
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With