E3031: ManagedPolicyArns contains invalid characters... for a valid managed Policy

cfn-lint version: 0.49.2

I’m getting this cfn-lint error for a sam-cli template:

[cfn-lint] E3031: ManagedPolicyArns contains invalid characters (Pattern: arn:(aws[a-zA-Z-]*)?:iam::(\d{12}|aws):policy/[a-zA-Z_0-9+=,.@\-_/]+) at Resources/MyFunctionRole/Properties/ManagedPolicyArns/4

specifically for the CloudWatchLambdaInsightsExecutionRolePolicy policy:

Resources:
  MyFunction:
    Type: AWS::Serverless::Function
    Properties:
      ...
      Policies:
        - AWSLambdaRole       # AWS Managed Role to allow Lambda invocation permissions
        - CloudWatchLambdaInsightsExecutionRolePolicy   # Lambda Insights

but that error is not applicable since this syntax works and is officially supported via the documentation: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html#sam-function-policies

where it states: This property accepts a single string or a list of strings, and can be the name of AWS managed policies or...

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Reactions: 1
  • Comments: 9 (4 by maintainers)

Top GitHub Comments

1 reaction
thesuavehog commented, Sep 10, 2021

I am experiencing this issue as well. Given that the SAM templates work fine with this format

Policies:
  - AmazonElasticFileSystemClientReadWriteAccess
  - AWSLambdaVPCAccessExecutionRole

and given that this project’s goal is to identify issues with the CloudFormation YML, and this is obviously not an issue since the SAM YML translates and deploys fine, this should be considered a bug - and one that means I cannot use this tool in a validation pipeline to catch errors… which is kinda the point of this tool.

When I view the processed final template in the CloudFormation console, the YML format does not add the arn:aws:iam::aws:policy/ prefix but the JSON format does. I guess that means that the YML format is valid without the prefix.

Now, I’m not sure what the right fix is in the project code though since I presume the only values that are allowed that are String values not ARN values are those that are pre-defined AWS Policies. It seems high maintenance to include a fixed list of those policies but maybe that’s better than failing on them?

1 reaction
kddejong commented, Jun 18, 2021

When doing this in an account, this makes me think the SAM translator package is not doing the same as what is happening in actuality.

"ManagedPolicyArns": [
  "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
  "arn:aws:iam::aws:policy/service-role/AWSLambdaRole",
  "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy"
],
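As an added example (not code from the issue, from cfn-lint or from the SAM translator): a small Python check that resolves a SAM `Policies` list the way the deployed template above shows, so that bare AWS managed policy names are expanded to ARNs before the E3031 pattern from the error message is applied, and only entries that are neither an ARN nor a known managed policy name are reported. The name-to-path table is constructed from the maintainer's JSON above and is assumed to be only a fragment of the list SAM actually uses.

```python
import re

# Pattern quoted verbatim from the cfn-lint E3031 message in the issue.
MANAGED_POLICY_ARN = re.compile(
    r"^arn:(aws[a-zA-Z-]*)?:iam::(\d{12}|aws):policy/[a-zA-Z_0-9+=,.@\-_/]+$"
)

# Constructed fragment: managed policy name -> path prefix SAM resolves it to.
# Taken from the deployed JSON pasted by the maintainer; the real list is longer.
SAM_MANAGED_POLICY_PATHS = {
    "AWSLambdaBasicExecutionRole": "service-role/",
    "AWSLambdaRole": "service-role/",
    "CloudWatchLambdaInsightsExecutionRolePolicy": "",
}


def expand_policy(entry, partition="aws"):
    """Return (arn, note) for one string entry of a SAM Policies list.

    Full ARNs pass through untouched; bare names are resolved as AWS managed
    policies (account is always the literal 'aws' for those); anything else
    is flagged so a validation pipeline fails only on genuine typos.
    """
    if MANAGED_POLICY_ARN.match(entry):
        return entry, "arn"
    path = SAM_MANAGED_POLICY_PATHS.get(entry)
    if path is None:
        return None, "unknown-policy-name"
    return f"arn:{partition}:iam::aws:policy/{path}{entry}", "expanded"


def lint_policies(policies):
    """Resolve a Policies value (single string or list) into (arns, problems)."""
    if isinstance(policies, str):  # SAM accepts a single string as well as a list
        policies = [policies]
    arns, problems = [], []
    for index, entry in enumerate(policies):
        if not isinstance(entry, str):  # inline documents / policy templates: not ARNs
            continue
        arn, note = expand_policy(entry)
        if arn is None:
            problems.append(f"Policies/{index}: {entry!r} is neither an ARN "
                            "nor a known AWS managed policy name")
        else:
            assert MANAGED_POLICY_ARN.match(arn), arn  # expansion must satisfy E3031
            arns.append(arn)
    return arns, problems
```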