Statement IDs (SID) must be alpha-numeric


cfn-lint version: cfn-lint 0.15.0

When creating an AWS::IAM::ManagedPolicy and using the Sid statement, cfn-lint is not detecting an invalidly-formed Sid statement.

Please provide as much information as possible:

  • Template linting issues:
    • Please provide a CloudFormation sample that generated the issue.
  ManagedPolicyCodeSuiteKmsKey:
    Type: AWS::IAM::ManagedPolicy
    Condition: CreateCodePipelineRole
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: Allow use of KMS key in Operations Production Account
            Effect: Allow
            Resource: !Sub 'arn:aws:kms::123123123123:key/*'
            Action:
              - "kms:Encrypt"
              - "kms:Decrypt"
              - "kms:ReEncrypt*"
              - "kms:GenerateDataKey*"
              - "kms:DescribeKey"

sid_string

Provides a way to include information about an individual statement. For IAM policies, basic alphanumeric characters (A-Z,a-z,0-9) are the only allowed characters in the Sid value. Other AWS services that support resource policies may have other requirements for the Sid value. For example, some services require this value to be unique within an AWS account, and some services allow additional characters such as spaces in the Sid value.

  • Validate if the issue still exists with the latest version of cfn-lint and/or the latest Spec files: I do not know how to install the latest version, I just ran pip install.

  • Feature request:

    • My CloudFormation template fails to Create or Update because the Sid uses invalid characters, and cfn-lint does not detect that.

NOTE: I have executed cfn-lint -u and it downloaded updates, but the problem remains.


Below is the output from CloudFormation:

The following resource(s) failed to update: [ManagedPolicyCodeSuiteKmsKey].
--
  | 11:20:11 UTC+1000 | UPDATE_FAILED | AWS::IAM::ManagedPolicy | ManagedPolicyCodeSuiteKmsKey | Statement IDs (SID) must be alpha-numeric. Check that your input satisfies the regular expression [0-9A-Za-z]* (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: a632726a-42d2-11e9-8725-21992a944eb3)

Issue Analytics

  • State:open
  • Created 5 years ago
  • Reactions:5
  • Comments:5 (4 by maintainers)

Top GitHub Comments

2 reactions
felipe1982 commented, Mar 11, 2019

Thank you for an awesome tool to use when developing and also for CI. Your issue template helped me create the issue so thanks.

1 reaction
kddejong commented, Jul 28, 2019

It could help if we could only do this generically. Looking at just the extra allowed characters in the SID comment, I’m curious if that is just a service-based policy instead of an identity-based policy issue. If we know the type of services/resources that allow additional characters, we may be able to come up with a rule that switches the REGEX based on the type of resource. The question may be: does every service that allows additional characters follow the same standards for what characters they allow?

The best way I’ve found to do this in the past is to deploy each service and see if they take a space or not. Or will build the construct of a rule that could be used for additional services/resources but just starts with ManagedPolicy as we know that one won’t work.
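
The check discussed in this thread, sketched as an added example (not cfn-lint's own rule code): a per-resource-type Sid pattern table that starts with AWS::IAM::ManagedPolicy only, using the expression quoted in the CloudFormation error above. The names `SID_PATTERNS` and `find_invalid_sids`, the already-parsed dict form of the template, and the second sample statement are assumptions made for illustration.

```python
import re

# Sid pattern per resource type. Only AWS::IAM::ManagedPolicy is listed, with the
# expression from the CloudFormation error on this page; other types are left out
# because the thread does not establish which characters they accept.
SID_PATTERNS = {"AWS::IAM::ManagedPolicy": re.compile(r"[0-9A-Za-z]*")}

# Constructed sample: the issue's template as a parsed dict (!Sub shown as Fn::Sub).
SAMPLE_TEMPLATE = {"Resources": {"ManagedPolicyCodeSuiteKmsKey": {
    "Type": "AWS::IAM::ManagedPolicy",
    "Properties": {"PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Allow use of KMS key in Operations Production Account",
             "Effect": "Allow",
             "Resource": {"Fn::Sub": "arn:aws:kms::123123123123:key/*"},
             "Action": ["kms:Encrypt", "kms:Decrypt"]},
            # Constructed for illustration: a Sid the pattern accepts.
            {"Sid": "AllowUseOfKmsKey", "Effect": "Allow",
             "Resource": {"Fn::Sub": "arn:aws:kms::123123123123:key/*"},
             "Action": ["kms:DescribeKey"]},
        ],
    }},
}}}


def find_invalid_sids(template):
    """Return (logical_id, statement_index, sid) for each Sid that fails its pattern."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        pattern = SID_PATTERNS.get(resource.get("Type"))
        if pattern is None:
            continue  # no Sid pattern known for this resource type
        document = resource.get("Properties", {}).get("PolicyDocument", {})
        statements = document.get("Statement", [])
        if isinstance(statements, dict):
            statements = [statements]  # Statement may be a single object
        for index, statement in enumerate(statements):
            sid = statement.get("Sid")
            if not isinstance(sid, str):
                continue  # absent, or an intrinsic function that cannot be checked statically
            if not pattern.fullmatch(sid):
                findings.append((logical_id, index, sid))
    return findings


if __name__ == "__main__":
    for logical_id, index, sid in find_invalid_sids(SAMPLE_TEMPLATE):
        print(f"{logical_id}: Statement[{index}] Sid {sid!r} does not match [0-9A-Za-z]*")
```

`fullmatch` is used because `[0-9A-Za-z]*` also matches the empty string, so `match` or `search` would accept any Sid.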
