AWS IAM CloudFormation YAML template error: 'null' values are not allowed
C

4

16

I am working on a CloudFormation template for an IAM role that grants cross-account read-only access. It uses a managed policy for ReadOnly access as well. So far, I've resolved several errors, but now I'm getting a "'null' values are not allowed in templates" error when I try to validate the template. I think it's a space or syntax thing, but I cannot be sure as it's my first time creating a CloudFormation template from scratch and using YAML.

AWSTemplateFormatVersion: '2010-09-09'
Description: AWS CloudFormation template IAM Role for New Relic to have read access to AWS account
Resources:
  NewRelicInfrastructure-IntegrationsRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        Effect: Allow
        Principal:
          AWS: 11111111
        Action: sts:AssumeRole
        Condition:
          StringEquals:
          sts:ExternalId: '11111'
  Path: '/'
  ManagedPolicyArns: arn:aws:iam::aws:policy/ReadOnlyAccess
  RoleName: NewRelicInfrastructure-Integrations2
Cupule answered 15/3, 2018 at 21:23 Comment(0)
C
2

Indentation fixed. It was specifying something in AssumeRolePolicyDocument, but the YAML syntax wasn't correct. This worked:

AWSTemplateFormatVersion: '2010-09-09'
Description: AWS CloudFormation template IAM Role for New Relic to have read access to AWS account
Resources:
  NewRelicInfrastructureIntegrationsRole: 
    Type: AWS::IAM::Role
    Properties:
      Path: '/managed/'
      ManagedPolicyArns: 
        - 'arn:aws:iam::aws:policy/ReadOnlyAccess'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - 
          Action: sts:AssumeRole  
          Effect: Allow
          Principal:
            AWS: 1111111111111
          Condition:
            StringEquals:
              sts:ExternalId: '11111'
      RoleName: NewRelicInfrastructureIntegrationsRole
Cupule answered 23/3, 2018 at 2:30 Comment(1)
In case anyone comes along later looking for a solution to the same kind of issue, see the answer below by kichik. It's much more clear in the explanation of why there was a problem, and the solution doesn't require the ugly and unnecessary blank-line-with-hyphen that this answer has after "Statement:". (Spermine)
E
15

The problem is with AssumeRolePolicyDocument:. It's required but you left it empty. You also have an indentation issue where Path, ManagedPolicyArns and RoleName are under Resources instead of Properties.

Try:

AWSTemplateFormatVersion: '2010-09-09'
Description: AWS CloudFormation template IAM Role for New Relic to have read access to AWS account
Resources:
  # Logical IDs must be alphanumeric, so the hyphen is dropped here.
  NewRelicInfrastructureIntegrationsRole:
    Type: AWS::IAM::Role
    Properties:
      # The policy document is nested under its key, so the key is no longer null.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          Effect: Allow
          Principal:
            AWS: 11111111
          Action: sts:AssumeRole
          Condition:
            StringEquals:
              sts:ExternalId: '11111'
      Path: '/'
      # ManagedPolicyArns takes a list of ARNs.
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/ReadOnlyAccess
      RoleName: NewRelicInfrastructure-Integrations2
Earsplitting answered 15/3, 2018 at 21:56 Comment(1)
I know this is way old and way overdue, but good answer. Pity the original poster ignored you and used his own ugly-but-workable solution. You deserved the credit :) (Spermine)
B
3

Use an online YAML interpreter to show you where you might be getting a null value in your YAML file. They're hard to spot, as a wrong indentation can result in a null value. The YAML interpreter will show you in JSON where you're getting that value.

Bascio answered 24/3, 2020 at 17:59 Comment(0)
Y
0

PyCharm adds a dash after certain lines like the following:

  - !Equals
    - !Ref 'AWS::Region'
    - us-west-2
    - 

I just changed it to look like this and it worked:

  - !Equals
    - !Ref 'AWS::Region'
    - us-west-2
Ylla answered 12/6, 2024 at 15:29 Comment(0)
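
Both the mis-indented keys in the question and the stray trailing "-" described in the last answer can be located offline before a template is submitted for validation. The following is an added example, not code from any of the posts: a standard-library Python scan that reports the line and key path of each value that would load as null. The names find_nulls, SAMPLE and IsWest are assumptions, and the sample template is constructed from the snippets above.

```python
import re

# Constructed sample: the question's indentation mistake plus a stray empty "-" item.
SAMPLE = """\
Resources:
  Role:
    Properties:
      AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        Condition:
          StringEquals:
          sts:ExternalId: '11111'
Conditions:
  IsWest:
    Fn::Equals:
      - !Ref 'AWS::Region'
      - us-west-2
      -
"""

def find_nulls(text):
    """Return (line, path) for each key or list item that would load as null."""
    # Indentation heuristic for block-style YAML, not a full parser.
    rows = []
    for no, raw in enumerate(text.splitlines(), 1):
        body = re.sub(r"(^|\s)#.*$", "", raw).rstrip()  # drop comments
        if body:
            rows.append((no, len(body) - len(body.lstrip()), body.lstrip()))
    found, stack = [], []  # stack: (indent, key) of enclosing mappings
    for i, (no, indent, item) in enumerate(rows):
        nxt = rows[i + 1] if i + 1 < len(rows) else (0, -1, "")
        dash = item == "-" or item.startswith("- ")
        # A "-" at its parent key's indent still belongs to that key.
        while stack and (stack[-1][0] > indent or (stack[-1][0] == indent and not dash)):
            stack.pop()
        path = ".".join(key for _, key in stack)
        if item == "-":
            if nxt[1] <= indent:  # nothing nested under the dash
                found.append((no, path + "[-]"))
            continue
        if dash:  # "- key:" puts the key two columns deeper
            indent, item = indent + 2, item[2:].lstrip()
        if item.endswith(":"):
            if nxt[1] > indent or (nxt[1] == indent and nxt[2][:1] == "-"):
                stack.append((indent, item[:-1]))
            else:
                found.append((no, f"{path}.{item[:-1]}".lstrip(".")))
    return found
```

Calling find_nulls(SAMPLE) flags AssumeRolePolicyDocument, StringEquals and the empty list item, while a "-" on its own line followed by a deeper-indented mapping (as in the self-answer) is not flagged.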