Error Message:
At least one of [Groups,Roles,Users] must be non-empty
Problem:
This error appears when you create an IAM policy with the AWS::IAM::Policy resource and do not specify a user, group or role to attach the policy to.
In other words, if you try to create a standalone IAM policy using the AWS::IAM::Policy resource, you get the above error.
For example, I tried creating an IAM policy using the template below:
```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: AWS CloudFormation Template to create IAM Policy
Resources:
  StandAlonePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: "standalone-s3-policy"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Resource: "*"
            Action:
              - "s3:Get*"
      # No Users, Groups or Roles property: this is what CloudFormation rejects
```
My stack creation failed with the error below:
At least one of [Groups,Roles,Users] must be non-empty
What is the problem with the above template?
A resource of type AWS::IAM::Policy adds or updates an inline policy document that is embedded in the specified IAM user, group, or role.
An IAM Policy resource looks like this:
```yaml
Type: AWS::IAM::Policy
Properties:
  Groups:
    - String
  PolicyDocument: Json
  PolicyName: String
  Roles:
    - String
  Users:
    - String
```
In the properties section there are a few mandatory properties which you must specify:
- PolicyName
- PolicyDocument
- At least one of [Users, Groups, Roles]
We provided PolicyName and PolicyDocument but did not provide any of Users/Groups/Roles, so our stack creation failed.
The moral of the story is that AWS::IAM::Policy is not meant to create a standalone policy. It always adds an inline policy, which cannot exist on its own and must be part of a user, group or role.
Solution:
You might have guessed by now that there are two ways to think about the solution, depending on what you are trying to do:
- Are you trying to create a standalone IAM policy without attaching it to any role, user or group?
- Are you trying to create an inline policy for your user/group/role?
Solution 1 and Solution 2 below answer these two questions respectively.
Solution 1: Create a Standalone IAM Policy using AWS::IAM::ManagedPolicy
As I already said, AWS::IAM::Policy is for creating inline policies, and inline policies must be part of a user, group or role. So to create a standalone IAM policy, use the AWS::IAM::ManagedPolicy resource as shown below and you should be good to go.
```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: AWS CloudFormation Template to create IAM Policy
Resources:
  StandAlonePolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Managed policy to allow s3 access
      Path: /
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Action:
              - "s3:Get*"
            Resource: "*"
```
Solution 2: Attach the Policy to a group, user or role
If you are trying to create an inline policy and you left out the user, group or role by mistake, specify the user, group or role you want to attach this policy to.
For example, I modified the template to create a group and add this policy to the group, and it worked perfectly fine:
```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: AWS CloudFormation Template to create IAM Policy
Resources:
  DemoGroup:
    Type: AWS::IAM::Group
  StandAlonePolicy:
    # Inline policy: AWS::IAM::Policy takes PolicyName and PolicyDocument,
    # and at least one of Groups, Roles or Users (Description and Path are
    # properties of AWS::IAM::ManagedPolicy only)
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: "standalone-s3-policy"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Action:
              - "s3:Get*"
            Resource: "*"
      Groups:
        # !Ref makes CloudFormation create DemoGroup first, so no DependsOn is needed
        - !Ref DemoGroup
```
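The same rule can be checked before a stack is ever submitted. The following is an added example, not code from this post or from AWS: a small pre-deployment lint that walks the JSON form of a template and reports every AWS::IAM::Policy resource that lacks a required property or has no non-empty Groups/Roles/Users list (AWS::IAM::ManagedPolicy resources are deliberately skipped, since they may stand alone). The sample templates are constructed inline and mirror the failing and fixed templates above.

```python
import json

ATTACH_KEYS = ("Groups", "Roles", "Users")


def iam_policy_findings(template: dict) -> list[str]:
    """Return one message per problem CloudFormation would report for an AWS::IAM::Policy.

    Only inline-policy resources are checked; AWS::IAM::ManagedPolicy may exist on its own.
    """
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::IAM::Policy":
            continue
        props = resource.get("Properties") or {}
        for required in ("PolicyName", "PolicyDocument"):
            if required not in props:
                findings.append(f"{logical_id}: missing required property {required}")
        # An empty list such as Groups: [] counts as absent, matching "must be non-empty".
        if not any(props.get(key) for key in ATTACH_KEYS):
            findings.append(f"{logical_id}: At least one of [Groups,Roles,Users] must be non-empty")
    return findings


def lint_template(text: str) -> list[str]:
    """Lint a CloudFormation template supplied as JSON text (e.g. read from a file)."""
    return iam_policy_findings(json.loads(text))


# Constructed samples: JSON form of the failing template from this post and of the fixed one.
S3_READ = {"Version": "2012-10-17",
           "Statement": [{"Effect": "Allow", "Action": ["s3:Get*"], "Resource": "*"}]}

BROKEN = {"Resources": {"StandAlonePolicy": {
    "Type": "AWS::IAM::Policy",
    "Properties": {"PolicyName": "standalone-s3-policy", "PolicyDocument": S3_READ}}}}

FIXED = {"Resources": {
    "DemoGroup": {"Type": "AWS::IAM::Group"},
    "StandAlonePolicy": {
        "Type": "AWS::IAM::Policy",
        "Properties": {"PolicyName": "standalone-s3-policy", "PolicyDocument": S3_READ,
                       "Groups": [{"Ref": "DemoGroup"}]}}}}

if __name__ == "__main__":
    for name, tpl in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, iam_policy_findings(tpl) or "OK")
```

Running the block prints the exact error message for the broken template and "OK" for the fixed one, so the check can sit in a CI step ahead of `aws cloudformation deploy`.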
I hope you were able to solve the issue. If not, please let me know what exactly you are facing. We might be able to help you.