IAM Policy: At least one of [Groups,Roles,Users] must be non-empty

Error Message:

At least one of [Groups,Roles,Users] must be non-empty

Problem:

You get this error when you create an IAM policy with the AWS::IAM::Policy resource without specifying a user, group or role that the policy should apply to.

In other words, if you try to create a standalone IAM policy using the AWS::IAM::Policy resource, you get the error above.

For example, I tried creating an IAM policy using the template below:

AWSTemplateFormatVersion: 2010-09-09
Description: AWS CloudFormation Template to create IAM Policy
Resources:
  StandAlonePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: "standalone-s3-policy"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
        - Effect: Allow
          Resource: "*"
          Action:
            - "s3:Get*"

My stack creation failed with the error below:

At least one of [Groups,Roles,Users] must be non-empty

What is the problem with the above template?

A resource of type AWS::IAM::Policy adds or updates an inline policy document that is embedded in the specified IAM user, group, or role.

An AWS::IAM::Policy resource looks like this:

Type: AWS::IAM::Policy
Properties:
  Groups:
    - String
  PolicyDocument: Json
  PolicyName: String
  Roles:
    - String
  Users:
    - String

In the Properties section there are a few mandatory properties which you must specify:

  1. PolicyName
  2. PolicyDocument
  3. Any one of [Users , Groups, Roles]

We provided PolicyName and PolicyDocument, but none of Users, Groups or Roles, so the stack creation failed.

The moral of the story is that AWS::IAM::Policy is not meant to create a standalone policy. It always creates an inline policy, which cannot exist on its own and must be embedded in a user, group or role.

Solution:

You might have guessed by now that there are two ways to look at the solution, depending on what you are trying to do:

  1. Are you trying to create a standalone IAM policy without attaching it to any role, user or group?
  2. Are you trying to create an inline policy for your user, group or role?

Solution 1 and Solution 2 below answer these two questions respectively.

Solution 1: Create a Standalone IAM Policy using AWS::IAM::ManagedPolicy

As noted above, AWS::IAM::Policy creates inline policies, and an inline policy must be part of a user, group or role. To create a standalone IAM policy, use the AWS::IAM::ManagedPolicy resource as shown below and you should be good to go. (Note that the example grants s3:Get* on every resource; narrow Action and Resource to what the principal actually needs before using it outside a demo.)

AWSTemplateFormatVersion: 2010-09-09
Description: AWS CloudFormation Template to create IAM Policy
Resources:
  StandAlonePolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Managed policy to allow s3 access
      Path: /
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Action:
              - "s3:Get*"
            Resource: "*"

Solution 2: Attach the Policy to a group, user or role

If you meant to create an inline policy and simply forgot the user, group or role, specify the user, group or role you want to attach the policy to.

For example, I modified the template to create a group and add this policy to the group, and it worked perfectly fine:

AWSTemplateFormatVersion: 2010-09-09
Description: AWS CloudFormation Template to create an inline IAM Policy attached to a group
Resources:
  StandAlonePolicy:
    # AWS::IAM::Policy (not ManagedPolicy) is the inline-policy resource; it
    # requires PolicyName and at least one of Groups/Roles/Users, and does not
    # accept Description or Path.
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: "standalone-s3-policy"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Action:
              - "s3:Get*"
            Resource: "*"
      Groups:
        - !Ref DemoGroup   # YAML forbids tabs here; indent with spaces
    DependsOn: DemoGroup   # redundant with !Ref, but harmless
  DemoGroup:
    Type: AWS::IAM::Group
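The property rules explained above (PolicyName and PolicyDocument are required, at least one of Groups, Roles or Users must be non-empty, and only AWS::IAM::ManagedPolicy may stand alone) can be checked locally before a deployment, which is useful because the error in this post only shows up once the stack is actually being created. The script below is an added example, not part of the original post and not an AWS tool: it reads a template in CloudFormation's JSON form using only the standard library, and the embedded SAMPLE_TEMPLATE, the function names and the extra check that every {"Ref": ...} in Groups/Roles/Users points at a resource of the right type are my own constructions.

```python
import json
from typing import Dict, List

# Constructed sample template (JSON form, not from the post). It contains the
# post's failing standalone AWS::IAM::Policy, a standalone ManagedPolicy
# (Solution 1, allowed), an inline policy correctly attached to a group
# (Solution 2), and a policy whose Roles entry points at a missing resource.
SAMPLE_TEMPLATE = """
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "StandAlonePolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "standalone-s3-policy",
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["s3:Get*"], "Resource": "*"}]}
      }
    },
    "StandAloneManagedPolicy": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["s3:Get*"], "Resource": "*"}]}
      }
    },
    "DemoGroup": {"Type": "AWS::IAM::Group"},
    "GroupPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "group-s3-policy",
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["s3:Get*"], "Resource": "*"}]},
        "Groups": [{"Ref": "DemoGroup"}]
      }
    },
    "DanglingPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "dangling-policy",
        "PolicyDocument": {"Version": "2012-10-17", "Statement": []},
        "Roles": [{"Ref": "MissingRole"}]
      }
    }
  }
}
"""

# Attachment property -> resource type a Ref inside it should point at.
ATTACH_KEYS = {"Groups": "AWS::IAM::Group", "Roles": "AWS::IAM::Role", "Users": "AWS::IAM::User"}


def check_inline_policies(template: Dict) -> List[str]:
    """Return one finding per problem found in the template's AWS::IAM::Policy resources.

    Mirrors what CloudFormation enforces at stack creation (PolicyName and
    PolicyDocument required; at least one of Groups/Roles/Users non-empty) and
    additionally resolves {"Ref": ...} entries so a mistyped logical ID is
    caught offline. AWS::IAM::ManagedPolicy resources are skipped because a
    managed policy may legitimately stand alone.
    """
    resources = template.get("Resources", {})
    parameters = template.get("Parameters", {})
    findings: List[str] = []
    for name, resource in resources.items():
        if resource.get("Type") != "AWS::IAM::Policy":
            continue
        props = resource.get("Properties", {})
        for required in ("PolicyName", "PolicyDocument"):
            if required not in props:
                findings.append(f"{name}: missing required property {required}")
        attachments = {key: props.get(key) or [] for key in ATTACH_KEYS}
        if not any(attachments.values()):
            findings.append(
                f"{name}: At least one of [Groups,Roles,Users] must be non-empty "
                "(use AWS::IAM::ManagedPolicy if you want a standalone policy)"
            )
            continue
        for key, expected_type in ATTACH_KEYS.items():
            for principal in attachments[key]:
                # Literal names of pre-existing principals cannot be verified offline.
                if not (isinstance(principal, dict) and "Ref" in principal):
                    continue
                target = principal["Ref"]
                if target in parameters:
                    continue  # name is supplied at deploy time
                target_resource = resources.get(target)
                if target_resource is None:
                    findings.append(f"{name}: {key} refers to undefined resource {target}")
                elif target_resource.get("Type") != expected_type:
                    findings.append(
                        f"{name}: {key} refers to {target} of type "
                        f"{target_resource.get('Type')}, expected {expected_type}"
                    )
    return findings


def check_sample() -> List[str]:
    """Run the checker over the constructed sample template."""
    return check_inline_policies(json.loads(SAMPLE_TEMPLATE))


if __name__ == "__main__":
    for finding in check_sample():
        print(finding)
```

Running the script reports exactly two findings: StandAlonePolicy reproduces the post's error message, and DanglingPolicy is flagged for its reference to a role the template never defines; the managed policy and the correctly attached GroupPolicy pass. To check a real template, replace `json.loads(SAMPLE_TEMPLATE)` with `json.load(open("template.json"))`; YAML templates with short-form tags such as `!Ref` would first need a YAML loader that understands those tags, which this stdlib-only example deliberately avoids.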

I hope you were able to solve the issue. If not, please let me know what exactly you are facing. We might be able to help you.
