policy_sentry
Help needed with placeholders in Resource output (actions template)
Hi there,
Probably a dummy question. I've made an actions policy and it produced a policy, similar to the following:
...
{
    "Sid": "Ec2WriteSubnet",
    "Effect": "Allow",
    "Action": [
        "ec2:CreateNetworkInterface"
    ],
    "Resource": [
        "arn:${Partition}:ec2:${Region}:${Account}:subnet/${SubnetId}"
    ]
},
...
I'm really struggling to understand how I should use this, as it's obviously not a valid IAM policy. Is there something I have to pass in to the write_policy_with_template(...) that will change this? I've also tried to create my own SidGroup and then add ARNs, but that still results in these template resources.
The policy I'm trying to reproduce has a wildcard * ARN.
@rvangraan can you provide the template that you used? And what policy you are trying to reproduce?
Hey,
This is what we are trying to reproduce:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface",
                "ec2:DescribeNetworkInterfaces"
            ],
            "Resource": "*"
        }
    ]
}
We started, not with the CRUD template, but with the actions template. We passed only these two actions to the template and no resources (because ec2:CreateNetworkInterface doesn't need a resource):
"ec2:CreateNetworkInterface",
"ec2:DescribeNetworkInterfaces"
I'm trying to understand what I'm supposed to do with the placeholders that the generator emits:
"arn:${Partition}:ec2:${Region}:${Account}:subnet/${SubnetId}"
I can specify a subnet of course, but how do I get that substituted into this string?
Thank you for the help!
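Added example, not part of the thread and not policy_sentry code: one way to post-process a generated policy so that `${...}` placeholders in `Resource` entries are filled from a mapping and anything left unfilled is reported before the policy is deployed. The function name `resolve_resources`, the sample policy and the region, account and subnet values are constructed for illustration.

```python
import json
import re
from string import Template

# Matches the ${Name} placeholders seen in the generated Resource strings.
PLACEHOLDER = re.compile(r"\$\{([A-Za-z]+)\}")

# Constructed sample, modelled on the statement quoted in the thread.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Ec2WriteSubnet",
        "Effect": "Allow",
        "Action": ["ec2:CreateNetworkInterface"],
        "Resource": ["arn:${Partition}:ec2:${Region}:${Account}:subnet/${SubnetId}"],
    }],
}
# Constructed values; replace with your own partition, region, account and subnet.
SAMPLE_VALUES = {
    "Partition": "aws",
    "Region": "eu-west-1",
    "Account": "111122223333",
    "SubnetId": "subnet-0123456789abcdef0",
}


def resolve_resources(policy, values):
    """Fill placeholders in every Resource; return (new_policy, unresolved).

    unresolved maps a statement's Sid to the placeholder names that had no
    value, so a caller can refuse to deploy a policy that still contains them.
    """
    unresolved = {}
    statements = []
    for stmt in policy["Statement"]:
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):  # IAM allows a bare string, e.g. "*"
            resources = [resources]
        # safe_substitute leaves unknown ${Name} tokens in place instead of raising
        filled = [Template(r).safe_substitute(values) for r in resources]
        missing = sorted({name for r in filled for name in PLACEHOLDER.findall(r)})
        if missing:
            unresolved[stmt.get("Sid", "<no Sid>")] = missing
        statements.append({**stmt, "Resource": filled})
    return {**policy, "Statement": statements}, unresolved


if __name__ == "__main__":
    resolved, unresolved = resolve_resources(SAMPLE_POLICY, SAMPLE_VALUES)
    if unresolved:
        raise SystemExit(f"unresolved placeholders: {unresolved}")
    print(json.dumps(resolved, indent=4))
```
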