garnaat / kappa

What precedes Lambda
http://kappa.readthedocs.org/en/develop/
Apache License 2.0

DescribeSecurityGroups not useable #116

Open AnthonySheetz opened 7 years ago

AnthonySheetz commented 7 years ago

There is a collection of permissions which aren't attached to resources. I can't find a way to specify these in a policy.

This does not work:

      - arn: arn:aws:*
        actions:
        - "DescribeSecurityGroups"

as it produces

  File "/usr/local/lib/python2.7/dist-packages/kappa/policy.py", line 54, in document
    _, _, service, _ = arn.split(':', 3)
ValueError: need more than 3 values to unpack

Put another way, I have been unable to find a way to apply the following policy:

            "Action": [
                "ec2:DescribeSecurityGroups"
            ],
            "Effect": "Allow",
            "Resource": "*"

This is either a bug in documentation, or a bug in code; not sure which.

This would affect all the permissions at this link: http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#ec2-api-unsupported-resource-permissions

stevenbaker commented 7 years ago

Experiencing the same issue described above by @asheetz2000, but with a different "Describe". Curious how other folks are working around this?

[EDIT: Earlier I Had a Big "Me Too!" Here, But Figured It Out]

To @asheetz2000 ...

I think the way to accomplish what you want is by using "policy -> statements" in kappa.yml.

For example, do something like this:

environments:
  prod:
    region: us-east-1
    policy:
      statements:
        - Effect: Allow
          Resource: "*"
          Action:
            - "cloudwatch:DescribeAlarms"

As you've discovered, using "policy -> resources" won't work because policy.py wants to parse the ARN, so this is no good:

environments:
  prod:
    region: us-east-1
    policy:
      resources:
        - arn: "*"
          action:
            - "cloudwatch:DescribeAlarms"

For more information, see the "Policies" section at the bottom of the README: https://github.com/garnaat/kappa/blob/develop/README.rst#policies
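
The failure and the workaround discussed in this thread, as an added example that is not part of the thread and is not kappa's code. `service_from_arn` repeats the unpacking line quoted in the traceback; `build_statement` is a hypothetical helper that assumes the service parsed from the ARN is used to prefix unqualified action names, and the account ID and table name in the usage comments are constructed.

```python
def service_from_arn(arn):
    """Same unpacking as the policy.py line shown in the traceback."""
    # "arn:aws:*" splits into only three fields, so this raises ValueError
    _, _, service, _ = arn.split(':', 3)
    return service


def build_statement(resource, actions):
    """Hypothetical helper: build one IAM statement, accepting Resource "*"."""
    if resource == "*":
        # There is no ARN to take the service from, so each action must
        # already carry its own service prefix (e.g. "ec2:Describe...").
        # A bare "*" action is rejected too, which keeps the grant narrow.
        bad = [a for a in actions if ":" not in a or a.startswith(":")]
        if bad:
            raise ValueError(
                "wildcard resource needs service-prefixed actions: %r" % bad)
        full = list(actions)
    else:
        # arn:partition:service:region:account-id:resource
        parts = resource.split(":", 5)
        if len(parts) != 6 or parts[0] != "arn" or not parts[2]:
            raise ValueError("not a full ARN: %r" % resource)
        service = parts[2]
        # Assumption: unqualified actions take the ARN's service as prefix
        full = [a if ":" in a else "%s:%s" % (service, a) for a in actions]
    return {"Effect": "Allow", "Resource": resource, "Action": full}


if __name__ == "__main__":
    import json

    # The policy the first comment asks for
    print(json.dumps(build_statement("*", ["ec2:DescribeSecurityGroups"]),
                     indent=2))
    # A resource-scoped statement (constructed ARN)
    print(json.dumps(build_statement(
        "arn:aws:dynamodb:us-east-1:123456789012:table/example",
        ["GetItem"]), indent=2))
    # The ARN from the first comment fails validation with a clear message
    try:
        build_statement("arn:aws:*", ["DescribeSecurityGroups"])
    except ValueError as exc:
        print("rejected:", exc)
```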