I have an AWS SAM very simple project that has a permission boundary defined in this way:

Globals:
  Function:
    PermissionsBoundary: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/${AppId}-${AWS::Region}-PermissionsBoundary'
During deployment, I get the error:
Scope ARN: arn:aws:iam::360366933610:policy/gaaa-pablo-us-east-1-PermissionsBoundary does not exist or is not attachable. (Service: AmazonIdentityManagement; Status Code: 404; Error Code: NoSuchEntity; Request ID: 7217e1ad-0716-403c-a839-160db3a83310; Proxy: null)
How should this permission boundary be created? Is this supposed to be a manual task?
This seems to be one of the differences between running sam init on my machine and creating the exact same template through the AWS console. AWS seems to create this boundary, attach it to the application maybe, but not emit any code that would create it? I'm still trying to understand all the moving pieces here.
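One way to make the boundary part of the stack itself, so that the referenced policy exists before any function role is created, is to declare it as an `AWS::IAM::ManagedPolicy` resource and point `PermissionsBoundary` at it with `!Ref` (which returns the policy ARN for that resource type and gives CloudFormation the ordering dependency). The template below is an added example, not code from the question or from the SAM init template; it assumes an `AppId` parameter like the one used in the question's `!Sub`, and the DynamoDB statements and the `HelloFunction` resource are constructed placeholders for whatever the application actually needs.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31

Parameters:
  AppId:
    Type: String
    Description: Application name used in the boundary policy name (assumed parameter)

Globals:
  Function:
    Runtime: python3.12
    # !Ref on an AWS::IAM::ManagedPolicy resolves to its ARN, and the reference
    # makes CloudFormation create the boundary before any function role needs it,
    # so the "does not exist or is not attachable" error cannot occur.
    PermissionsBoundary: !Ref AppPermissionsBoundary

Resources:
  # The boundary is a customer managed policy. It grants nothing by itself;
  # it only caps what any execution role carrying it can ever do.
  AppPermissionsBoundary:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: !Sub '${AppId}-${AWS::Region}-PermissionsBoundary'
      Description: Upper bound on permissions for this application's Lambda roles
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowCloudWatchLogs
            Effect: Allow
            Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
            Resource: !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${AppId}-*'
          # Constructed placeholder: limit data access to this app's own tables.
          - Sid: AllowOwnTablesOnly
            Effect: Allow
            Action:
              - dynamodb:GetItem
              - dynamodb:PutItem
            Resource: !Sub 'arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${AppId}-*'

  # Constructed placeholder function; the boundary from Globals is applied to
  # the execution role that SAM generates for it.
  HelloFunction:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: !Sub '${AppId}-hello'
      Handler: app.handler
      CodeUri: src/
      # Permissions granted to the role. The effective permissions are the
      # intersection of these statements and the boundary above, so a later
      # edit that adds, say, s3:* here would still be denied at runtime.
      Policies:
        - Statement:
            - Effect: Allow
              Action: dynamodb:GetItem
              Resource: !Sub 'arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${AppId}-items'
```

With this layout a plain `sam deploy` creates the managed policy first and attaches it as the boundary of every generated function role. Keeping the boundary in the same template as the functions also keeps it under review: any widening of the cap shows up in the change set rather than being a manual IAM edit outside the stack.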