使用未链接到角色的 AWS CloudFormation 创建 CloudWatch 规则

Question

我正在尝试创建一个按计划触发并执行状态机（Step Functions）的 CloudWatch 规则。我正在使用 CloudFormation 来创建它，除了规则使用的 IAM 角色与规则本身的关联之外，一切都很好。这就是我的意思：

“使用现有角色”下的通知是空白的。

这是处理规则及其角色的 CF 模板部分。

"SFInvoke":{
    "Type": "AWS::IAM::Role",
    "Properties": {
      "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Service": {
                "Fn::Sub": "states.${AWS::Region}.amazonaws.com"
              }
            },
            "Action": "sts:AssumeRole"
          }
        ]
      },
      "Policies": [
        {
          "PolicyName": "StepFunctionsInvoke",
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Effect": "Allow",
                "Action": [
                  "states:StartExecution"
                ],
                "Resource": { "Ref" : "StateMachine"}
              }
            ]
          }
        }
      ]
    }
  },
  "CloudWatchStateMachineSDCEventRule": {
    "Type":"AWS::Events::Rule",
    "Properties": {
      "Description":"CloudWatch trigger for the InSite Static Data Consumer",
      "ScheduleExpression": "rate(5 minutes)",
      "State":"ENABLED",
      "Targets":[{
        "Arn":{ "Ref" : "StateMachine"},
        "Id":"StateMachineTargetId",
        "RoleArn":{
          "Fn::GetAtt": [
            "SFInvoke",
            "Arn"
          ]
        }
      }]
    }
},

Answer 1

您希望SFInvoke 角色显示在Use existing role selector 上吗？

如果是这种情况，您需要将 Principal 设置为 events 而不是 states。

您正在编辑上面屏幕截图中的事件目标，而不是步进函数。 Principal 定义可以承担该角色的服务，在您的情况下是事件服务。

试试这个来创建角色：

"SFInvoke":{
  "Type": "AWS::IAM::Role",
  "Properties": {
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "events.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    },
    "Policies": [
      {
        "PolicyName": "StepFunctionsInvoke",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "states:StartExecution"
              ],
              "Resource": { "Ref" : "StateMachine"}
            }
          ]
        }
      }
    ]
  }
}

Answer 2

Yaml 可能是：
基于主体：作为基于事件的服务和操作：开始执行 StepFunctions 状态机。

AWSEventsInvokeStepFunctions:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:  
              Service: 
                - events.amazonaws.com                   
            Action: sts:AssumeRole     
      Policies:
        - PolicyName: AWSEventsInvokeStepFunctions
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - states:StartExecution
                Resource: !Sub "arn:aws:states:${AWS::Region}:${AWS::AccountId}:stateMachine:*" 

现在本质上通用的角色可以应用于 CloudWatch 事件规则，赋予规则能够基于 Amazon S3 事件启动 StepFunctions 状态机执行的权限。

AmazonCloudWatchEventRule:
    Type: AWS::Events::Rule
    Properties:
      EventPattern:
        source:
          - aws.s3
        detail-type:
          - 'AWS API Call via CloudTrail'
        detail:
          eventSource:
            - s3.amazonaws.com
          eventName:           
            - PutObject            
          requestParameters:
            bucketName:
              - !Ref EventBucket
      Targets:
        - 
          RoleArn: !GetAtt AWSEventsInvokeStepFunctions.Arn
          Arn: !Sub "arn:aws:states:${AWS::Region}:${AWS::AccountId}:stateMachine:MyStateMachine"        
          Id: !Sub "StepExecution"

您可以在Start the Execution of State Machine based on Amazon S3 Event 上查看更多信息