【发布时间】:2018-11-20 13:37:45
【问题描述】:
使用 AWS,我正在构建一个 cloud formation 堆栈定义:
- 名为
MyPolicy的托管策略 - 一个名为
MyRole的角色应该附加该策略
堆栈将由管理员创建;并且一旦创建,目标是允许(从堆栈外部)一些用户假设MyRole。
我的问题:应该如何定义角色才能附加该政策?
role properties 的 AWS 帮助页面建议使用ManagedPolicyArns,但根据我引用MyPolicy 的方式,我会遇到各种错误:
如果我使用GetAtt 函数检索策略的arn,我会在模板验证时收到错误:
"ManagedPolicyArns": [ { "Fn::GetAtt" : [ "MyPolicy", "Arn" ] } ]
模板错误:资源 MyPolicy 不支持 Fn::GetAtt 中的属性类型 Arn
如果我使用Join 函数来构建策略的arn,我会在角色创建过程中出错。
"ManagedPolicyArns": [ { "Fn::Join" : [ "", [ "arn:aws:iam::", { "Ref": "AWS::AccountId" }, ":policy/", { "Ref": "MyPolicy" } ] ] } ]
ARN arn:aws:iam::aws:policy/arn:aws:iam::«my-account-id»:policy/MyPolicy 无效。 (服务:AmazonIdentityManagement;状态代码:400;错误代码:InvalidInput;请求 ID:«an-id»)
以下是我使用JSON 格式的堆栈定义:
{
"AWSTemplateFormatVersion" : "2010-09-09",
"Resources" : {
"MyPolicy" : {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"ManagedPolicyName" : "MyPolicy",
"PolicyDocument" : {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [ "s3:*" ],
"Resource": "arn:aws:s3:::the-bucket"
}
]
}
}
},
"MyRole" : {
"Type": "AWS::IAM::Role",
"RoleName": "MyRole",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": { "AWS": {"Fn::Join" : [ "", [ "arn:aws:iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } },,
"Action": [ "sts:AssumeRole" ]
}
]
},
"ManagedPolicyArns": [
{ "Fn::GetAtt" : [ "MyPolicy", "Arn" ] }
]
}
}
}
【问题讨论】:
标签: amazon-web-services amazon-cloudformation amazon-iam