【Question title】: creating aws IAM Role using cloudformation does not create RolePolicies
【Posted】: 2017-05-05 15:28:03
【Question】:

I am creating an ec2 instance with a role that provides access to a kinesis stream and a Dynamodb offset table. I am using aws cloudformation for this.

The problem I am running into is in creating the Streaming Access IAM Role itself.

So, I will have the following structure,

                        has
StreamingAccessRole ----------> RolePolicy1(kinesis:*), RolePolicy2(dynamodb:*)

Template creating an AWS IAM role with two policies, one for kinesis and the other for dynamodb:

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "teamIdentifier": {
      "Type": "String",
      "Default": "a28",
      "Description": "Identifier for the team"
    }
  },
  "Resources": {
    "StreamingAccessRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "ec2.amazonaws.com"
                ]
              },
              "Action": [
                "sts:AssumeRole"
              ]
            }
          ]
        },
        "Path": "/a28/",
        "Policies": [
          {
            "PolicyName": "Stream-ConsumerOffset-RW-AccessPolicy",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": "kinesis:*",
                  "Resource": "arn:aws:kinesis:us-west-2:*:stream/a28-*"
                },
                {
                  "Effect": "Allow",
                  "Action": "dynamodb:*",
                  "Resource": "arn:aws:dynamodb:us-west-2:*:table/a28-*"
                }
              ]
            }
          }
        ]
      }
    }
  }
}

It creates the access role but no role policies.

$ aws iam get-role --role-name a28-streaming-access-role-st-StreamingAccessRole-14QHMTIOIRN5X --region us-west-2 --profile aws-federated
{
    "Role": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17", 
            "Statement": [
                {
                    "Action": "sts:AssumeRole", 
                    "Effect": "Allow", 
                    "Principal": {
                        "Service": "ec2.amazonaws.com"
                    }
                }
            ]
        }, 
        "RoleId": "AROAIFD6X2CJXTKLVQNLE", 
        "CreateDate": "2017-04-07T18:54:59Z", 
        "RoleName": "a28-streaming-access-role-st-StreamingAccessRole-14QHMTIOIRN5X", 
        "Path": "/a28/", 
        "Arn": "arn:aws:iam::500238854089:role/a28/a28-streaming-access-role-st-StreamingAccessRole-14QHMTIOIRN5X"
    }
}

Listing the role policies

$ aws iam list-role-policies --role-name a28-streaming-access-role-st-StreamingAccessRole-14QHMTIOIRN5X --region us-west-2 --profile aws-federated
{
    "PolicyNames": []
}

This means it did not even create any policy,

aws iam list-policies --region us-west-2 --profile aws-federated | grep Stream-ConsumerOffset-RW-AccessPolicy

But if I provide only the kinesis:* statement in the example above, it creates a policy; it does not with dynamodb:* alone.

So, my question is how multiple RolePolicies should be provided using one cloudformation AWS::IAM::Role template, or whether this is specific to dynamodb?

【Question discussion】:

    Tags: amazon-web-services amazon-cloudformation amazon-iam


    【Answer 1】:

    There is an intermittent race condition when you create the policies inside the role. Create the policy separately with AWS::IAM::Policy and set its Roles property to the Role. The problem goes away.

    【Comments】:

    • You sound like the first person to have hit this bug. I just tried using a dynamo policy and referencing the role and it did work, I'll work through the problem and see. Thanks
    • No. I went through a lot of pain to find it, AWS support acknowledged it, and admitted they knew about it and that it is not documented
    • These kinds of bugs seem to be prevalent in the AWS ecosystem. :(
    【Answer 2】:

    Your template works fine for me.

    I ran your template, then:

    $ aws iam get-role --role-name stack1-StreamingAccessRole-1KDUTVG1OLLQM
    {
        "Role": {
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17", 
                "Statement": [
                    {
                        "Action": "sts:AssumeRole", 
                        "Effect": "Allow", 
                        "Principal": {
                            "Service": "ec2.amazonaws.com"
                        }
                    }
                ]
            }, 
            "RoleId": "AROAJADV75HTIM6C62YXQ", 
            "CreateDate": "2017-04-08T22:22:21Z", 
            "RoleName": "stack1-StreamingAccessRole-1KDUTVG1OLLQM", 
            "Path": "/a28/", 
            "Arn": "arn:aws:iam::123456789012:role/a28/stack1-StreamingAccessRole-1KDUTVG1OLLQM"
        }
    }
    

    Listing the role policies:

    $ aws iam list-role-policies --role-name stack1-StreamingAccessRole-1KDUTVG1OLLQM
    {
        "PolicyNames": [
            "Stream-ConsumerOffset-RW-AccessPolicy"
        ]
    }
    

    The policy is attached as an inline policy, so it will not show up in list-policies. Use get-role-policy to view it instead:

    $ aws iam get-role-policy --role-name stack1-StreamingAccessRole-1KDUTVG1OLLQM --policy-name Stream-ConsumerOffset-RW-AccessPolicy
    {
        "RoleName": "stack1-StreamingAccessRole-1KDUTVG1OLLQM", 
        "PolicyDocument": {
            "Version": "2012-10-17", 
            "Statement": [
                {
                    "Action": "kinesis:*", 
                    "Resource": "arn:aws:kinesis:us-west-2:*:stream/a28-*", 
                    "Effect": "Allow"
                }, 
                {
                    "Action": "dynamodb:*", 
                    "Resource": "arn:aws:dynamodb:us-west-2:*:table/a28-*", 
                    "Effect": "Allow"
                }
            ]
        }, 
        "PolicyName": "Stream-ConsumerOffset-RW-AccessPolicy"
    }
    

    【Comments】:

    • Thanks John for the answer. Something strange is going on with my company account. I also checked the aws UI and found that the policy disappears after a while. I have been trying for a few days but cannot get it to work. I feel there is some restriction on creating policies. Could you suggest a way to debug why the policy is not attached? aws cloudformation describe-stack-events --stack-name a28-streaming-access-stack --region us-west-2 does not give much information.
    • It only works for the kinesis:* role policy, but not for dynamodb:*, which is strange.
    • Resources disappearing suggests the CloudFormation stack is being deleted or rolled back. Check whether it still shows CREATE_COMPLETE and look at the "Resources" tab to check what has been created.
    • Yes, the status is still CREATE_COMPLETE. The strange thing is that it does not add the dynamodb:* action, only kinesis:*
    【Answer 3】:

    The reason is probably the race condition that Tim Bassett already covered in this answer; I just want to add the final solution, and how to add an AWS::IAM::Policy to cloudformation.

    {
      "AWSTemplateFormatVersion": "2010-09-09",
      "Description": "Some Streaming api devops",
      "Parameters": {
        "environment": {
          "Type": "String",
          "Default": "staging",
          "Description": "environment"
        }
      },
      "Resources": {
        "StreamingAccessRole": {
          "Type": "AWS::IAM::Role",
          "Properties": {
            "RoleName": "StreamingAccessRole",
            "AssumeRolePolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Principal": {
                    "Service": [
                      "ec2.amazonaws.com"
                    ]
                  },
                  "Action": [
                    "sts:AssumeRole"
                  ]
                }
              ]
            },
            "Path": "/a28/"
          }
        },
        "StreamConsumerOffsetRWAccessPolicy": {
          "Type": "AWS::IAM::Policy",
          "Properties": {
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [
                    "cloudwatch:*"
                  ],
                  "Resource": [
                    "*"
                  ]
                },
                {
                  "Effect": "Allow",
                  "Action": "kinesis:*",
                  "Resource": "arn:aws:kinesis:us-west-2:051620159240:stream/a28-*"
                },
                {
                  "Effect": "Allow",
                  "Action": [
                    "dynamodb:BatchGetItem",
                    "dynamodb:BatchWriteItem",
                    "dynamodb:CreateTable",
                    "dynamodb:DeleteItem",
                    "dynamodb:DeleteTable",
                    "dynamodb:DescribeLimits",
                    "dynamodb:DescribeReservedCapacity",
                    "dynamodb:DescribeReservedCapacityOfferings",
                    "dynamodb:DescribeStream",
                    "dynamodb:DescribeTable",
                    "dynamodb:GetItem",
                    "dynamodb:GetRecords",
                    "dynamodb:GetShardIterator",
                    "dynamodb:ListStreams",
                    "dynamodb:ListTables",
                    "dynamodb:PutItem",
                    "dynamodb:Query",
                    "dynamodb:Scan",
                    "dynamodb:UpdateItem",
                    "dynamodb:UpdateTable"
                  ],
                  "Resource": "arn:aws:dynamodb:us-west-2:051620159240:table/a28-*"
                },
                {
                  "Action": [
                    "sns:*Permission",
                    "sns:Create*",
                    "sns:Delete*",
                    "sns:Publish",
                    "sns:ReceiveMessage",
                    "sns:Set*"
                  ],
                  "Resource": [
                    "arn:aws:sns:us-west-2:051620159240:a28-*"
                  ],
                  "Effect": "Allow"
                }
              ]
            },
            "PolicyName": "StreamConsumerOffsetRWAccessPolicy",
            "Roles": [
              {
                "Ref": "StreamingAccessRole"
              }
            ]
          }
        }
      }
    }
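As an added check (example code, not from the question or any of the answers), the script below statically walks a CloudFormation template and lists what each role will actually carry, from both inline Properties.Policies and standalone AWS::IAM::Policy resources attached through Roles, then flags Allow statements that grant a service-wide or bare wildcard. The embedded template is a constructed reduction of the two variants shown on this page; run it against a real template before deploying, and compare the result with get-role-policy afterwards.

```python
# Constructed template (a reduction of the two variants on this page, not a file from it):
# one role with an inline policy, plus a standalone AWS::IAM::Policy attached via Ref.
TEMPLATE = {"Resources": {
    "StreamingAccessRole": {"Type": "AWS::IAM::Role", "Properties": {
        "Path": "/a28/",
        "Policies": [{"PolicyName": "InlineKinesis", "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": "kinesis:*",
             "Resource": "arn:aws:kinesis:us-west-2:*:stream/a28-*"}]}}]}},
    "StreamConsumerOffsetRWAccessPolicy": {"Type": "AWS::IAM::Policy", "Properties": {
        "PolicyName": "StreamConsumerOffsetRWAccessPolicy",
        "Roles": [{"Ref": "StreamingAccessRole"}],
        "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": ["cloudwatch:*"], "Resource": ["*"]},
            {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
             "Resource": "arn:aws:dynamodb:us-west-2:*:table/a28-*"}]}}}}}


def _as_list(value):
    # IAM allows Action/Resource as a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def role_statements(template):
    """Map each AWS::IAM::Role logical id to the (policy_name, statement) pairs it carries:
    inline Properties.Policies plus AWS::IAM::Policy resources naming it in Roles."""
    resources = template["Resources"]
    out = {rid: [] for rid, r in resources.items() if r["Type"] == "AWS::IAM::Role"}
    for rid, res in resources.items():
        props = res.get("Properties", {})
        if res["Type"] == "AWS::IAM::Role":
            for pol in props.get("Policies", []):
                for st in pol["PolicyDocument"]["Statement"]:
                    out[rid].append((pol["PolicyName"], st))
        elif res["Type"] == "AWS::IAM::Policy":
            for ref in props.get("Roles", []):
                target = ref.get("Ref") if isinstance(ref, dict) else None
                if target in out:  # roles defined outside this template are ignored
                    for st in props["PolicyDocument"]["Statement"]:
                        out[target].append((props["PolicyName"], st))
    return out


def wildcard_findings(template):
    """Least-privilege check: Allow statements with a bare or service-wide wildcard
    action (e.g. kinesis:*) or a '*' resource, as 'role/policy: action -> resource'."""
    findings = []
    for rid, stmts in role_statements(template).items():
        for name, st in stmts:
            if st.get("Effect") != "Allow":
                continue
            for action in _as_list(st["Action"]):
                for resource in _as_list(st["Resource"]):
                    if action == "*" or action.endswith(":*") or resource == "*":
                        findings.append(f"{rid}/{name}: {action} -> {resource}")
    return findings
```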
    

    【Comments】:
