【Posted】: 2021-04-09 17:54:20
【Question】:
Trying to create an SSL certificate with Amazon Certificate Manager, as described here -
https://medium.com/swlh/aws-website-hosting-with-cloudformation-guide-36cac151d1af
I have a deploy user with the following policy -
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudformation:*",
                "s3:*",
                "route53:*",
                "acm:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
But when I deploy, I get the following -
API: certificatemanager:changeResourceRecordSets User #{my_IAM_deploy_user} is not authorized to access this resource
How can I get this error despite having acm:* access?
(Wondering whether it is related to "Why changeResourceRecordSets gets not authorized to access this resource?", but not sure how exactly)
(CloudFormation template below)
---
AWSTemplateFormatVersion: '2010-09-09'
Description: cloudfront-route53-demo-cert
Parameters:
  DomainName:
    Type: String
  HostedZoneId:
    Type: String
    Default: Z1BKCTXD74EZPE # eu-west-1; https://docs.aws.amazon.com/general/latest/gr/s3.html#s3_website_region_endpoints
Outputs:
  CertificateARN:
    Value:
      Ref: Certificate # returns ARN
Resources:
  Certificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName:
        Ref: DomainName
      DomainValidationOptions:
        - DomainName:
            Ref: DomainName
          HostedZoneId:
            Ref: HostedZoneId
      ValidationMethod: DNS
【Discussion】:
- changeResourceRecordSets relates to AWS Route 53. Is your AWS CFN template modifying an AWS Route53 RecordSet? If so, your IAM user will need permission to perform the action route53:ChangeResourceRecordSets
- As shown above, the IAM user has permissions for both acm:* and route53:*
- Do you have permission to modify the HostedZoneId used here?
- Why does the template want ChangeResourceRecordSets? Is it because the record set is in eu-west-1 but the certificate needs to be created in us-east-1, and the region needs to be changed?
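The comments above turn on two separate questions: does the posted policy grant route53:ChangeResourceRecordSets at all, and does the deploy user actually have a hosted zone matching the HostedZoneId the template passes in. The first can be answered offline from the policy text. The following Python script is an added example, not code from the question, its comments, or AWS: it evaluates an IAM identity-based policy with the basic IAM rules (explicit Deny wins, otherwise any matching Allow grants, otherwise implicit deny; Condition, NotAction and NotResource are not modelled), runs the asker's posted policy through it, and contrasts it with a constructed alternative that confines record writes to a single hosted zone. The account ID, zone IDs, certificate ARN and the list of actions in the scoped policy are assumptions made for the example.

```python
"""Offline IAM policy check (added example, not from the question or AWS).

Answers "does this policy allow action X on resource Y?" with IAM's core
rules.  Condition, NotAction and NotResource are deliberately not modelled;
all IDs and ARNs below are constructed placeholders.
"""
import fnmatch

# The deploy user's policy exactly as posted in the question.
POSTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["cloudformation:*", "s3:*", "route53:*", "acm:*"],
            "Effect": "Allow",
            "Resource": "*",
        }
    ],
}

OWNED_ZONE_ID = "Z0000000OWNEDZONE"  # constructed: a hosted zone this account owns
OTHER_ZONE_ID = "Z0000000OTHERZONE"  # constructed: any other hosted zone ID
CERT_ARN = "arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER"  # constructed


def hosted_zone_arn(zone_id: str) -> str:
    """Route 53 hosted zone ARNs carry no region and no account ID."""
    return f"arn:aws:route53:::hostedzone/{zone_id}"


# Constructed alternative: same ACM capability, but record writes are limited
# to one hosted zone.  The action list is an assumption about what the
# template needs, not a verified minimum.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AcmCertificateLifecycle",
            "Effect": "Allow",
            "Action": [
                "acm:RequestCertificate",
                "acm:DescribeCertificate",
                "acm:DeleteCertificate",
                "acm:AddTagsToCertificate",
            ],
            "Resource": "*",
        },
        {
            "Sid": "DnsValidationRecordsInOneZone",
            "Effect": "Allow",
            "Action": "route53:ChangeResourceRecordSets",
            "Resource": hosted_zone_arn(OWNED_ZONE_ID),
        },
        {
            "Sid": "ReadZonesAndChangeStatus",
            "Effect": "Allow",
            "Action": ["route53:ListHostedZones", "route53:GetChange"],
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str, case_insensitive: bool) -> bool:
    """IAM wildcard matching: '*' matches any run of characters, '?' one."""
    for pattern in _as_list(patterns):
        left, right = (value, pattern)
        if case_insensitive:
            left, right = value.lower(), pattern.lower()
        if fnmatch.fnmatchcase(left, right):
            return True
    return False


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """True if `policy` allows `action` on `resource` (explicit Deny wins)."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; ARNs are matched as written.
        if not _matches(stmt.get("Action", []), action, case_insensitive=True):
            continue
        if not _matches(stmt.get("Resource", []), resource, case_insensitive=False):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def check_dns_validation_access(policy: dict, zone_id: str) -> dict:
    """Permissions assumed to be exercised when CloudFormation requests the
    certificate and writes the ACM validation CNAME into `zone_id`."""
    zone = hosted_zone_arn(zone_id)
    return {
        "acm:RequestCertificate": is_allowed(policy, "acm:RequestCertificate", "*"),
        "acm:DescribeCertificate": is_allowed(policy, "acm:DescribeCertificate", CERT_ARN),
        "route53:ChangeResourceRecordSets": is_allowed(policy, "route53:ChangeResourceRecordSets", zone),
        "route53:GetChange": is_allowed(policy, "route53:GetChange", "*"),
    }


if __name__ == "__main__":
    for name, policy in (("posted", POSTED_POLICY), ("scoped", SCOPED_POLICY)):
        for zone in (OWNED_ZONE_ID, OTHER_ZONE_ID):
            print(name, zone, check_dns_validation_access(policy, zone))
```

Run against the posted policy, every check passes for any zone ID whatsoever, because `route53:*` on `Resource: *` lets the deploy user rewrite records in every hosted zone in the account. A static evaluation therefore cannot reproduce the error; whether the given HostedZoneId is a zone the account owns, which one comment asks about, is something only the account's own hosted zone list can confirm. The scoped policy shows the other half of the trade-off: it still passes for the one zone the deployment uses and fails for any other, so a wrong zone ID shows up as a policy mismatch rather than as write access to the wrong zone.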
Tags: amazon-web-services amazon-route53 aws-certificate-manager