Cloudformation参数作为逻辑ID

Question

I am trying to create a IAM role using cloudFormation. 我正在尝试使用cloudFormation创建一个IAM角色。 There is a parameter that I want to include in the role name. 我要在角色名称中包含一个参数。 My cloudformation script has the following: 我的cloudformation脚本具有以下内容：

"Resources" : { 
    "TestRole" : {
        "Type" : "AWS::IAM::Role",
        "Properties" : {
            "AssumeRolePolicyDocument": {
                "Version" : "2012-10-17",
                "Statement": [ {
                    "Effect": "Allow",
                    "Principal": {
                        "Service": [ "ec2.amazonaws.com" ]
                    },
                    "Action": [ "sts:AssumeRole" ]
                }]
            }
        }
    }
}

My cloudformation stack is named role-test. 我的cloudformation堆栈称为角色测试。 This creates a IAM role with the name role-test-TestRole- RandomString . 这将创建一个名称为role-test-TestRole- RandomString的IAM角色。 Is there a way to have the rolename to be exactly what I specify in the parameter? 有没有一种方法可以使角色名与我在参数中指定的完全相同？

Answer 1

It doesn't look like that'll actually work since each resource needs to have a unique ID and this ID is generated by AWS::CF. 由于每个资源都需要具有唯一的ID，并且该ID是由AWS :: CF生成的，因此看起来似乎无法实际使用。

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html

From what I understand from talking to AWS folks in the past, this is done like this because each resource needs a uniquely identifiable ID. 从我过去与AWS员工的交谈中了解到，这样做是因为每个资源都需要一个唯一可标识的ID。

This ID is used when calling something like this: 调用如下代码时将使用此ID：

{"Fn::GetAtt" : ["TestRole", "Arn"] } {“ Fn :: GetAtt”：[“ TestRole”，“ Arn”]}

Hope that helps. 希望能有所帮助。

Answer 2

It is already possible to specify a custom name for IAM roles in CF: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-rolename 已经可以为CF中的IAM角色指定自定义名称： https : //docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-rolename

A name for the IAM role. IAM角色的名称。 For valid values, see the RoleName parameter for the CreateRole action in the IAM API Reference . 有关有效值，请参阅《 IAM API参考》中的CreateRole操作的RoleName参数。 If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the group name. 如果您未指定名称，则AWS CloudFormation会生成一个唯一的物理ID，并将该ID用作组名。

Important 重要

If you specify a name, you cannot do updates that require this resource to be replaced. 如果指定名称，则无法进行需要替换该资源的更新。 You can still do updates that require no or some interruption. 您仍然可以进行更新，而无需进行任何中断。 If you must replace the resource, specify a new name. 如果必须替换资源，请指定一个新名称。

If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to acknowledge your template's capabilities. 如果指定名称，则必须指定CAPABILITY_NAMED_IAM值以确认模板的功能。 For more information, see Acknowledging IAM Resources in AWS CloudFormation Templates . 有关更多信息，请参阅在AWS CloudFormation模板中确认IAM资源。

Warning 警告

Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple regions. 如果您在多个区域中重复使用同一模板，则命名IAM资源可能会导致不可恢复的错误。 To prevent this, we recommend using Fn::Join and AWS::Region to create a region-specific name, as in the following example: {"Fn::Join": ["", [{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]} . 为防止这种情况，我们建议使用Fn::Join和AWS::Region创建特定于区域的名称，如以下示例所示： {"Fn::Join": ["", [{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]} 。

Though, it needs an extra capability as it is stated in the documentation. 但是，它需要额外的功能，如文档中所述。

Cloudformation参数作为逻辑ID

问题描述

2 个解决方案

解决方案1
0 2016-01-04 18:29:47

解决方案2
0 2016-08-07 18:33:44

Important 重要

Warning 警告

Cloudformation参数作为逻辑ID

问题描述

2 个解决方案

解决方案1 0 2016-01-04 18:29:47

解决方案2 0 2016-08-07 18:33:44

Important 重要

Warning 警告

解决方案1
0 2016-01-04 18:29:47

解决方案2
0 2016-08-07 18:33:44