Cloudformation模板为SQS创建角色

Question

I am trying to create a role with embedded policy using cloudformation template : 我正在尝试使用cloudformation模板创建具有嵌入式策略的角色：

{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
  "SQSRole": {
     "Type": "AWS::IAM::Role",
     "Properties": {
        "AssumeRolePolicyDocument": {
           "Version" : "2012-10-17",
           "Statement": [ {
              "Effect": "Allow",
              "Principal": {
                 "Service": [ "sqs.amazonaws.com" ]
              },
              "Action": [
                    "SQS:SendMessage",
                    "SQS:ReceiveMessage",
                    "SQS:DeleteMessage",
                    "SQS:GetQueueUrl"
                ]
           } ]
        },
        "Path": "/"
        }
  },
  "RootInstanceProfile": {
     "Type": "AWS::IAM::InstanceProfile",
     "Properties": {
        "Path": "/",
        "Roles": [ {
           "Ref": "SQSRole"
        } ]
     }
  }
}
}

It gives an error " Invalid principal in policy: "SERVICE":"sqs.amazonaws.com". 它给出错误“策略中的无效主体：“ SERVICE”：“ sqs.amazonaws.com”。

I also tried by replacing exact URL of SQS queue : "SERVICE":"sqs.ap-south-1.amazonaws.com/710161973367/CFI-Trace" 我还尝试通过替换SQS队列的确切URL：“ SERVICE”：“ sqs.ap-south-1.amazonaws.com/710161973367/CFI-Trace”

Still it gives same error. 仍然给出相同的错误。 Not sure what service to specify for sqs. 不确定要为sqs指定什么服务。

Answer 1

If you're trying to create an IAM role to be assumed by an EC2 instance, you should use this instead: 如果尝试创建要由EC2实例承担的IAM角色，则应改用以下方法：

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "SQSRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "ec2.amazonaws.com"
                ]
              },
              "Action": [
                "sts:AssumeRole"
              ]
            }
          ]
        },
        "Path": "/",
        "Policies": [
          {
            "PolicyName": "SqsAccess",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Sid": "1",
                  "Effect": "Allow",
                  "Action": [
                    "SQS:SendMessage",
                    "SQS:ReceiveMessage",
                    "SQS:DeleteMessage",
                    "SQS:GetQueueUrl"
                  ],
                  "Resource": [
                    "*"
                  ]
                }
              ]
            }
          }
        ]
      }
    },
    "RootInstanceProfile": {
      "Type": "AWS::IAM::InstanceProfile",
      "Properties": {
        "Path": "/",
        "Roles": [
          {
            "Ref": "SQSRole"
          }
        ]
      }
    }
  }
}

Note that the service that will assume your IAM role is now ec2.amazonaws.com . 请注意，现在将担当您IAM角色的服务是ec2.amazonaws.com 。 Also, the EC2 service is now only allowed to assume your IAM role (via sts:AssumeRole ). 而且，现在仅允许EC2服务承担您的IAM角色（通过sts:AssumeRole ）。 Finally, all your sqs:* Actions have been moved into the IAM Role's Policies attribute. 最后，您所有的sqs:*操作已移至IAM角色的“ Policies属性中。

Cloudformation模板为SQS创建角色

问题描述

1 个解决方案

解决方案1
1 2017-01-02 18:36:26

Cloudformation模板为SQS创建角色

问题描述

1 个解决方案

解决方案1 1 2017-01-02 18:36:26

解决方案1
1 2017-01-02 18:36:26