[英]How to use AWS principal in reference parameter in cloudformation
I have to automate this line "AWS": "arn:aws:iam::684821578293:user/jenkins" on my cloudformation template but while using join it will not working can somebody help me in this.我必须在我的 cloudformation 模板上自动执行此行 "AWS": "arn:aws:iam::684821578293:user/jenkins" 但是在使用 join 时它不起作用,有人可以帮助我吗?
Working template is below you can use following snap to parameters list工作模板在下面,您可以使用以下捕捉到参数列表
StackName: test堆栈名称:测试
CreateCodeDeployRole: false CreateECSRole: false CreateJenkinsRole: true CustomerPrefix: kfc ( anyname) Environment: dt GroupName: sogetiadmin RoleName: Jenkins_Tool_Access UserName: jenkins CreateCodeDeployRole: false CreateECSRole: false CreateJenkinsRole: true CustomerPrefix: kfc (anyname) Environment: dt GroupName: sogetiadmin RoleName: Jenkins_Tool_Access UserName: jenkins
https://s3.amazonaws.com/linuxblogger-k8s-state/iamcreation_working.json https://s3.amazonaws.com/linuxblogger-k8s-state/iamcreation_working.json
Problem:问题:
But once i update this entry on working template from "AWS": "arn:aws:iam::684821578293:user/admin" to "AWS": "arn:aws:iam::684821578293:user/jenkins" it will not working.但是,一旦我将工作模板上的条目从“AWS”更新为“arn:aws:iam::684821578293:user/admin”到“AWS”:“arn:aws:iam::684821578293:user/jenkins”,它就不会在职的。
I try with join function with Jenkins user but it won't working you can view this json from below我尝试加入 function 和 Jenkins 用户,但它不起作用你可以从下面查看这个 json
https://s3.amazonaws.com/linuxblogger-k8s-state/iamcreation_not_working.json https://s3.amazonaws.com/linuxblogger-k8s-state/iamcreation_not_working.json
{
"AWSTemplateFormatVersion" : "2010-09-09",
"Description" : "IAM groups and account-wide role configurations",
"Parameters" : {
"CustomerPrefix" : {
"Type" : "String",
"Default" : "testcust",
"Description" : "Enter Customer Prefix"
},
"Environment" : {
"Type" : "String",
"Default" : "dt",
"Description" : "Enter Environment (Input Format - d=development, t=test, a=acceptance, p=production, dt=devtest, ap=acceptanceproduction)",
"AllowedValues" : [
"d",
"t",
"a",
"p",
"dt",
"ap"
]
},
"CreateCodeDeployRole" : {
"Type" : "String",
"Default" : "true",
"Description" : "Whether a role should be created for use with AWS CodeDeploy",
"AllowedValues" : ["true", "false"],
"ConstraintDescription" : "Must be true or false."
},
"CreateECSRole" : {
"Type" : "String",
"Default" : "true",
"Description" : "Whether a role should be created for use with AWS EC2 Container Service",
"AllowedValues" : ["true", "false"],
"ConstraintDescription" : "Must be true or false."
},
"CreateJenkinsRole" : {
"Type" : "String",
"Default" : "true",
"Description" : "Whether a role should be created for use with Aws Jenkins Service",
"AllowedValues" : ["true", "false"],
"ConstraintDescription" : "Must be true or false."
},
"UserName" : {
"Type" : "String",
"Default" : "jenkins",
"Description" : "Please Provide Name of the IAM user"
},
"RoleName" : {
"Type" : "String",
"Default" : "Jenkins_Tool_Access",
"Description" : "Please Provide Name of the IAM Role"
},
"GroupName" : {
"Type" : "String",
"Default" : "sogetiadmin",
"Description" : "Please Provide Name of the IAM Role"
}
},
"Conditions" :{
"IsDev" : {
"Fn::Equals" : [ { "Ref" : "Environment" }, "dev" ]
},
"IsQet" : {
"Fn::Equals" : [ { "Ref" : "Environment" }, "qet" ]
},
"IsStg" : {
"Fn::Equals" : [ { "Ref" : "Environment" }, "stg" ]
},
"IsPrd" : {
"Fn::Equals" : [ { "Ref" : "Environment" }, "prd" ]
},
"CreateCodeDeployRole" : {
"Fn::Equals" : [ { "Ref" : "CreateCodeDeployRole" }, "true" ]
},
"CreateECSRole" : {
"Fn::Equals" : [ { "Ref" : "CreateECSRole" }, "true" ]
},
"CreateJenkinsRole" : {
"Fn::Equals" : [ { "Ref" : "CreateJenkinsRole" }, "true" ]
}
},
"Resources" : {
"AWSCodeDeployRole" : {
"Type" : "AWS::IAM::Role",
"Condition" : "CreateCodeDeployRole",
"Properties" : {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": {
"Fn::Join": [
".",
[
"codedeploy",
{ "Ref" : "AWS::Region" },
"amazonaws.com"
]
]
}
},
"Action": "sts:AssumeRole"
}
]
},
"Policies" : [
{
"PolicyName" : "AWSCodeDeployPolicy",
"PolicyDocument" : {
"Statement": [
{
"Action": [
"autoscaling:PutLifecycleHook",
"autoscaling:DeleteLifecycleHook",
"autoscaling:RecordLifecycleActionHeartbeat",
"autoscaling:CompleteLifecycleAction",
"autoscaling:DescribeAutoscalingGroups",
"autoscaling:PutInstanceInStandby",
"autoscaling:PutInstanceInService",
"ec2:Describe*"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"s3:Get*",
"s3:List*"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"-",
[
"arn:aws:s3:::deployments",
{ "Ref" : "CustomerPrefix" },
{ "Ref" : "Environment" },
"/artifacts/projects/*"
]
]
}
}
]
}
}
]
}
},
"JenkinsUser" : {
"Type" : "AWS::IAM::User",
"Condition" : "CreateJenkinsRole",
"Properties" : {
"UserName" : { "Ref" : "UserName" },
"ManagedPolicyArns":
[
"arn:aws:iam::aws:policy/AdministratorAccess"
]
}
},
"AWSJenkinsServiceRole" : {
"Type": "AWS::IAM::Role",
"Condition" : "CreateJenkinsRole",
"DependsOn" : "JenkinsUser",
"Properties" : {
"RoleName": { "Ref" : "RoleName" },
"AssumeRolePolicyDocument": {
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "cloudformation.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": { "Fn::Join" : [ "/", [ "arn:aws:iam::684821578293:user", { "Ref" : "UserName" } ]]},
"Service": "cloudformation.amazonaws.com"
},
"Action": "sts:AssumeRole"
}]
},
"ManagedPolicyArns":
[
"arn:aws:iam::aws:policy/AdministratorAccess"
]
}
},
"JenkinsUserAccessKey" : {
"Type" : "AWS::IAM::AccessKey",
"Properties" : {
"UserName" : { "Ref" : "JenkinsUser" }
}
},
"ServiceAccountsGroup" : {
"Type": "AWS::IAM::Group",
"Properties" : {
"GroupName" : { "Ref" : "GroupName" }
}
},
"UserToGroupAddition" : {
"Type": "AWS::IAM::UserToGroupAddition",
"Properties" : {
"GroupName" : { "Ref" : "ServiceAccountsGroup" },
"Users" : [ { "Ref" : "UserName" } ]
}
}
},
"Outputs" : {
"JenkinsUserAccessKey" : {
"Description" : "The access key for the Jenkins user",
"Value" : { "Ref" : "JenkinsUserAccessKey" }
},
"JenkinsUserSecret" : {
"Description" : "The secret key for the Jenkins user",
"Value" : { "Fn::GetAtt" : [ "JenkinsUserAccessKey", "SecretAccessKey" ] }
}
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.