
How to use AWS principal in reference parameter in cloudformation

I have to automate this line "AWS": "arn:aws:iam::684821578293:user/jenkins" in my CloudFormation template, but when using join it is not working. Can somebody help me with this?

The working template is below; you can use the following snapshot of the parameters list:

StackName: test
CreateCodeDeployRole: false
CreateECSRole: false
CreateJenkinsRole: true
CustomerPrefix: kfc (any name)
Environment: dt
GroupName: sogetiadmin
RoleName: Jenkins_Tool_Access
UserName: jenkins

https://s3.amazonaws.com/linuxblogger-k8s-state/iamcreation_working.json

Problem:

But once I update this entry in the working template from "AWS": "arn:aws:iam::684821578293:user/admin" to "AWS": "arn:aws:iam::684821578293:user/jenkins" it will not work.

I tried the join function with the Jenkins user but it won't work; you can view this JSON below:

https://s3.amazonaws.com/linuxblogger-k8s-state/iamcreation_not_working.json

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "IAM groups and account-wide role configurations",
  "Parameters": {
    "CustomerPrefix": {
      "Type": "String",
      "Default": "testcust",
      "Description": "Enter Customer Prefix"
    },
    "Environment": {
      "Type": "String",
      "Default": "dt",
      "Description": "Enter Environment (Input Format - d=development, t=test, a=acceptance, p=production, dt=devtest, ap=acceptanceproduction)",
      "AllowedValues": ["d", "t", "a", "p", "dt", "ap"]
    },
    "CreateCodeDeployRole": {
      "Type": "String",
      "Default": "true",
      "Description": "Whether a role should be created for use with AWS CodeDeploy",
      "AllowedValues": ["true", "false"],
      "ConstraintDescription": "Must be true or false."
    },
    "CreateECSRole": {
      "Type": "String",
      "Default": "true",
      "Description": "Whether a role should be created for use with AWS EC2 Container Service",
      "AllowedValues": ["true", "false"],
      "ConstraintDescription": "Must be true or false."
    },
    "CreateJenkinsRole": {
      "Type": "String",
      "Default": "true",
      "Description": "Whether a role should be created for use with AWS Jenkins Service",
      "AllowedValues": ["true", "false"],
      "ConstraintDescription": "Must be true or false."
    },
    "UserName": {
      "Type": "String",
      "Default": "jenkins",
      "Description": "Please Provide Name of the IAM user"
    },
    "RoleName": {
      "Type": "String",
      "Default": "Jenkins_Tool_Access",
      "Description": "Please Provide Name of the IAM Role"
    },
    "GroupName": {
      "Type": "String",
      "Default": "sogetiadmin",
      "Description": "Please Provide Name of the IAM Group"
    }
  },
  "Conditions": {
    "IsDev": { "Fn::Equals": [{ "Ref": "Environment" }, "dev"] },
    "IsQet": { "Fn::Equals": [{ "Ref": "Environment" }, "qet"] },
    "IsStg": { "Fn::Equals": [{ "Ref": "Environment" }, "stg"] },
    "IsPrd": { "Fn::Equals": [{ "Ref": "Environment" }, "prd"] },
    "CreateCodeDeployRole": { "Fn::Equals": [{ "Ref": "CreateCodeDeployRole" }, "true"] },
    "CreateECSRole": { "Fn::Equals": [{ "Ref": "CreateECSRole" }, "true"] },
    "CreateJenkinsRole": { "Fn::Equals": [{ "Ref": "CreateJenkinsRole" }, "true"] }
  },
  "Resources": {
    "AWSCodeDeployRole": {
      "Type": "AWS::IAM::Role",
      "Condition": "CreateCodeDeployRole",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": {
                  "Fn::Join": [".", ["codedeploy", { "Ref": "AWS::Region" }, "amazonaws.com"]]
                }
              },
              "Action": "sts:AssumeRole"
            }
          ]
        },
        "Policies": [
          {
            "PolicyName": "AWSCodeDeployPolicy",
            "PolicyDocument": {
              "Statement": [
                {
                  "Action": [
                    "autoscaling:PutLifecycleHook",
                    "autoscaling:DeleteLifecycleHook",
                    "autoscaling:RecordLifecycleActionHeartbeat",
                    "autoscaling:CompleteLifecycleAction",
                    "autoscaling:DescribeAutoscalingGroups",
                    "autoscaling:PutInstanceInStandby",
                    "autoscaling:PutInstanceInService",
                    "ec2:Describe*"
                  ],
                  "Effect": "Allow",
                  "Resource": "*"
                },
                {
                  "Action": ["s3:Get*", "s3:List*"],
                  "Effect": "Allow",
                  "Resource": {
                    "Fn::Join": [
                      "-",
                      [
                        "arn:aws:s3:::deployments",
                        { "Ref": "CustomerPrefix" },
                        { "Ref": "Environment" },
                        "/artifacts/projects/*"
                      ]
                    ]
                  }
                }
              ]
            }
          }
        ]
      }
    },
    "JenkinsUser": {
      "Type": "AWS::IAM::User",
      "Condition": "CreateJenkinsRole",
      "Properties": {
        "UserName": { "Ref": "UserName" },
        "ManagedPolicyArns": ["arn:aws:iam::aws:policy/AdministratorAccess"]
      }
    },
    "AWSJenkinsServiceRole": {
      "Type": "AWS::IAM::Role",
      "Condition": "CreateJenkinsRole",
      "DependsOn": "JenkinsUser",
      "Properties": {
        "RoleName": { "Ref": "RoleName" },
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Sid": "",
              "Effect": "Allow",
              "Principal": { "Service": "cloudformation.amazonaws.com" },
              "Action": "sts:AssumeRole"
            },
            {
              "Sid": "",
              "Effect": "Allow",
              "Principal": {
                "AWS": { "Fn::Join": ["/", ["arn:aws:iam::684821578293:user", { "Ref": "UserName" }]] },
                "Service": "cloudformation.amazonaws.com"
              },
              "Action": "sts:AssumeRole"
            }
          ]
        },
        "ManagedPolicyArns": ["arn:aws:iam::aws:policy/AdministratorAccess"]
      }
    },
    "JenkinsUserAccessKey": {
      "Type": "AWS::IAM::AccessKey",
      "Condition": "CreateJenkinsRole",
      "Properties": {
        "UserName": { "Ref": "JenkinsUser" }
      }
    },
    "ServiceAccountsGroup": {
      "Type": "AWS::IAM::Group",
      "Properties": {
        "GroupName": { "Ref": "GroupName" }
      }
    },
    "UserToGroupAddition": {
      "Type": "AWS::IAM::UserToGroupAddition",
      "Condition": "CreateJenkinsRole",
      "Properties": {
        "GroupName": { "Ref": "ServiceAccountsGroup" },
        "Users": [{ "Ref": "JenkinsUser" }]
      }
    }
  },
  "Outputs": {
    "JenkinsUserAccessKey": {
      "Condition": "CreateJenkinsRole",
      "Description": "The access key for the Jenkins user",
      "Value": { "Ref": "JenkinsUserAccessKey" }
    },
    "JenkinsUserSecret": {
      "Condition": "CreateJenkinsRole",
      "Description": "The secret key for the Jenkins user",
      "Value": { "Fn::GetAtt": ["JenkinsUserAccessKey", "SecretAccessKey"] }
    }
  }
}
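The template above assembles the trust-policy principal with Fn::Join around a hard-coded account id. The script below is an added example (not part of the question and not AWS or CloudFormation code) that shows the same principal written three ways: the Fn::Join form from the question, an Fn::Sub form that takes the account from the AWS::AccountId and AWS::Partition pseudo parameters, and an Fn::GetAtt on the JenkinsUser resource that the posted template already defines. A small resolver, written here as a stand-in for CloudFormation's deploy-time substitution and covering only Ref, Fn::Join, the string form of Fn::Sub and Fn::GetAtt, renders each form so you can see the exact ARN IAM would receive, and a lint function flags any ARN in a template whose account field is a literal 12-digit id. All sample parameter, pseudo-parameter and attribute values are constructed.

```python
"""Added example, not part of the original question or any AWS library: three ways to
express the Jenkins user principal in the role's trust policy, plus a toy resolver that
evaluates the intrinsic functions offline to show the exact ARN IAM will receive."""
import json
import re

# Constructed sample values standing in for what CloudFormation supplies at deploy time.
SAMPLE_PARAMS = {"UserName": "jenkins"}
SAMPLE_PSEUDO = {"AWS::AccountId": "111111111111", "AWS::Partition": "aws"}
# Constructed attribute table: what Fn::GetAtt ["JenkinsUser", "Arn"] would return for a
# user created in the same stack (the resolver's stand-in for a real deployment).
SAMPLE_ATTRS = {("JenkinsUser", "Arn"): "arn:aws:iam::111111111111:user/jenkins"}

# Matches ARNs whose account field is a literal 12-digit id (service ARNs such as
# arn:aws:iam::aws:policy/... and arn:aws:s3:::bucket have no such field and are skipped).
ARN_WITH_LITERAL_ACCOUNT = re.compile(r"arn:aws[a-z-]*:[a-z0-9-]*:[a-z0-9-]*:(\d{12}):")


def principal_join(account_id):
    """The shape used in the question: Fn::Join around a hard-coded account id."""
    return {"Fn::Join": ["/", [f"arn:aws:iam::{account_id}:user", {"Ref": "UserName"}]]}


def principal_sub():
    """Same ARN built with Fn::Sub; account and partition come from pseudo parameters."""
    return {"Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:user/${UserName}"}


def principal_getatt():
    """Refer to the user created in this stack directly: CloudFormation orders the two
    resources for you and no ARN is assembled by hand."""
    return {"Fn::GetAtt": ["JenkinsUser", "Arn"]}


def trust_policy(principal):
    """AssumeRolePolicyDocument granting sts:AssumeRole to one AWS principal."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": principal}, "Action": "sts:AssumeRole"}
        ],
    }


def resolve(node, params=SAMPLE_PARAMS, pseudo=SAMPLE_PSEUDO, attrs=SAMPLE_ATTRS):
    """Toy evaluator for Ref, Fn::Join, the string form of Fn::Sub, and Fn::GetAtt.
    It mirrors how CloudFormation substitutes values before handing the document to IAM;
    it is not the service's own implementation and covers only these four functions."""
    if isinstance(node, list):
        return [resolve(n, params, pseudo, attrs) for n in node]
    if not isinstance(node, dict):
        return node
    if "Ref" in node:
        name = node["Ref"]
        return pseudo[name] if name in pseudo else params[name]
    if "Fn::Join" in node:
        delimiter, parts = node["Fn::Join"]
        return delimiter.join(resolve(p, params, pseudo, attrs) for p in parts)
    if "Fn::Sub" in node:
        def substitute(match):
            var = match.group(1)
            if "." in var:  # ${LogicalId.Attribute}
                logical_id, attribute = var.split(".", 1)
                return attrs[(logical_id, attribute)]
            return pseudo[var] if var in pseudo else params[var]
        return re.sub(r"\$\{([^}]+)\}", substitute, node["Fn::Sub"])
    if "Fn::GetAtt" in node:
        logical_id, attribute = node["Fn::GetAtt"]
        return attrs[(logical_id, attribute)]
    return {key: resolve(value, params, pseudo, attrs) for key, value in node.items()}


def hardcoded_account_ids(template):
    """Lint: every literal 12-digit account id embedded in an ARN anywhere in the template.
    A template that must deploy to more than one account should return an empty list."""
    found = set()

    def walk(node):
        if isinstance(node, str):
            found.update(ARN_WITH_LITERAL_ACCOUNT.findall(node))
        elif isinstance(node, list):
            for item in node:
                walk(item)
        elif isinstance(node, dict):
            for value in node.values():
                walk(value)

    walk(template)
    return sorted(found)


if __name__ == "__main__":
    for label, principal in [("Fn::Join", principal_join("684821578293")),
                             ("Fn::Sub", principal_sub()),
                             ("Fn::GetAtt", principal_getatt())]:
        doc = trust_policy(principal)
        rendered = resolve(doc)["Statement"][0]["Principal"]["AWS"]
        print(f"{label:10} -> {rendered}  hard-coded accounts: {hardcoded_account_ids(doc)}")
    print(json.dumps(trust_policy(principal_getatt()), indent=2))
```

The Fn::GetAtt form is the one to prefer when the user lives in the same stack: it keeps the account id out of the template, so the same file deploys into any account, and it makes the dependency on JenkinsUser explicit without a DependsOn. That ordering matters because IAM rejects a trust policy that names a user principal which does not exist yet. Run hardcoded_account_ids over the full template before committing it; on the posted template it reports 684821578293. Two further things a reviewer would raise about the template as posted: both the user and the role it can assume carry AdministratorAccess, and the user's secret access key is emitted as a stack output, which anyone with cloudformation:DescribeStacks on the stack can read, so scope the policies down and hand the credential to Jenkins through a secrets store rather than an output.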
