[英]AWS Cloudformation IAM Policy with Resource
What I'm trying to do is create an IAM policy that only gives access to a certain S3 bucket and I want to pass that S3 bucket as a parameter. 我想做的是创建一个IAM策略,该策略仅授予对特定S3存储桶的访问权限,而我想将该S3存储桶作为参数传递。
From AWS's documentation, this is what an IAM policy CloudFormation template looks like: 从AWS文档中,IAM策略CloudFormation模板如下所示:
"RolePolicies": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "root",
"PolicyDocument": {
"Version" : "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Action": "*",
"Resource": "*"
} ]
},
The question is, how do you make "Resource" a parameter? 问题是,如何使“资源”成为参数? The parameter should be the arn of the S3 bucket (ex. arn:aws:s3:::s3-bucket-name). 该参数应为S3存储桶的arn(例如arn:aws:s3 ::: s3-bucket-name)。 Would I simply put in a string type parameter and type out the whole arn or would it be something like AWS::S3::Bucket type? 我会简单地输入一个字符串类型参数并输入整个arn还是像AWS :: S3 :: Bucket type这样的东西? Either way, I'm not sure what to type in after "Resource". 无论哪种方式,我都不确定在“资源”之后输入什么。
Thanks! 谢谢!
You can use Ref with Fn::Join or Fn::Sub 您可以将Ref与Fn :: Join或Fn :: Sub一起使用
For example: 例如:
"Parameters" : {
"BucketName" : {
"Type" : "String",
"Description" : "S3 Bucket name."
}
}
With Ref and Fn::Join 与Ref和Fn :: Join
...
"Resource": { "Fn::Join" : [ "", [ "arn:aws:s3:::", { "Ref" : "BucketName"} ] ] }
...
With Fn::Sub : 与Fn :: Sub :
...
"Resource": { "Fn::Sub": [ "arn:aws:s3:::${BucketName}" ] }
...
A little late to the party. 晚会晚了。
If your bucket is declared in Resources, like this: 如果您的存储桶在“资源”中声明 ,如下所示:
...
Resources:
MyBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: my-bucket-name
...
...Then you can easily refer to it's ARN using Fn::GetAtt: ...然后您可以使用Fn :: GetAtt轻松引用它的ARN:
Resource:
Fn::GetAtt: [ MyBucket, "Arn" ]
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.