Managed policy for a role in an AWS cloud formation stack
Using AWS, I'm building a cloud formation stack defining:
- a managed policy MyPolicy
- a role MyRole that should attach that policy
The stack will be created by an admin; and once created, the goal is to allow (from outside the stack) some users to assume MyRole.
My question: How should the role be defined in order to attach that policy?
The AWS help page of the role properties suggests to use the ManagedPolicyArns, but I get various errors depending on how I refer to MyPolicy:
If I use the GetAtt function to retrieve the policy's arn, I get an error at the template validation:
"ManagedPolicyArns": [ { "Fn::GetAtt" : [ "MyPolicy", "Arn" ] } ]
Template error: resource MyPolicy does not support attribute type Arn in Fn::GetAtt
And if I use the Join function to build the policy's arn, I get an error during the role creation:
"ManagedPolicyArns": [ { "Fn::Join" : [ "", [ "arn:aws:iam::", { "Ref": "AWS::AccountId" }, ":policy/", { "Ref": "MyPolicy" } ] ] } ]
ARN arn:aws:iam::aws:policy/arn:aws:iam::«my-account-id»:policy/MyPolicy is not valid. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: InvalidInput; Request ID: «an-id»)
Below is my stack definition using JSON format:
{
  "AWSTemplateFormatVersion" : "2010-09-09",
  "Resources" : {
    "MyPolicy" : {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "ManagedPolicyName" : "MyPolicy",
        "PolicyDocument" : {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [ "s3:*" ],
              "Resource": "arn:aws:s3:::the-bucket"
            }
          ]
        }
      }
    },
    "MyRole" : {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "MyRole",
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": { "AWS": { "Fn::Join" : [ "", [ "arn:aws:iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } },
              "Action": [ "sts:AssumeRole" ]
            }
          ]
        },
        "ManagedPolicyArns": [
          { "Fn::GetAtt" : [ "MyPolicy", "Arn" ] }
        ]
      }
    }
  }
}
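The following is an added example, not code from the question above. It relies on two documented CloudFormation facts: for an AWS::IAM::ManagedPolicy resource, `Ref` returns the policy's ARN, and `Fn::GetAtt` exposes no `Arn` attribute. That explains both errors in the question: `GetAtt` fails validation, and wrapping `Ref` in `Fn::Join` concatenates a full ARN onto an ARN prefix, producing the doubled `arn:aws:iam::...:policy/arn:aws:iam::...` string that IAM rejects. The script builds the corrected template (the role's properties under "Properties", `ManagedPolicyArns` set to `{"Ref": "MyPolicy"}`) and includes a small pre-deploy check, `find_policy_arn_mistakes`, that flags both mistakes before the template is submitted. The resource names, bucket ARN and helper function names are taken from or chosen for this example; the check is my own, not a CloudFormation feature.

```python
"""Corrected template for the MyPolicy/MyRole stack plus a pre-deploy
check for the two ManagedPolicyArns mistakes described in the question.

Added example (not the asker's code). Assumptions: Ref on an
AWS::IAM::ManagedPolicy yields its ARN; there is no GetAtt "Arn" for it.
"""
import copy
import json

# Corrected template: same resources as the question, with the role's
# properties under "Properties" and the policy referenced via Ref.
TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "MyPolicy": {
            "Type": "AWS::IAM::ManagedPolicy",
            "Properties": {
                "ManagedPolicyName": "MyPolicy",
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Action": ["s3:*"],
                        "Resource": "arn:aws:s3:::the-bucket",
                    }],
                },
            },
        },
        "MyRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": "MyRole",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        # Trusts the whole account; which users may actually
                        # assume the role is then decided by their own IAM
                        # policies granting sts:AssumeRole on the role ARN.
                        "Principal": {"AWS": {"Fn::Join": ["", [
                            "arn:aws:iam::", {"Ref": "AWS::AccountId"}, ":root"]]}},
                        "Action": ["sts:AssumeRole"],
                    }],
                },
                # Ref on a ManagedPolicy already yields the full ARN.
                "ManagedPolicyArns": [{"Ref": "MyPolicy"}],
            },
        },
    },
}


def with_policy_reference(template, expr):
    """Copy of `template` whose MyRole uses `expr` in ManagedPolicyArns
    (used to reproduce the question's two failing variants)."""
    t = copy.deepcopy(template)
    t["Resources"]["MyRole"]["Properties"]["ManagedPolicyArns"] = [expr]
    return t


def managed_policy_names(template):
    """Logical IDs of all AWS::IAM::ManagedPolicy resources."""
    return {name for name, res in template.get("Resources", {}).items()
            if isinstance(res, dict) and res.get("Type") == "AWS::IAM::ManagedPolicy"}


def _walk(node, path=()):
    """Yield (path, node) for every node in the template tree."""
    yield path, node
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk(v, path + (k,))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk(v, path + (i,))


def find_policy_arn_mistakes(template):
    """Return one finding per occurrence of:
    1. Fn::GetAtt [<ManagedPolicy>, "Arn"]  (attribute does not exist)
    2. Fn::Join embedding Ref <ManagedPolicy>  (Ref is already an ARN,
       so the join builds a doubled, invalid ARN)."""
    policies = managed_policy_names(template)
    findings = []
    for path, node in _walk(template):
        if not isinstance(node, dict):
            continue
        where = "/".join(map(str, path)) or "<root>"
        getatt = node.get("Fn::GetAtt")
        if isinstance(getatt, list) and len(getatt) == 2:
            target, attr = getatt
            if target in policies and attr == "Arn":
                findings.append(f"{where}: GetAtt {target}.Arn is not supported; use Ref")
        join = node.get("Fn::Join")
        if isinstance(join, list) and len(join) == 2 and isinstance(join[1], list):
            for part in join[1]:
                if isinstance(part, dict) and part.get("Ref") in policies:
                    findings.append(f"{where}: Ref {part['Ref']} already returns an ARN; do not wrap it in Fn::Join")
    return findings


def render(template):
    """Serialise the template as JSON ready for `aws cloudformation`."""
    return json.dumps(template, indent=2)


if __name__ == "__main__":
    print(render(TEMPLATE))
    bad_getatt = with_policy_reference(TEMPLATE, {"Fn::GetAtt": ["MyPolicy", "Arn"]})
    bad_join = with_policy_reference(TEMPLATE, {"Fn::Join": ["", [
        "arn:aws:iam::", {"Ref": "AWS::AccountId"}, ":policy/", {"Ref": "MyPolicy"}]]})
    for label, t in [("corrected", TEMPLATE), ("getatt", bad_getatt), ("join", bad_join)]:
        print(label, "->", find_policy_arn_mistakes(t) or "no findings")
```

Running the script prints the corrected template and reports no findings for it, one finding for the `GetAtt` variant and one for the `Fn::Join` variant. Because the policy is referenced by `Ref`, CloudFormation also orders the creation correctly: the policy is created before the role that attaches it, with no explicit DependsOn needed.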