AWS云形成堆栈中角色的托管策略

Question

Using AWS, I'm building a cloud formation stack defining: 使用AWS，我正在构建一个定义以下内容的云形成堆栈：

A Managed Policy called MyPolicy 称为MyPolicy的托管策略
A Role called MyRole that should attach that policy 名为MyRole的角色，应附加该策略

The stack will be created by an admin ; 堆栈将由管理员创建； and once created, the goal is to allow (from outside the stack) some users to assume MyRole . 创建后，目标是允许（从堆栈外部）某些用户承担MyRole 。

My question: How should the role be defined in order to attach that policy ? 我的问题：如何定义角色以附加该策略？

The AWS help page of the role properties suggests to use the ManagedPolicyArns , but I get various errors depending on how I refer to MyPolicy : 角色属性的AWS帮助页面建议使用ManagedPolicyArns ，但是根据我对MyPolicy引用方式，我会遇到各种错误：

If I use the GetAtt function to retrieve the policy's arn , I get an error at the template validation: 如果我使用GetAtt函数检索策略的arn ，则在模板验证时会收到错误消息：

"ManagedPolicyArns": [ { "Fn::GetAtt" : [ "MyPolicy", "Arn" ] } ]

Template error: resource MyPolicy does not support attribute type Arn in Fn::GetAtt 模板错误：资源MyPolicy不支持Fn :: GetAtt中的属性类型Arn

And If I use the Join function to build the policy's arn , I get an error during the role creation. 而且，如果我使用Join函数来构建策略的arn ，那么在角色创建过程中会出错。

"ManagedPolicyArns": [ { "Fn::Join" : [ "", [ "arn:aws:iam::", { "Ref": "AWS::AccountId" }, ":policy/", { "Ref": "MyPolicy" } ] ] } ]

ARN arn:aws:iam::aws:policy/arn:aws:iam::«my-account-id»:policy/MyPolicy is not valid. ARN arn：aws：iam :: aws：policy / arn：aws：iam ::«my-account-id»：policy / MyPolicy无效。 (Service: AmazonIdentityManagement; Status Code: 400; Error Code: InvalidInput; Request ID: «an-id») （服务：AmazonIdentityManagement；状态代码：400；错误代码：InvalidInput；请求ID：«an-id»）

Below is my stack definition using JSON format: 以下是我使用JSON格式的堆栈定义：

{
    "AWSTemplateFormatVersion" : "2010-09-09",
    "Resources" : {
        "MyPolicy" : {
            "Type": "AWS::IAM::ManagedPolicy",
            "Properties": {
                "ManagedPolicyName" : "MyPolicy",
                "PolicyDocument" : {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Action": [ "s3:*" ],
                            "Resource": "arn:aws:s3:::the-bucket"
                        }
                    ]
                }
            }
        },

        "MyRole" : {
            "Type": "AWS::IAM::Role",
            "RoleName": "MyRole",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": { "AWS": {"Fn::Join" : [ "", [ "arn:aws:iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } },,
                        "Action": [ "sts:AssumeRole" ]
                    }
                ]
            },
            "ManagedPolicyArns": [
                { "Fn::GetAtt" : [ "MyPolicy", "Arn" ] }
            ]
        }
    }
}

Answer 1

{"Ref": "MyPolicy"} will return the ARN of the managed policy created by your stack. {"Ref": "MyPolicy"}将返回由您的堆栈创建的托管策略的ARN。 Your error message indicates that. 您的错误消息表明。 Also, check this AWS documentation. 另外，请查阅此 AWS文档。

AWS云形成堆栈中角色的托管策略

问题描述

1 个解决方案

解决方案1
0 2018-06-11 15:08:11

AWS云形成堆栈中角色的托管策略

问题描述

1 个解决方案

解决方案1 0 2018-06-11 15:08:11

解决方案1
0 2018-06-11 15:08:11