
CloudFormation is not authorized to perform: iam:PassRole on resource

This is part of the code of my template.yml in Cloud9:

Type: 'AWS::Serverless::Function'
Properties:
  Handler: index.handler
  Runtime: nodejs6.10
  CodeUri: .
  Description: Updates records in the AppConfig table.
  MemorySize: 128
  Timeout: 3
  Role: 'arn:aws:iam::579913947261:role/FnRole'
  Events:
    Api1:
      Type: Api
      Properties:

When I commit the changes in Cloud9, deployment fails at the CodePipeline Deploy stage while trying ExecuteChangeSet. I get this error:

CloudFormation is not authorized to perform: iam:PassRole on resource

Can anyone help?

While I can't say specifically what happened in your situation, the error message means that the Role/User that CloudFormation used to deploy resources did not have appropriate iam:PassRole permissions.

The iam:PassRole permission is used when assigning a role to resources. For example, when an Amazon EC2 instance is launched with an IAM Role, the entity launching the instance requires permission to specify the IAM Role to be used. This is done to prevent users gaining too much permission. For example, a non-administrative user should not be allowed to launch an instance with an Administrative role, since they would then gain access to additional permissions to which they are not entitled.

In the case of your template, it would appear that CloudFormation is creating a function and is assigning the FnRole permission to that function. However, the CloudFormation template has not been given permission to assign this role to the function.

When a CloudFormation template is launched, it either provisions resources as the user who is creating the stack, or using an IAM Role specified when the stack is launched. It is that User/Role that requires the iam:PassRole permissions to use FnRole.

User: arn:aws:sts::156478935478:assumed-role/CodeStarWorker-AppConfig-CloudFormation/AWSCloudFormation is not authorized to perform: iam:PassRole on resource: arn:aws:iam::156478935478:role/service-role/FnRole(Service: AWSLambda; Status Code: 403; Error Code: AccessDeniedException; Request ID: 129f601b-a425-11e8-9659-410b0cc8f4f9)

From this log you can tell what policy (iam:PassRole) needs to be assigned to the CloudFormation role for your stack (CodeStarWorker-AppConfig-CloudFormation).

You should:

  • Go to IAM > Roles
  • Type CodeStarWorker-AppConfig-CloudFormation in the search box
  • Open that role and go to Permissions
  • Find CodeStarWorkerCloudFormationRolePolicy, expand it, go to Edit policy
  • In the following section under Resources add the ARN of your role (arn:aws:iam::579913947261:role/FnRole); if you don't have that section just copy and paste this, but under Resources use your ARNs.

Policy:

{
    "Action": [
        "iam:PassRole"
    ],
    "Resource": [
        "arn:aws:iam::156478935478:role/CodeStarWorker-AppConfig-Lambda",
        "arn:aws:iam::579913947261:role/FnRole"
    ],
    "Effect": "Allow"
}

If you want to assign that permission to all resources ("Resource": "*"), find the following section and, above it under Actions, add the permission you want to assign:

"Resource": "*",
"Effect": "Allow"

You can apply this for all other permissions you want to assign to CloudFormation for your resources.
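An added, offline check (example code, not from the question or any of the answers) that evaluates whether a deploy role's policy document grants iam:PassRole on a given role ARN, in the policy-statement shape shown in the two answers above. The policy document is constructed for the example; the CodeStar-AppConfig-* wildcard and the Deny statement are assumptions, and the evaluator is a simplification of IAM's real decision logic.

```python
import json
import re

# Constructed policy for the CloudFormation deploy role, modelled on the
# statement the answer above adds (not the real CodeStarWorker policy); the
# CodeStar-* wildcard and the Deny statement are added to show how matching works.
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["iam:PassRole"],
   "Resource": ["arn:aws:iam::579913947261:role/FnRole"]},
  {"Effect": "Allow", "Action": "iam:PassRole",
   "Resource": "arn:aws:iam::579913947261:role/CodeStar-AppConfig-*"},
  {"Effect": "Deny", "Action": "iam:*",
   "Resource": "arn:aws:iam::579913947261:role/Admin*"}]}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wildcard_match(pattern, value):
    # IAM policy wildcards: '*' matches any run of characters, '?' one character.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None

def passrole_decision(policy, role_arn):
    """'allow', 'deny' or 'implicit-deny' for iam:PassRole on role_arn.
    Simplified: a matching Deny wins, else a matching Allow, else implicit
    deny. NotAction, NotResource and Condition are not handled."""
    decision = "implicit-deny"
    for stmt in _as_list(policy["Statement"]):
        # Action names match case-insensitively; ARNs are matched case-sensitively.
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(_wildcard_match(a, "iam:passrole") for a in actions):
            continue
        if not any(_wildcard_match(r, role_arn)
                   for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        decision = "allow"
    return decision

if __name__ == "__main__":
    # The role path matters: role/service-role/FnRole is not role/FnRole.
    for arn in ["arn:aws:iam::579913947261:role/FnRole",
                "arn:aws:iam::579913947261:role/service-role/FnRole",
                "arn:aws:iam::579913947261:role/CodeStar-AppConfig-Updater"]:
        print(f"{passrole_decision(POLICY, arn):13} {arn}")
```

Note that the error log in this answer names role/service-role/FnRole while the question's template passes role/FnRole; a Resource entry for one path does not match the other.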

If you change the name of the role from: RoleName: 'arn:aws:iam::579913947261:role/FnRole'

to include the prefix CodeStar-${ProjectId}, then the role can be created/updated/etc. without having to modify the IAM policy of the CodeStarWorker-AppConfig-CloudFormation role, e.g. RoleName: !Sub 'CodeStar-${ProjectId}-[FunctionName]'

I posted a full explanation here: Change IAM Role for a Lambda in a CloudFormation template in a CodeStar project?

To enable we reduce the complications on how people get along with AWS.

The Action part in the policy JSON has to be updated.

"iam:PassRole"

should be added to the Action block brackets in the policy file.

You just need to put this in your policy:

{
    "Sid": "PolicyStatementToAllowUserToPassOneSpecificRole",
    "Effect": "Allow",
    "Action": [ "iam:PassRole" ],
    "Resource": "arn:aws:iam::<account-id>:role/RDS-Monitoring-Role"
}

Link: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html
