AWS CDK 如何在 IAM 策略中包含委托人？

Question

Hi I am working on AWS CDK.您好，我正在研究 AWS CDK。 I am trying to create resource based policy.我正在尝试创建基于资源的策略。 Below is my cloud formation template.下面是我的云形成模板。

MWSECRRepository:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: "location/location-service"
      RepositoryPolicyText:
        Version: "2012-10-17"
        Statement:
          - Sid: CurrentAccountPush
            Effect: Allow
            Principal:
              AWS:
                - 'arn:aws:iam::1234:root'  # dev
                - 'arn:aws:iam::1234:root'  # nonprod
                - 'arn:aws:iam::1234:root'  # prod
            Action:
              - 'ecr:GetDownloadUrlForLayer'
              - 'ecr:PutImage'
              - 'ecr:InitiateLayerUpload'
              - 'ecr:UploadLayerPart'
              - 'ecr:CompleteLayerUpload'

Below I am trying to create same using CDK.下面我正在尝试使用 CDK 创建相同的内容。

 ECRRepository = ecr.Repository(self, id = "ECR", repository_name = "location/location-service");
        ECRRepository.add_to_resource_policy(iam.PolicyStatement(
            effect=iam.Effect.ALLOW,
            actions=["ecr:GetDownloadUrlForLayer","ecr:PutImage","ecr:InitiateLayerUpload","ecr:UploadLayerPart","ecr:CompleteLayerUpload"],
            principals=["arn:aws:iam::123:root","arn:aws:iam::123:root","arn:aws:iam::123:root"]
        ));


        ECRRepository.add_to_resource_policy(iam.PolicyStatement(
            effect=iam.Effect.ALLOW,
            #principals=["arn:aws:iam::123:root","arn:aws:iam::123:root","arn:aws:iam::123:root"]
            actions=["ecr:GetDownloadUrlForLayer","ecr:BatchGetImage","ecr:BatchCheckLayerAvailability"]
        ));

        ECRRepository.add_lifecycle_rule(description="Image retention",  max_image_count=100, rule_priority=1);

This results in below error这导致以下错误

Error: Expected object reference, got "arn:aws:iam::123:root"错误：预期的对象引用，得到“arn:aws:iam::123:root”

Can someone help me to write correct syntax using python?有人可以帮助我使用 python 编写正确的语法吗？ Any help would be appreciated.任何帮助，将不胜感激。 Thanks谢谢

Answer 1

principals needs to be a list of IPrincipal instead of strings principals需要是IPrincipal的列表而不是strings

ECRRepository.add_to_resource_policy(iam.PolicyStatement(
            effect=iam.Effect.ALLOW,
            actions=["ecr:GetDownloadUrlForLayer","ecr:PutImage","ecr:InitiateLayerUpload","ecr:UploadLayerPart","ecr:CompleteLayerUpload"],
            principals=[iam.ArnPrincipal("aws:iam::1234:root")]
        ));

AWS CDK 如何在 IAM 策略中包含委托人？

问题描述

1 个解决方案

解决方案1
4 已采纳 2019-12-04 09:54:15

AWS CDK 如何在 IAM 策略中包含委托人？

问题描述

1 个解决方案

解决方案1 4 已采纳 2019-12-04 09:54:15

解决方案1
4 已采纳 2019-12-04 09:54:15