[英]Using AWS::Region in Policy Resources
I am trying to dynamically change the s3 resource name based on current cloud formation stack region.我正在尝试根据当前的云形成堆栈区域动态更改 s3 资源名称。 Cloudformation stack updates without any error. Cloudformation 堆栈更新没有任何错误。 Am I doing something wrong?难道我做错了什么? I am expecting to have a policy with {AWS::Region} resolved to us-east-1.我期待将 {AWS::Region} 的策略解析为 us-east-1。
Version: 2012-10-17
Statement:
- Sid: RestrictS3Access
Effect: Allow
Action:
- 's3:GetObject'
Resource:
- !Sub "arn:aws:s3:::dnsa-${AWS::Region}test/${cognito-identity.amazonaws.com:sub}"
- !Sub "arn:aws:s3:::dnsa-${AWS::Region}test/${cognito-identity.amazonaws.com:sub}/*"
I am expecting to see the policy as follows.我期待看到如下政策。 I am checking results from aws console.我正在检查来自 aws 控制台的结果。
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::dnsa-us-east-1/${cognito-identity.amazonaws.com:sub}",
"arn:aws:s3:::dnsa-us-east-1/${cognito-identity.amazonaws.com:sub}/*"
],
"Effect": "Allow",
"Sid": "RestrictS3Access"
}
If you want ${cognito-identity.amazonaws.com:sub}
to remain unchanged, you need to escape it with ${!}
.如果您希望${cognito-identity.amazonaws.com:sub}
保持不变,则需要使用${!}
对其进行转义。
Version: 2012-10-17
Statement:
- Sid: RestrictS3Access
Effect: Allow
Action:
- 's3:GetObject'
Resource:
- !Sub "arn:aws:s3:::dnsa-${AWS::Region}test/${!cognito-identity.amazonaws.com:sub}"
- !Sub "arn:aws:s3:::dnsa-${AWS::Region}test/${!cognito-identity.amazonaws.com:sub}/*"
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.