如何在 aws cloudformation 模板中限制特定于 SQS 的 IAM 角色
[英]How to restrict IAM Role specific to SQS in aws cloudformation template
问题描述
I am new to aws cloudformation template, I want to restrict below role to SQS service only.
我是 aws cloudformation 模板的新手,我只想将以下角色限制为 SQS 服务。 Please suggest how can I achieve same using conditional.请建议我如何使用条件来实现相同的目标。
My template sample::我的模板样本::
AWSTemplateFormatVersion: 2010-09-09
Description: >-
This template creates Role
Parameters:
vpcname:
Type: String
Description: Enter vpcname
Resources:
ErrorQueueRole:
Type: 'AWS::IAM::Role'
Properties:
RoleName: !Join ["",[ErrorQueueRole.,!Ref vpcname]]
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- sqs.amazonaws.com
Action:
- sts:AssumeRole
Condition:
StringEquals:
1 个解决方案
解决方案1
2 2020-07-15 07:03:56
SQS uses a SQS policy not an IAM role , so you would be limited here to the functionality that this provides. SQS 使用SQS 策略而不是 IAM 角色,因此您将在此处受限于它提供的功能。
A limited number of services such as SNS, Lambda and S3 support what are commonly known as resource policies . SNS、Lambda 和 S3 等数量有限的服务支持通常所说的资源策略。 Assuming the service (SQS) supports functionality to connect to the service you would need to add the Arn to the service you're trying to trigger.假设服务 (SQS) 支持连接到服务的功能,您需要将 Arn 添加到您尝试触发的服务中。
For example allowing SQS to invoke a Lambda, would require you modify the Lambda function policy such as例如,允许 SQS 调用 Lambda,将需要您修改 Lambda function 策略,例如
{
"Sid": "sqs",
"Effect": "Allow",
"Principal": {
"Service": "sqs.amazonaws.com"
},
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:us-east-2:123456789012:function:my-function"
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.