Circular dependency in CloudFormation template between IAM resources
I keep hitting a circular dependency error in my CloudFormation template and am not sure how I can eliminate it. I am creating a user and attaching `IAMManagedPolicy2` to the user. The policy allows the user to assume two roles, `IAMRole` and `IAMRole2`. `IAMRole2` requires defining the assume permission for the user. This is probably the reason why I am hitting the circular dependency in my case. Here is what my template looks like:
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Metadata:
  Generator: "former2"
Description: ""
Resources:
  IAMUser:
    Type: "AWS::IAM::User"
    Properties:
      Path: "/"
      UserName: "sysuser"
      ManagedPolicyArns:
        - !Ref IAMManagedPolicy2
  IAMGroup:
    Type: "AWS::IAM::Group"
    Properties:
      Path: "/"
      GroupName: "Temp"
  IAMManagedPolicy2:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: "UserAssumePolicy"
      Path: "/"
      PolicyDocument: !Sub |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "VisualEditor0",
              "Effect": "Allow",
              "Action": "sts:AssumeRole",
              "Resource": [
                "arn:aws:iam::*:role/${IAMRole}",
                "arn:aws:iam::*:role/${IAMRole2}"
              ]
            }
          ]
        }
  IAMRole:
    Type: "AWS::IAM::Role"
    Properties:
      Path: "/"
      RoleName: "AddUserToGroupRole"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: "Allow"
            Principal:
              AWS:
                - !GetAtt IAMUser.Arn
            Action:
              - "sts:AssumeRole"
      MaxSessionDuration: 3600
      ManagedPolicyArns:
        - !Ref IAMManagedPolicy3
      Description: "Allows Adding users to group"
  IAMRole2:
    Type: "AWS::IAM::Role"
    Properties:
      Path: "/"
      RoleName: "AttachGroupPolicyRole"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: "Allow"
            Principal:
              AWS:
                - !GetAtt IAMUser.Arn
              Service:
                - "ec2.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      MaxSessionDuration: 3600
      ManagedPolicyArns:
        - !Ref IAMManagedPolicy
      Description: ""
      Tags:
        -
          Key: "event"
          Value: "troopers"
  IAMManagedPolicy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: "AttachGroupPolicy"
      Path: "/"
      PolicyDocument: !Sub |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "VisualEditor0",
              "Effect": "Allow",
              "Action": "iam:AttachGroupPolicy",
              "Resource": [
                "arn:aws:iam::*:group/${IAMGroup}"
              ]
            }
          ]
        }
  IAMManagedPolicy3:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: "AddUserToGroup"
      Path: "/"
      PolicyDocument: !Sub |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "VisualEditor0",
              "Effect": "Allow",
              "Action": "iam:AddUserToGroup",
              "Resource": [
                "arn:aws:iam::*:group/${IAMGroup}"
              ]
            }
          ]
        }
```
Can someone help me point out the changes to eliminate the circular dependency and get the template to work?
Since you are hardcoding the role names (`AddUserToGroupRole` and `AttachGroupPolicyRole`), you must use the names directly to overcome the circular dependency problem:
```yaml
  IAMManagedPolicy2:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: "UserAssumePolicy"
      Path: "/"
      PolicyDocument: !Sub |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "VisualEditor0",
              "Effect": "Allow",
              "Action": "sts:AssumeRole",
              "Resource": [
                "arn:aws:iam::*:role/AddUserToGroupRole",
                "arn:aws:iam::*:role/AttachGroupPolicyRole"
              ]
            }
          ]
        }
```
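To see why that change breaks the loop before a deploy fails, here is a small checker (an added example, not code from the question or the answer) that scans template text for `!Ref`, `!GetAtt` and `${...}` references under `Resources:`, builds the dependency graph and reports one cycle. It assumes a regex scan is good enough in place of a full YAML parser, and the embedded template is a constructed excerpt of the question's three resources; `dependency_graph` and `find_cycle` are names chosen for this example.

```python
import re
# Intrinsics that create dependency edges: !Ref X, !GetAtt X.Attr, and ${X} / ${X.Attr} in !Sub.
EDGE_RE = re.compile(r"!Ref\s+(\w+)|!GetAtt\s+(\w+)\.|\$\{(\w+)(?:\.\w+)?\}")

def dependency_graph(template):
    # Map each logical id under Resources: to the logical ids its properties reference.
    graph, current = {}, None
    for line in template.split("Resources:", 1)[1].splitlines():
        head = re.match(r"^  (\w+):\s*$", line)  # two-space indent = a logical id
        if head:
            current = head.group(1)
            graph.setdefault(current, set())
        elif current:
            for m in EDGE_RE.finditer(line):
                graph[current].add(next(g for g in m.groups() if g))
    # Keep only edges to resources in this template (drops parameters, ${AWS::Region}, ...).
    return {k: {t for t in v if t in graph} for k, v in graph.items()}

def find_cycle(graph):
    # Depth-first search; returns one cycle as a list whose first and last id match, or None.
    state, path = {}, []  # state: 1 = on the current DFS path, 2 = fully explored
    def visit(node):
        state[node] = 1
        path.append(node)
        for nxt in sorted(graph[node]):
            if state.get(nxt) == 1:  # back edge onto the DFS path: the cycle is closed
                return path[path.index(nxt):] + [nxt]
            if nxt not in state and (found := visit(nxt)):
                return found
        path.pop()
        state[node] = 2
    for start in sorted(graph):
        if start not in state and (found := visit(start)):
            return found
    return None

# Constructed excerpt of the question's template: IAMUser -> IAMManagedPolicy2 -> IAMRole -> IAMUser.
BROKEN = """\
Resources:
  IAMUser:
    Properties:
      ManagedPolicyArns: [!Ref IAMManagedPolicy2]
  IAMManagedPolicy2:
    Properties:
      PolicyDocument: !Sub '{"Resource": "arn:aws:iam::*:role/${IAMRole}"}'
  IAMRole:
    Properties:
      AssumeRolePolicyDocument: {Statement: [{Principal: {AWS: !GetAtt IAMUser.Arn}}]}
"""
FIXED = BROKEN.replace("${IAMRole}", "AddUserToGroupRole")  # the answer's fix: hard-coded role name
```

Run against the excerpt it reports the cycle `IAMManagedPolicy2 -> IAMRole -> IAMUser -> IAMManagedPolicy2`; with the role name hard-coded the policy has no outgoing edge and no cycle is found.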