Creating a custom trust policy when creating a new IAM role using AWS-CDK
I'm trying to create a custom trust policy for an IAM role I'm creating via AWS-CDK. Below is the JSON I'm trying to implement. Not sure if 'custom' is the right term, but it's something other than the new iam.ServicePrincipal class.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::XXXX:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "XXXXX"
        }
      }
    }
  ]
}
I've tried doing the following in my build but it keeps failing on me with the error below.
const externalPolicyDocument = {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::XXXX:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "XXXX"
        }
      }
    }
  ]
}

const jsonCustomDocument = iam.PolicyDocument.fromJson(externalPolicyDocument);

new iam.Role(this, `${kinesisData.iamRole}`, {
  //assumedBy: new iam.ServicePrincipal(`kinesis.amazonaws.com`),
  assumedBy: jsonCustomDocument,
  description: `${kinesisData.iamDescription}`,
  roleName: `${kinesisData.iamRoleName}`,
  inlinePolicies: {
    kinesisPolicy: kinesisIAMStatement,
    kmsPolicy: kinesisKMS
  }
})
Below is the error I get:
/home/ubuntu/workspace/Twilio-CDK-EventSink/devops/aws-cdk/node_modules/@aws-cdk/aws-iam/lib/policy-statement.js:141
util_1.mergePrincipal(this.principal, fragment.principalJson);
^
TypeError: Cannot read property 'principalJson' of undefined
at AwsStarStatement.addPrincipals (/home/ubuntu/workspace/Twilio-CDK-EventSink/devops/aws-cdk/node_modules/@aws-cdk/aws-iam/lib/policy-statement.js:141:60)
at createAssumeRolePolicy (/home/ubuntu/workspace/Twilio-CDK-EventSink/devops/aws-cdk/node_modules/@aws-cdk/aws-iam/lib/role.js:317:15)
at new Role (/home/ubuntu/workspace/Twilio-CDK-EventSink/devops/aws-cdk/node_modules/@aws-cdk/aws-iam/lib/role.js:64:33)
at new kinesisSinkBuild (/home/ubuntu/workspace/Twilio-CDK-EventSink/devops/aws-cdk/resources/kinesis_build.js:77:9)
at new MainStack (/home/ubuntu/workspace/Twilio-CDK-EventSink/devops/aws-cdk/lib/aws-cdk-stack.js:18:26)
at Object.<anonymous> (/home/ubuntu/workspace/Twilio-CDK-EventSink/devops/aws-cdk/bin/aws-cdk.js:28:1)
at Module._compile (internal/modules/cjs/loader.js:1085:14)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:1114:10)
at Module.load (internal/modules/cjs/loader.js:950:32)
at Function.Module._load (internal/modules/cjs/loader.js:790:12)
Subprocess exited with error 1
Define an Account Principal with conditions:
assumedBy: new iam.AccountPrincipal('123456789012').withConditions({
  StringEquals: {
    'sts:ExternalId': 'XXXX',
  },
});
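As an added example (not code from the question or the answer), the plain JavaScript below shows the trust-policy document that the answer's `AccountPrincipal(...).withConditions(...)` call synthesizes, and a small review check that walks any trust-policy JSON and flags cross-account `sts:AssumeRole` statements that omit the `sts:ExternalId` condition (the condition exists to stop a third party from being tricked into assuming the role on someone else's behalf). The question's original code fails because `assumedBy` expects an `IPrincipal`, whose `policyFragment` carries the `principalJson` the stack trace is reading, and a `PolicyDocument` is not a principal. The account ids and external id here are constructed placeholders, and no CDK import is needed, so the block runs stand-alone.

```javascript
// Added example: build the trust policy the answer's AccountPrincipal(...)
// .withConditions(...) produces, then lint trust policies for cross-account
// AssumeRole statements that lack an sts:ExternalId condition.
// All account ids and external ids below are constructed placeholders.

// Trust policy allowing `accountId` to assume the role only when it presents
// `externalId`; this is the document the CDK answer synthesizes.
function buildTrustPolicy(accountId, externalId) {
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Principal: { AWS: `arn:aws:iam::${accountId}:root` },
        Action: "sts:AssumeRole",
        Condition: { StringEquals: { "sts:ExternalId": externalId } },
      },
    ],
  };
}

// IAM allows many fields to be a single string or an array of strings.
function asArray(v) {
  if (v === undefined || v === null) return [];
  return Array.isArray(v) ? v : [v];
}

// Extract the 12-digit account id from an "arn:aws:iam::ACCOUNT:..." ARN;
// bare account ids and "*" are returned unchanged.
function accountOf(principal) {
  const m = /^arn:aws:iam::(\d{12}):/.exec(principal);
  return m ? m[1] : principal;
}

// True if the statement's Condition pins sts:ExternalId under any String*
// operator (StringEquals, StringLike, ForAnyValue:StringEquals, ...).
function pinsExternalId(condition) {
  return Object.keys(condition || {}).some(
    (op) =>
      op.toLowerCase().includes("string") &&
      Object.keys(condition[op] || {}).some((k) => k.toLowerCase() === "sts:externalid")
  );
}

// Return one finding per Allow statement that lets another AWS account (or "*")
// call sts:AssumeRole without an sts:ExternalId condition. `ownAccountId` is
// the account that owns the role; same-account trust needs no external id.
function findMissingExternalId(trustPolicy, ownAccountId) {
  const findings = [];
  for (const [index, stmt] of asArray(trustPolicy.Statement).entries()) {
    if (stmt.Effect !== "Allow") continue;
    const actions = asArray(stmt.Action).map((a) => a.toLowerCase());
    if (!actions.some((a) => a === "sts:assumerole" || a === "sts:*" || a === "*")) continue;
    const awsPrincipals = asArray((stmt.Principal || {}).AWS);
    if (stmt.Principal === "*") awsPrincipals.push("*");
    const foreign = awsPrincipals.filter((p) => accountOf(p) !== ownAccountId);
    if (foreign.length === 0) continue;
    if (!pinsExternalId(stmt.Condition)) findings.push({ statement: index, principals: foreign });
  }
  return findings;
}

// Constructed sample: the same cross-account trust with the Condition dropped.
const SAMPLE_UNPINNED_POLICY = {
  Version: "2012-10-17",
  Statement: [
    {
      Effect: "Allow",
      Principal: { AWS: "arn:aws:iam::123456789012:root" },
      Action: "sts:AssumeRole",
    },
  ],
};

// Usage: the role lives in account 111122223333 and trusts 123456789012.
const pinned = buildTrustPolicy("123456789012", "example-external-id");
console.log("pinned policy findings:", findMissingExternalId(pinned, "111122223333"));
console.log("unpinned policy findings:", findMissingExternalId(SAMPLE_UNPINNED_POLICY, "111122223333"));
```

The check treats the account that owns the role as trusted and only reports principals from other accounts, since an external id adds nothing to same-account trust; it accepts any `String*` condition operator so that `StringLike` or set-operator variants are not reported as missing.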