堆栈内存溢出
  简体   繁体   English

使用 AWS-CDK 创建新的 IAM 角色时创建自定义信任策略

[英]Creating a custom trust policy when creating a new IAM role using AWS-CDK

 原文  2022-04-27 06:59:06       aws-cdk

问题描述

I'm trying to create a custom trust policy for an IAM role I'm creating via AWS-CDK.我正在尝试为我通过 AWS-CDK 创建的 IAM 角色创建自定义信任策略。 Below is the JSON I'm trying to implement.下面是我正在尝试实现的 JSON。 Not sure if 'custom' is the right term but it's something other than new iam.ServicePrincipal class.不确定“自定义”是否是正确的术语,但它不是新的 iam.ServicePrincipal class。

{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::XXXX:root"
                },
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {
                        "sts:ExternalId": "XXXXX"
                    }
                }
            }
            ]
        }

I've tried doing to following in my build but it keeps failing on me with the error below.我已经尝试在我的构建中执行以下操作,但由于以下错误,它一直在我身上失败。

    const externalPolicyDocument = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::XXXX:root"
                },
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {
                        "sts:ExternalId": "XXXX"
                    }
                }
            }
            ]
        }

        const jsonCustomDocument = iam.PolicyDocument.fromJson(externalPolicyDocument);
        
        new iam.Role(this, `${kinesisData.iamRole}`, {
            //assumedBy: new iam.ServicePrincipal(`kinesis.amazonaws.com`),
            assumedBy: jsonCustomDocument,
            description: `${kinesisData.iamDescription}`,
            roleName: `${kinesisData.iamRoleName}`,
            inlinePolicies: {
                kinesisPolicy: kinesisIAMStatement,
                kmsPolicy: kinesisKMS
            }
        })

Below is the error I get:以下是我得到的错误:

/home/ubuntu/workspace/Twilio-CDK-EventSink/devops/aws-cdk/node_modules/@aws-cdk/aws-iam/lib/policy-statement.js:141
            util_1.mergePrincipal(this.principal, fragment.principalJson);
                                                           ^

TypeError: Cannot read property 'principalJson' of undefined
    at AwsStarStatement.addPrincipals (/home/ubuntu/workspace/Twilio-CDK-EventSink/devops/aws-cdk/node_modules/@aws-cdk/aws-iam/lib/policy-statement.js:141:60)
    at createAssumeRolePolicy (/home/ubuntu/workspace/Twilio-CDK-EventSink/devops/aws-cdk/node_modules/@aws-cdk/aws-iam/lib/role.js:317:15)
    at new Role (/home/ubuntu/workspace/Twilio-CDK-EventSink/devops/aws-cdk/node_modules/@aws-cdk/aws-iam/lib/role.js:64:33)
    at new kinesisSinkBuild (/home/ubuntu/workspace/Twilio-CDK-EventSink/devops/aws-cdk/resources/kinesis_build.js:77:9)
    at new MainStack (/home/ubuntu/workspace/Twilio-CDK-EventSink/devops/aws-cdk/lib/aws-cdk-stack.js:18:26)
    at Object.<anonymous> (/home/ubuntu/workspace/Twilio-CDK-EventSink/devops/aws-cdk/bin/aws-cdk.js:28:1)
    at Module._compile (internal/modules/cjs/loader.js:1085:14)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:1114:10)
    at Module.load (internal/modules/cjs/loader.js:950:32)
    at Function.Module._load (internal/modules/cjs/loader.js:790:12)
Subprocess exited with error 1

1 个解决方案

解决方案1
 1 已采纳  2022-04-27 09:53:29

Define an Account Principal with conditions:定义一个有条件的账户主体

assumedBy: new iam.AccountPrincipal('123456789012').withConditions({
  StringEquals: {
    'sts:ExternalId': 'XXXX',
  },
});

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 我想使用 AWS CDK 更新现有 IAM 角色的信任策略 - I want to update the trustpolicy of existing IAM role using AWS CDK 使用 AWS CDK 创建 AWS DMS 任务 - Creating an AWS DMS task using AWS CDK Terraform AWS IAM 角色“inline_policy.0.policy”包含使用 ${file xyz} 和 jsonencode 的无效 JSON 策略 - Terraform AWS IAM Role “inline_policy.0.policy” contains an invalid JSON policy using ${file xyz} and jsonencode 参数目标的类型必须是 aws_cdk.CfnResource; 取而代之的是 aws_cdk.aws_iam.Role - type of argument target must be aws_cdk.CfnResource; got aws_cdk.aws_iam.Role instead aws_iam_role 和aws_iam_role_policy 是什么意思? - What is the meaning of aws_iam_role and aws_iam_role_policy? 如何通过 aws-cdk 将自定义指标和警报添加到 AWS Lambda 函数 - How to add custom Metric and Alarm to AWS Lambda function via aws-cdk AWS CDK - 创建路由表时获取 InvalidRouteTableId.Malformed - AWS CDK - Getting InvalidRouteTableId.Malformed when creating Route Table AWS CDK:如何通过名称获取已创建角色或策略的“Arn” - AWS CDK : how to get 'Arn' of an already created role or policy by their names 在 typescript 中获取 aws-cdk 错误 - Getting aws-cdk errors in typescript 是否可以使用 aws-cdk 创建多账户设置? - Is it possible to create a multi-account set up using aws-cdk?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM