What I'm trying to do is create an IAM policy that only gives access to a certain S3 bucket and I want to pass that S3 bucket as a parameter.
From AWS's documentation, this is what an IAM policy CloudFormation template looks like:
"RolePolicies": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "root",
"PolicyDocument": {
"Version" : "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Action": "*",
"Resource": "*"
} ]
},
The question is, how do you make "Resource" a parameter? The parameter should be the arn of the S3 bucket (ex. arn:aws:s3:::s3-bucket-name). Would I simply put in a string type parameter and type out the whole arn or would it be something like AWS::S3::Bucket type? Either way, I'm not sure what to type in after "Resource".
Thanks!
You can use Ref with Fn::Join or Fn::Sub
For example:
"Parameters" : {
"BucketName" : {
"Type" : "String",
"Description" : "S3 Bucket name."
}
}
With Ref and Fn::Join
...
"Resource": { "Fn::Join" : [ "", [ "arn:aws:s3:::", { "Ref" : "BucketName"} ] ] }
...
With Fn::Sub :
...
"Resource": { "Fn::Sub": [ "arn:aws:s3:::${BucketName}" ] }
...
More info about template parameters here
A little late to the party.
If your bucket is declared in Resources, like this:
...
Resources:
MyBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: my-bucket-name
...
...Then you can easily refer to it's ARN using Fn::GetAtt:
Resource:
Fn::GetAtt: [ MyBucket, "Arn" ]
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.