stackoom
  简体   繁体   中英

how to create "role" with "Another AWS account" role type by cli command?

 原文  2020-03-15 04:29:42       amazon-web-services/ amazon-iam/ user-roles

Question

I am trying to write a batch file in windows to do below steps by CLI command( actual example ), but I don't know how to create a role and set cli command for "Another AWS account" role type. Do you mind help me?

In the navigation pane on the left, choose Roles and then choose Create role .

Choose the Another AWS account role type.

For Account ID, type the Development account ID .

This tutorial uses the example account ID 111111111111 for the Development account. You should use a valid account ID. If you use an invalid account ID, such as 111111111111, IAM does not let you create the new role.

For now you do not need to require an external ID, or require users to have multi-factor authentication (MFA) in order to assume the role. So leave these options unselected. For more information, see Using Multi-Factor Authentication (MFA) in AWS

Choose Next: Permissions to set the permissions that will be associated with the role.

my codes for creating a role:

call aws iam create-role --role-name xxx-S3-Role --assume-role-policy-document file://trustpolicy.json

my trustpolicy.json

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::222222075333:role/xxx-S3-Role"
  }]
}

I am receiving below error:

An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: Has prohibited field Resource

1 answers

solution1
 1 ACCPTED  2020-03-15 06:11:55

I solve my problem by changing two parts.

1- by fix the path of policy 

aws iam create-role --role-name xxx-S3-Role --assume-role-policy-document file://c:\foldername\trustpolicy.json

2- I change the format of the policy by reverse engineering a policy that I created from the console, the format is in below: 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::222222075333:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Aws cli - Role chaining - Use a master role in primary account to assume a secondary role in other account Reverting to the AWS Lambda execution role after assuming a role in another account IAM role to access services of another AWS account How to assume an AWS role from another AWS role? How do I create a role with AWS managed policy using aws-cli? How to assume an AWS role from codebuild to update lambda function in another AWS account? How To Use Terraform To Create an AWS IAM Role with No Assume Role Policy? How to get AWS Glue crawler to assume a role in another AWS account to get data from that account's S3 bucket? AWS: deny users to create Role for Cross-Account Access How do I have an ECS task assume a role from another AWS Account?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM