stackoom
  简体   繁体   中英

AWS CDK - role and policy creation

 原文  2020-05-29 21:20:24       amazon-web-services/ amazon-cloudformation/ aws-cdk

Question

How can I translate this CloudFormation to CDK (JavaScript or Java)? I was trying to do it, but this is the first time that I work with CDK and I'm not sure how to do it.

FargateTaskExecutionServiceRole:
Type: AWS::IAM::Role
Properties:
  AssumeRolePolicyDocument:
    Statement:
    - Effect: Allow
      Principal:
        Service: 
          - ecs-tasks.amazonaws.com
      Action:
        - sts:AssumeRole
  Policies:
    - PolicyName: AmazonECSTaskExecutionRolePolicy
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
        - Effect: Allow
          Action:
            - 'ecr:GetAuthorizationToken'
            - 'ecr:BatchCheckLayerAvailability'
            - 'ecr:GetDownloadUrlForLayer'
            - 'ecr:BatchGetImage'
            - 'logs:CreateLogStream'
            - 'logs:PutLogEvents'
          Resource: '*'

1 answers

solution1
 17 ACCPTED  2020-05-29 21:42:35

You should refer to API reference document to get a clear picture. There are examples for such use cases.

However, since you have already asked here and my hands has been itchy to provide you with an answer, so here goes the TypeScript implementation of just the IAM part:

import { 
   ManagedPolicy, 
   Role, 
   ServicePrincipal, 
   PolicyStatement, 
   Effect 
} from '@aws-cdk/aws-iam';

....
....

const ecsFargateServiceRole = new Role(this, 'FargateTaskExecutionServiceRole', {
  assumedBy: new ServicePrincipal('ecs-tasks.amazonaws.com')
});

// Add a policy to a Role
ecsFargateServiceRole.addToPolicy(
  new PolicyStatement({
    effect: Effect.ALLOW,
    resources: ['*'],
    actions: [            
      'ecr:GetAuthorizationToken',
      'ecr:BatchCheckLayerAvailability',
      'ecr:GetDownloadUrlForLayer',
      'ecr:BatchGetImage',
      'logs:CreateLogStream',
      'logs:PutLogEvents'
    ]
  })
);

// Add a managed policy to a role you can use
ecsFargateServiceRole.addManagedPolicy(
    ManagedPolicy.fromAwsManagedPolicyName('AmazonECSTaskExecutionRolePolicy')
);

....
....

UPDATE:

When you are adding an AWS managed policy to a role, you can get the managed policy as a reference by its name or by its ARN . The important part is that if an AWS Managed policy is used as above by its name or ARN, then you will not need to use the policy statement explicitly. From my answer above, you can use the managed policy approach rather than using the policy statement.

An easy way to define the role now would be:

const ecsFargateServiceRole = new Role(this, 'FargateTaskExecutionServiceRole', {
  assumedBy: new ServicePrincipal('ecs-tasks.amazonaws.com'),
  managedPolicies: [
    ManagedPolicy.fromAwsManagedPolicyName('AmazonECSTaskExecutionRolePolicy')
  ]
});

Note that I have excluded the constructor for the Construct for brevity.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question AWS CDK : how to get 'Arn' of an already created role or policy by their names AWS Python CDK - Account specific resource on policy creation Adding managed policy aws with cdk AWS CDK deploy using role AWS CDK Custom Resource Creation AWS CDK - SecurityGroup creation Typescript AWS Admin Role Policy Give AWS Lambda an AWS Managed Policy with CDK Attach an existing role to AWS Lambda with AWS CDK AWS CDK How to include principals in IAM policy?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM