I am trying to move this iam role from CloudFormation to AWS CDK. I cant seem to find any good examples of this in Python. The Condition is where I am stuck at the moment. Has anyone created a role similar to this in Python?
CognitoUnAuthorizedRole:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Federated: "cognito-identity.amazonaws.com"
Action:
- "sts:AssumeRoleWithWebIdentity"
Condition:
StringEquals:
"cognito-identity.amazonaws.com:aud": !Ref IdentityPool
"ForAnyValue:StringLike":
"cognito-identity.amazonaws.com:amr": unauthenticated
Policies:
- PolicyName: "CognitoAuthorizedPolicy"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action:
- "cognito-sync:*"
Resource: !Join [ "", [ "arn:aws:cognito-sync:", !Ref "AWS::Region", ":", !Ref "AWS::AccountId", ":identitypool/", !Ref IdentityPool] ]
- Effect: Allow
Action:
- iot:Connect
Resource: !Join [ "", [ "arn:aws:iot:", !Ref "AWS::Region", ":", !Ref "AWS::AccountId", ":client/theme*" ] ]
- Effect: Allow
Action:
- iot:Subscribe
Resource: "*"
- Effect: Allow
Action:
- iot:Receive
Resource: !Join [ "", [ "arn:aws:iot:", !Ref "AWS::Region", ":", !Ref "AWS::AccountId", ":topic/*" ] ]
You should search the method in the lib, eg.
auth_role = aws_iam.Role(
self,
'ApiGwAuthRole',
assumed_by=aws_iam.ServicePrincipal("apigateway.amazonaws.com")
)
Add policy to a resource
_sqs.add_to_resource_policy(
statement=aws_iam.PolicyStatement(
effect=aws_iam.Effect.ALLOW,
actions=['sqs:SendMessage'],
resources=[_sqs.queue_arn],
principals=[aws_iam.AnyPrincipal()],
conditions={
"ArnEquals": {"aws:SourceArn": _source.ref}
}
)
)
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.