
aws iam role move from CloudFormation to CDK

I am trying to move this IAM role from CloudFormation to AWS CDK. I can't seem to find any good examples of this in Python. The Condition is where I am stuck at the moment. Has anyone created a role similar to this in Python?

  CognitoUnAuthorizedRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument: 
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal: 
              Federated: "cognito-identity.amazonaws.com"
            Action: 
              - "sts:AssumeRoleWithWebIdentity"
            Condition:
              StringEquals: 
                "cognito-identity.amazonaws.com:aud": !Ref IdentityPool
              "ForAnyValue:StringLike":
                "cognito-identity.amazonaws.com:amr": unauthenticated
      Policies:
        - PolicyName: "CognitoAuthorizedPolicy"
          PolicyDocument: 
            Version: "2012-10-17"
            Statement: 
              - Effect: "Allow"
                Action:
                  - "cognito-sync:*"
                Resource: !Join [ "", [ "arn:aws:cognito-sync:", !Ref "AWS::Region", ":", !Ref "AWS::AccountId", ":identitypool/", !Ref IdentityPool] ]
              - Effect: Allow
                Action:
                  - iot:Connect
                Resource: !Join [ "", [ "arn:aws:iot:", !Ref "AWS::Region", ":", !Ref "AWS::AccountId", ":client/theme*" ] ]
              - Effect: Allow
                Action:
                  - iot:Subscribe
                Resource: "*"
              - Effect: Allow
                Action:
                  - iot:Receive
                Resource: !Join [ "", [ "arn:aws:iot:", !Ref "AWS::Region", ":", !Ref "AWS::AccountId", ":topic/*" ] ]

You should search for the method in the lib, e.g.

from aws_cdk import aws_iam

# A role whose trust policy lets API Gateway assume it
auth_role = aws_iam.Role(
    self,
    'ApiGwAuthRole',
    assumed_by=aws_iam.ServicePrincipal("apigateway.amazonaws.com")
)

Add policy to a resource

# _sqs is an aws_sqs.Queue, _source the construct allowed to send to it;
# the Condition dict has the same shape as the CloudFormation Condition block
_sqs.add_to_resource_policy(
    statement=aws_iam.PolicyStatement(
        effect=aws_iam.Effect.ALLOW,
        actions=['sqs:SendMessage'],
        resources=[_sqs.queue_arn],
        principals=[aws_iam.AnyPrincipal()],
        conditions={
            "ArnEquals": {"aws:SourceArn": _source.ref}
        }
    )
)
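The CloudFormation role from the question expressed as CDK v2 Python, as an added example that is not code from the question or the answer. It assumes CDK v2 (the `aws_cdk` package) and that `identity_pool` is an `aws_cognito.CfnIdentityPool`, so `identity_pool.ref` plays the part of `!Ref IdentityPool`; the helper names (`unauth_trust_conditions`, `trust_policy_is_scoped`, `build_unauth_role`) are mine. The Condition block is just a Python dict passed to `FederatedPrincipal(conditions=...)`, and the same dict is kept in plain form so it can be checked without synthesizing a stack.

```python
"""CDK v2 Python equivalent of CognitoUnAuthorizedRole (added example).

Assumed: CDK v2 (`aws_cdk`) and an `identity_pool` that is an
`aws_cognito.CfnIdentityPool`, whose `.ref` is the pool id (!Ref IdentityPool).
"""
from __future__ import annotations

from typing import Any

COGNITO_FEDERATED = "cognito-identity.amazonaws.com"
AUD_KEY = "cognito-identity.amazonaws.com:aud"
AMR_KEY = "cognito-identity.amazonaws.com:amr"


def unauth_trust_conditions(identity_pool_id: str) -> dict[str, Any]:
    """The Condition block of the AssumeRolePolicyDocument as a plain mapping.
    This is exactly the value FederatedPrincipal(conditions=...) expects."""
    return {
        "StringEquals": {AUD_KEY: identity_pool_id},
        "ForAnyValue:StringLike": {AMR_KEY: "unauthenticated"},
    }


def unauth_trust_policy(identity_pool_id: str) -> dict[str, Any]:
    """Whole trust policy, equivalent to the template's AssumeRolePolicyDocument."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": COGNITO_FEDERATED},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": unauth_trust_conditions(identity_pool_id),
        }],
    }


def trust_policy_is_scoped(policy: dict[str, Any]) -> bool:
    """True only if every Cognito statement pins both the identity pool (aud)
    and the unauthenticated amr.  Losing either while porting is the classic
    mistake: without `aud` any identity pool can assume the role, and without
    `amr` authenticated users receive the unauthenticated role as well."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Principal", {}).get("Federated") != COGNITO_FEDERATED:
            continue
        cond = stmt.get("Condition", {})
        aud = cond.get("StringEquals", {}).get(AUD_KEY)
        amr = cond.get("ForAnyValue:StringLike", {}).get(AMR_KEY)
        if not aud or amr != "unauthenticated":
            return False
    return True


def build_unauth_role(scope, identity_pool):
    """Create the role in CDK.  `scope` is the Stack (or any Construct in it)."""
    # Imported here so the plain-dict helpers above stay usable without the CDK.
    from aws_cdk import Stack, aws_iam as iam

    stack = Stack.of(scope)

    def arn(service: str, resource: str, name: str) -> str:
        # Same ARN the template builds with !Join from AWS::Region / AWS::AccountId
        return stack.format_arn(service=service, resource=resource, resource_name=name)

    policy = iam.PolicyDocument(statements=[
        iam.PolicyStatement(actions=["cognito-sync:*"],
                            resources=[arn("cognito-sync", "identitypool", identity_pool.ref)]),
        iam.PolicyStatement(actions=["iot:Connect"], resources=[arn("iot", "client", "theme*")]),
        # Kept as in the original template; "*" allows subscribing to any topic
        # filter, so a topicfilter ARN is the tighter choice where the app permits.
        iam.PolicyStatement(actions=["iot:Subscribe"], resources=["*"]),
        iam.PolicyStatement(actions=["iot:Receive"], resources=[arn("iot", "topic", "*")]),
    ])
    return iam.Role(
        scope,
        "CognitoUnAuthorizedRole",
        assumed_by=iam.FederatedPrincipal(
            COGNITO_FEDERATED,
            conditions=unauth_trust_conditions(identity_pool.ref),
            assume_role_action="sts:AssumeRoleWithWebIdentity",
        ),
        # inline_policies keeps the template's policy name; role.add_to_policy
        # would instead create a policy named DefaultPolicy.
        inline_policies={"CognitoAuthorizedPolicy": policy},
    )
```

Call `build_unauth_role(self, identity_pool)` from the stack's `__init__` after creating the `CfnIdentityPool`; `assume_role_action` must be set explicitly because `FederatedPrincipal` defaults to `sts:AssumeRole`, which Cognito identities cannot use.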
