
AWS Python CDK - Account specific resource on policy creation

I'm trying to create an AWS policy to grant the kms:CreateKey permission to a principal. I'm having trouble defining the Resource part of the policy.

By reading the docs I found out that I can specify something like this:

arn:AWS_partition_name:kms:AWS_region:AWS_account_ID:*

instead of the regular *.

My question is, how can I achieve this using the Python CDK?

You can create an IAM policy like this:

```python
from aws_cdk import aws_iam as iam

iam.PolicyStatement(
    # effect is optional.  It can be DENY or ALLOW, and it defaults to ALLOW
    effect=iam.Effect.ALLOW,

    # Specifies a list of actions this principal is allowed/denied to call.
    actions=[
        # Specify a specific action
        'kms:CreateKey',
        # Or, you can specify all actions of a specific service:
        'kms:*',
    ],

    # Resources this principal can act on.
    resources=[
        # All keys in your account, in your region
        'arn:aws:kms:<YOUR REGION>:<YOUR ACCOUNT ID>:key/*',

        # All aliases in your account, in your region
        'arn:aws:kms:<YOUR REGION>:<YOUR ACCOUNT ID>:alias/*',
    ],
)
```

I very highly recommend playing around in the interactive IAM Policy editor, which gives a fantastic view of all required/possible things you can do when creating a policy, including advanced ARN composition.

You can do it by using the predefined environment variables in Python related to the AWS CLI/AWS CDK. In this case you can do it in the following way:

```python
import os

# AWS_partition_name is a placeholder; use your partition (e.g. aws)
arn = f"arn:AWS_partition_name:kms:{os.getenv('CDK_DEFAULT_REGION')}:{os.getenv('CDK_DEFAULT_ACCOUNT')}:*"
```

Here is the full picture of how to add it to a role:

```python
import os
from aws_cdk import aws_iam as _iam

role = _iam.Role(
    self, "lambda_emr_launcher_role",  # self: the enclosing Stack/construct
    role_name="_trackit-emr-launcher-role",
    description="Service role for self-titled Lambda",
    assumed_by=_iam.ServicePrincipal("lambda.amazonaws.com"),
    managed_policies=[_iam.ManagedPolicy.from_aws_managed_policy_name(
        "service-role/AWSLambdaBasicExecutionRole")],
    inline_policies={"Policy_KMS": _iam.PolicyDocument(statements=[
        _iam.PolicyStatement(
            effect=_iam.Effect.ALLOW,
            # no principals here: an identity-based policy attached to a role carries no Principal element
            resources=[f"arn:AWS_partition_name:kms:{os.getenv('CDK_DEFAULT_REGION')}:{os.getenv('CDK_DEFAULT_ACCOUNT')}:*"],
            actions=["kms:CreateKey"],
        )
    ])},
)
```
