
Cloudformation template to create a role for SQS

I am trying to create a role with an embedded policy using a CloudFormation template:

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "SQSRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [ {
            "Effect": "Allow",
            "Principal": {
              "Service": [ "sqs.amazonaws.com" ]
            },
            "Action": [
              "SQS:SendMessage",
              "SQS:ReceiveMessage",
              "SQS:DeleteMessage",
              "SQS:GetQueueUrl"
            ]
          } ]
        },
        "Path": "/"
      }
    },
    "RootInstanceProfile": {
      "Type": "AWS::IAM::InstanceProfile",
      "Properties": {
        "Path": "/",
        "Roles": [ {
          "Ref": "SQSRole"
        } ]
      }
    }
  }
}

It gives the error "Invalid principal in policy: "SERVICE":"sqs.amazonaws.com"".

I also tried replacing it with the exact URL of the SQS queue: "SERVICE":"sqs.ap-south-1.amazonaws.com/710161973367/CFI-Trace"

It still gives the same error. I am not sure what service to specify for SQS.

If you are trying to create an IAM role to be assumed by an EC2 instance, you should use the following instead:

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "SQSRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "ec2.amazonaws.com"
                ]
              },
              "Action": [
                "sts:AssumeRole"
              ]
            }
          ]
        },
        "Path": "/",
        "Policies": [
          {
            "PolicyName": "SqsAccess",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Sid": "1",
                  "Effect": "Allow",
                  "Action": [
                    "SQS:SendMessage",
                    "SQS:ReceiveMessage",
                    "SQS:DeleteMessage",
                    "SQS:GetQueueUrl"
                  ],
                  "Resource": [
                    "*"
                  ]
                }
              ]
            }
          }
        ]
      }
    },
    "RootInstanceProfile": {
      "Type": "AWS::IAM::InstanceProfile",
      "Properties": {
        "Path": "/",
        "Roles": [
          {
            "Ref": "SQSRole"
          }
        ]
      }
    }
  }
}

Note that the service that now assumes your IAM role is ec2.amazonaws.com. Also, only the EC2 service is now allowed to assume your IAM role (via sts:AssumeRole). Finally, all of your sqs:* actions have been moved into the IAM role's Policies property.
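The distinction the answer draws (the AssumeRolePolicyDocument only says who may assume the role via sts:AssumeRole; the SQS permissions live under Policies) can be checked mechanically before a stack is deployed. The following linter is an added example written for this page, not code from the question, the answer or AWS; the function names `check_role` and `lint_template` are hypothetical, and the two embedded templates are abridged, constructed copies of the ones above.

```python
# Abridged copies of the two templates above, constructed inline for this example.
BROKEN = {"Resources": {"SQSRole": {"Type": "AWS::IAM::Role", "Properties": {
    "AssumeRolePolicyDocument": {"Statement": [{"Effect": "Allow",
        "Principal": {"Service": ["sqs.amazonaws.com"]},
        "Action": ["SQS:SendMessage", "SQS:ReceiveMessage"]}]}}}}}

FIXED = {"Resources": {"SQSRole": {"Type": "AWS::IAM::Role", "Properties": {
    "AssumeRolePolicyDocument": {"Statement": [{"Effect": "Allow",
        "Principal": {"Service": ["ec2.amazonaws.com"]},
        "Action": ["sts:AssumeRole"]}]},
    "Policies": [{"PolicyName": "SqsAccess", "PolicyDocument": {"Statement": [
        {"Effect": "Allow", "Action": ["SQS:SendMessage"], "Resource": ["*"]}]}}]}}}}


def _as_list(value):
    """IAM allows a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_role(props):
    """Return findings (strings) for one AWS::IAM::Role's Properties block."""
    findings = []
    for stmt in _as_list(props["AssumeRolePolicyDocument"]["Statement"]):
        # A trust policy must grant only sts: actions; anything else belongs in Policies.
        for action in _as_list(stmt.get("Action", [])):
            if not action.lower().startswith("sts:"):
                findings.append(f"trust policy action {action!r} is not an sts: action; "
                                "move it into Properties.Policies")
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        for svc in services:
            if svc == "sqs.amazonaws.com":  # the principal the question reports as rejected
                findings.append(f"principal {svc!r} is rejected by IAM; name the service that "
                                "runs your code (e.g. ec2.amazonaws.com)")
    for pol in props.get("Policies", []):
        for stmt in _as_list(pol["PolicyDocument"]["Statement"]):
            # Least privilege: the answer's Resource "*" is a working but overbroad grant.
            if "*" in _as_list(stmt.get("Resource", [])):
                findings.append(f"policy {pol['PolicyName']!r} grants {stmt['Action']} on "
                                "Resource '*'; scope it to the queue ARN")
    return findings


def lint_template(template):
    """Map each IAM role's logical id to its findings; an empty list means clean."""
    return {name: check_role(res["Properties"])
            for name, res in template["Resources"].items()
            if res.get("Type") == "AWS::IAM::Role"}
```

Running `lint_template` over the question's template reports the misplaced SQS actions and the rejected principal; over the answer's template it reports only the wildcard Resource.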
