[英]Creating CloudWatch rule with AWS CloudFormation not linking to role
我正在尝试创建一个按计划触发并执行状态机 (Step Functions) 的 CloudWatch 规则。 我正在使用 CloudFormation 来创建它,除了规则使用的 IAM 角色与规则本身的关联之外,一切都很好。 这就是我的意思:
注意在“使用现有角色”下它是空白的。
这是处理规则及其作用的 CF 模板部分。
"SFInvoke":{
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": {
"Fn::Sub": "states.${AWS::Region}.amazonaws.com"
}
},
"Action": "sts:AssumeRole"
}
]
},
"Policies": [
{
"PolicyName": "StepFunctionsInvoke",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"states:StartExecution"
],
"Resource": { "Ref" : "StateMachine"}
}
]
}
}
]
}
},
"CloudWatchStateMachineSDCEventRule": {
"Type":"AWS::Events::Rule",
"Properties": {
"Description":"CloudWatch trigger for the InSite Static Data Consumer",
"ScheduleExpression": "rate(5 minutes)",
"State":"ENABLED",
"Targets":[{
"Arn":{ "Ref" : "StateMachine"},
"Id":"StateMachineTargetId",
"RoleArn":{
"Fn::GetAtt": [
"SFInvoke",
"Arn"
]
}
}]
}
},
您希望SFInvoke角色显示在Use existing role selector吗?
如果是这种情况,您需要将 Principal 设置为events而不是states 。
您正在编辑上面屏幕截图中的事件目标,而不是步进函数。 Principal 定义可以承担该角色的服务,在您的情况下是事件服务。
试试这个来创建角色:
"SFInvoke":{
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "events.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"Policies": [
{
"PolicyName": "StepFunctionsInvoke",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"states:StartExecution"
],
"Resource": { "Ref" : "StateMachine"}
}
]
}
}
]
}
}
Yaml 可能是这样的:
基于主体:作为基于事件的服务和动作:启动 StepFunctions 状态机的执行。
AWSEventsInvokeStepFunctions:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service:
- events.amazonaws.com
Action: sts:AssumeRole
Policies:
- PolicyName: AWSEventsInvokeStepFunctions
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- states:StartExecution
Resource: !Sub "arn:aws:states:${AWS::Region}:${AWS::AccountId}:stateMachine:*"
现在本质上是通用的角色可以应用于 CloudWatch 事件规则,为规则授予能够基于 Amazon S3 事件启动 StepFunctions 状态机的执行的权限。
AmazonCloudWatchEventRule:
Type: AWS::Events::Rule
Properties:
EventPattern:
source:
- aws.s3
detail-type:
- 'AWS API Call via CloudTrail'
detail:
eventSource:
- s3.amazonaws.com
eventName:
- PutObject
requestParameters:
bucketName:
- !Ref EventBucket
Targets:
-
RoleArn: !GetAtt AWSEventsInvokeStepFunctions.Arn
Arn: !Sub "arn:aws:states:${AWS::Region}:${AWS::AccountId}:stateMachine:MyStateMachine"
Id: !Sub "StepExecution"
您可能可以查看更多关于基于 Amazon S3 事件启动状态机的执行
通过 CloudFormation 创建时,AWS 事件桥规则角色未附加到事件桥
[英]AWS event bridge rule role not attaching to event bridge when creating via CloudFormation
AWS Cloudformation:适用于 RDS 的 CloudWatch 警报是否需要 IAM 角色?
[英]AWS Cloudformation : Does CloudWatch Alarm for RDS needs IAM role?
通过 cloudformation 为 fargate launchtype 任务创建 cloudwatch 事件规则的“目标”
[英]creating a 'Target' for a cloudwatch event rule via cloudformation for a fargate launchtype task
将 lambda 目标角色添加到 Cloudformation 中的 AWS Eventbridge 规则失败
[英]Adding lambda target role to AWS Eventbridge rule in Cloudformation fails
将现有 AWS CloudWatch 警报导出到 CloudFormation 模板
[英]Export existing AWS CloudWatch alarms to CloudFormation template
AWS Cloudformation:授予Cloudwatch *调用Lambda的权限
[英]AWS Cloudformation: Give Cloudwatch * Permissions to invoke Lambda
AWS Cloudformation 角色无权对角色执行 AssumeRole
[英]AWS Cloudformation Role is not authorized to perform AssumeRole on Role
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.