[英]How to create an IAM PolicyDocument with multiple statements using CDK Python?
我正在尝试使用 cdk 中的 python 编写包含多个语句的 IAM PolicyDocument,但我在任何地方都找不到任何示例。
这就是我在 YAML 中的内容,我正在尝试使用 python 在 CDK 中写入。
Lambda:
Type: AWS::IAM::Role
Properties:
RoleName:
Fn::Sub: LambdaRole
Policies:
- PolicyName:
Fn::Sub: LambdaPolicy
PolicyDocument:
Version: 2012-10-17
Statement:
- Sid: ADPermissions
Effect: Allow
Action:
- ssm:SendCommand
- ec2:DescribeInstances
- ds:DescribeDirectories
- ssm:GetParameter
- ssm:PutParameter
- ssm:StartAutomationExecution
- dynamodb:Scan
- dynamodb:Query
- sts:AssumeRole
Resource: "*"
- Sid: SQS
Effect: Allow
Action:
- sqs:SendMessage
Resource:"*"
- Sid: CloudWatch
Effect: Allow
Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Resource:"*"
我基于 YAML 编写了以下内容,但它给了我错误。 对此的任何帮助都将受到高度赞赏。
RolePolicy.add_to_policy(
iam.PolicyDocument(
statements = [
iam.PolicyStatement(
effect = iam.Effect.ALLOW,
actions = [
'ssm:SendCommand',
'ec2:DescribeInstances',
'ds:DescribeDirectories',
'ssm:GetParameter',
'ssm:PutParameter',
'ssm:StartAutomationExecution',
'sts:AssumeRole'
],
resources = ['*']
)
]
),
iam.PolicyDocument(
statements = [
iam.PolicyStatement(
effect = iam.Effect.ALLOW,
actions = [
'sqs:SendMessage'
],
resources = ['*']
)
]
),
iam.PolicyDocument(
statements = [
iam.PolicyStatement(
effect = iam.Effect.ALLOW,
actions = [
'logs:CreateLogGroup',
'logs:CreateLogStream',
'logs:PutLogEvents'
],
resources = ['*']
)
]
)
)
那个特定的 API 只接受一个语句,例如
RolePolicy.add_to_policy(
iam.PolicyStatement(
effect = iam.Effect.ALLOW,
actions = [
'ssm:SendCommand',
'ec2:DescribeInstances',
'ds:DescribeDirectories',
'ssm:GetParameter',
'ssm:PutParameter',
'ssm:StartAutomationExecution',
'sts:AssumeRole'
],
resources = ['*']
)
)
因此,假设 RolePolicy 是 PolicyDocument 类型,您必须对每个策略多次调用它。
或者,您可以调查允许您一次将整个策略附加到角色的其他 API 之一: https://docs.aws.amazon.com/cdk/api/latest/python/aws_cdk.aws_iam/Role .html#aws_cdk.aws_iam.Role.attach_inline_policy或https://docs.aws.amazon.com/cdk/api/latest/python/aws_cdk.aws_iam/Role.html#aws_cdk.aws_iam.Role.add_managed_policy
这里的结构更像是:
Role.attach_inline_policy(
iam.Policy(self, 'Policy'
statements = [
iam.PolicyStatement(
effect = iam.Effect.ALLOW,
actions = [
'ssm:SendCommand',
'ec2:DescribeInstances',
'ds:DescribeDirectories',
'ssm:GetParameter',
'ssm:PutParameter',
'ssm:StartAutomationExecution',
'sts:AssumeRole'
],
resources = ['*']
),
iam.PolicyStatement(
effect = iam.Effect.ALLOW,
actions = [
'sqs:SendMessage'
],
resources = ['*']
),
iam.PolicyStatement(
effect = iam.Effect.ALLOW,
actions = [
'logs:CreateLogGroup',
'logs:CreateLogStream',
'logs:PutLogEvents'
],
resources = ['*']
)
]
)
)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.