[英]Cloudformation template to create a role for SQS
我正在嘗試使用cloudformation模板創建具有嵌入式策略的角色:
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"SQSRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version" : "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Principal": {
"Service": [ "sqs.amazonaws.com" ]
},
"Action": [
"SQS:SendMessage",
"SQS:ReceiveMessage",
"SQS:DeleteMessage",
"SQS:GetQueueUrl"
]
} ]
},
"Path": "/"
}
},
"RootInstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [ {
"Ref": "SQSRole"
} ]
}
}
}
}
它給出錯誤“策略中的無效主體:“ SERVICE”:“ sqs.amazonaws.com”。
我還嘗試通過替換SQS隊列的確切URL:“ SERVICE”:“ sqs.ap-south-1.amazonaws.com/710161973367/CFI-Trace”
仍然給出相同的錯誤。 不確定要為sqs指定什么服務。
如果嘗試創建要由EC2實例承擔的IAM角色,則應改用以下方法:
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"SQSRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"Policies": [
{
"PolicyName": "SqsAccess",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Action": [
"SQS:SendMessage",
"SQS:ReceiveMessage",
"SQS:DeleteMessage",
"SQS:GetQueueUrl"
],
"Resource": [
"*"
]
}
]
}
}
]
}
},
"RootInstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [
{
"Ref": "SQSRole"
}
]
}
}
}
}
請注意,現在將擔當您IAM角色的服務是ec2.amazonaws.com
。 而且,現在僅允許EC2服務承擔您的IAM角色(通過sts:AssumeRole
)。 最后,您所有的sqs:*
操作已移至IAM角色的“ Policies
屬性中。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.