
如何在 cloudformation 的參考參數中使用 AWS principal

[英]How to use AWS principal in reference parameter in cloudformation

我需要在我的 CloudFormation 模板中把這一行 "AWS": "arn:aws:iam::684821578293:user/jenkins" 改成自動生成(參數化)的形式,但是使用 Join 時它不起作用,有人可以幫忙嗎?

可以正常工作的模板見下方鏈接,測試時使用的參數列表如下

堆棧名稱:測試

CreateCodeDeployRole: false CreateECSRole: false CreateJenkinsRole: true CustomerPrefix: kfc (anyname) Environment: dt GroupName: sogetiadmin RoleName: Jenkins_Tool_Access UserName: jenkins

https://s3.amazonaws.com/linuxblogger-k8s-state/iamcreation_working.json

問題:

但是,一旦我把工作模板中的 "AWS": "arn:aws:iam::684821578293:user/admin" 改成 "AWS": "arn:aws:iam::684821578293:user/jenkins",它就不起作用了。

我嘗試用 Join function 拼接 Jenkins 用戶名,但它不起作用,您可以從下面的鏈接查看這個 json

https://s3.amazonaws.com/linuxblogger-k8s-state/iamcreation_not_working.json

{
  "AWSTemplateFormatVersion" : "2010-09-09",
  "Description" : "IAM groups and account-wide role configurations",
  "Parameters" : {
    "CustomerPrefix" : {
            "Type" : "String",
            "Default" : "testcust",
            "Description" : "Enter Customer Prefix"
        },

    "Environment"    : {
            "Type" : "String",
            "Default" : "dt",
            "Description" : "Enter Environment (Input Format - d=development, t=test, a=acceptance, p=production, dt=devtest, ap=acceptanceproduction)",
            "AllowedValues" : [
                "d",
                "t",
                "a",
                "p",
                "dt",
                "ap"
            ]
        },

  
    "CreateCodeDeployRole" : {
      "Type"                    : "String",
      "Default"             : "true",
      "Description"         : "Whether a role should be created for use with AWS CodeDeploy",
      "AllowedValues"           : ["true", "false"],
      "ConstraintDescription"   : "Must be true or false."
    },

    
    "CreateECSRole" : {
      "Type"                    : "String",
      "Default"             : "true",
      "Description"         : "Whether a role should be created for use with AWS EC2 Container Service",
      "AllowedValues"           : ["true", "false"],
      "ConstraintDescription"   : "Must be true or false."
    },
    
    "CreateJenkinsRole" : {
      "Type"                    : "String",
      "Default"             : "true",
      "Description"         : "Whether a role should be created for use with Aws Jenkins Service",
      "AllowedValues"           : ["true", "false"],
      "ConstraintDescription"   : "Must be true or false."
    },

    
    "UserName" : { 
    "Type"                  : "String",
    "Default"               : "jenkins",
    "Description"           : "Please Provide Name of the IAM user"     
    },
    
    "RoleName" : { 
    "Type"                  : "String",
    "Default"               : "Jenkins_Tool_Access",
    "Description"           : "Please Provide Name of the IAM Role"     
    },
    
    "GroupName" : { 
    "Type"                  : "String",
    "Default"               : "sogetiadmin",
    "Description"           : "Please Provide Name of the IAM Group"
    }
  },
  

  "Conditions" :{
    "IsDev" : {
      "Fn::Equals" : [ { "Ref" : "Environment" }, "dev" ]
    },
    "IsQet" : {
      "Fn::Equals" : [ { "Ref" : "Environment" }, "qet" ]
    },
    "IsStg" : {
      "Fn::Equals" : [ { "Ref" : "Environment" }, "stg" ]
    },
    "IsPrd" : {
      "Fn::Equals" : [ { "Ref" : "Environment" }, "prd" ]
    },
    
    "CreateCodeDeployRole" : {
      "Fn::Equals" : [ { "Ref" : "CreateCodeDeployRole" }, "true" ]
    },
        
    
    "CreateECSRole" : {
      "Fn::Equals" : [ { "Ref" : "CreateECSRole" }, "true" ]
    },
    
    "CreateJenkinsRole" : {
      "Fn::Equals" : [ { "Ref" : "CreateJenkinsRole" }, "true" ]
    }
    
  },

  "Resources" : {

    "AWSCodeDeployRole" : {
      "Type" : "AWS::IAM::Role",
      "Condition" : "CreateCodeDeployRole",
      "Properties" : {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": {
                  "Fn::Join": [
                    ".",
                    [
                      "codedeploy",
                      { "Ref" : "AWS::Region" },
                      "amazonaws.com"
                    ]
                  ]
                }
              },
              "Action": "sts:AssumeRole"
            }
          ]
        },
        
        "Policies" : [
          {
            "PolicyName" : "AWSCodeDeployPolicy",
            "PolicyDocument" : {
              "Statement": [
                {
                  "Action": [
                    "autoscaling:PutLifecycleHook",
                    "autoscaling:DeleteLifecycleHook",
                    "autoscaling:RecordLifecycleActionHeartbeat",
                    "autoscaling:CompleteLifecycleAction",
                    "autoscaling:DescribeAutoscalingGroups",
                    "autoscaling:PutInstanceInStandby",
                    "autoscaling:PutInstanceInService",
                    "ec2:Describe*"
                  ],
                  "Effect": "Allow",
                  "Resource": "*"
                },
                {
                  "Action": [
                    "s3:Get*",
                          "s3:List*"
                  ],
                  "Effect": "Allow",
                  "Resource": {
                    "Fn::Join": [
                      "-",
                      [
                        "arn:aws:s3:::deployments",
                        { "Ref" : "CustomerPrefix" },
                        { "Ref" : "Environment" },
                        "/artifacts/projects/*"
                      ]
                    ]
                  }
                }
              ]
            }
          }
        ]
      }
    },

      "JenkinsUser" : {
      "Type" : "AWS::IAM::User",
      "Condition" : "CreateJenkinsRole",
      "Properties" : {
      "UserName" : { "Ref" : "UserName" },
        "ManagedPolicyArns": 
                    [
                        "arn:aws:iam::aws:policy/AdministratorAccess"
                    ] 
      }
        },      

      
    
    
      "AWSJenkinsServiceRole" : {
      "Type": "AWS::IAM::Role",
      "Condition" : "CreateJenkinsRole",
      "DependsOn" : "JenkinsUser",
      "Properties" : {
        "RoleName": { "Ref" : "RoleName" },
        "AssumeRolePolicyDocument": {
          "Statement": [
        {
        "Sid": "",
        "Effect": "Allow",
        "Principal": {
        "Service": "cloudformation.amazonaws.com"
          },
        "Action": "sts:AssumeRole"
      },
            {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
            "AWS": { "Fn::Join" : [ "/", [ "arn:aws:iam::684821578293:user", { "Ref" : "UserName" } ]]},
            "Service": "cloudformation.amazonaws.com"
            },
          
      "Action": "sts:AssumeRole"
          }]
      },
      "ManagedPolicyArns": 
                    [
                        "arn:aws:iam::aws:policy/AdministratorAccess"
                    ]
      
      }
  },
  
        "JenkinsUserAccessKey" : {
      "Type" : "AWS::IAM::AccessKey",
      "Properties" : {
      "UserName" : { "Ref" : "JenkinsUser" }
      }
    },

      "ServiceAccountsGroup" : {
      "Type": "AWS::IAM::Group",
      "Properties" : {
      "GroupName" : { "Ref" : "GroupName" }
                  
    }
      
    },
    
    "UserToGroupAddition" : { 
    "Type": "AWS::IAM::UserToGroupAddition",
    "Properties" : {
      "GroupName" : { "Ref" : "ServiceAccountsGroup" },
      "Users" : [ { "Ref" : "UserName" } ]
    
    }
    
  }         
  },

    "Outputs" : {
    
    "JenkinsUserAccessKey" : {
      "Description"     : "The access key for the Jenkins user",
      "Value"       : { "Ref" : "JenkinsUserAccessKey" }
    },

    "JenkinsUserSecret" : {
      "Description"     : "The secret key for the Jenkins user",
      "Value"       : { "Fn::GetAtt" : [ "JenkinsUserAccessKey", "SecretAccessKey" ] }
    }
  }  
}


