如何將AWS托管策略附加到雲形成和對流層中的角色
[英]How to attach an AWS managed policy to a role in cloudformation and troposphere
問題描述
在對流層代碼中,我基本上想創建一個sns主題和一個lambda執行角色,可以將一些來自AWS的托管策略附加到該角色。 但是問題是我無法找到一種方法來僅引用托管策略的名稱。 下面是我的代碼,但是在這里我要復制並粘貼托管策略json文檔。
有更好的出路嗎?
from troposphere import FindInMap, GetAtt, Join, Output, Template, Ref, ImportValue
from troposphere.sns import Topic
from troposphere.iam import Role, Policy
t = Template()
t.set_version("2010-09-09")
sns_topic = Topic(TopicName='IngestStateTopic', title='IngestStateTopic')
t.add_resource(sns_topic)
LambdaExecutionRole = t.add_resource(
Role(
"LambdaExecutionRole",
Path="/",
Policies=[
Policy(PolicyName="CloudWatchLogsFullAccess",
PolicyDocument={
"Version":
"2012-10-17",
"Statement": [{
"Action": ["logs:*"],
"Effect": "Allow",
"Resource": "*"
}]
}),
Policy(PolicyName="SnsReadOnlyAccess",
PolicyDocument={
"Version":
"2012-10-17",
"Statement": [{
"Effect":
"Allow",
"Action": ["sns:GetTopicAttributes", "sns:List*"],
"Resource":
"*"
}]
}),
Policy(PolicyName="LambdaBasicExecutionRole-Test",
PolicyDocument={
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "logs:CreateLogGroup",
"Resource": "arn:aws:logs:eu-west-1:498129003450:*"
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:eu-west-1:498129003450:log-group:/aws/lambda/lambda_layers_test:*"
]
}
]
})
],
AssumeRolePolicyDocument={
"Version":
"2012-10-17",
"Statement": [{
"Action": ["sts:AssumeRole"],
"Effect": "Allow",
"Principal": {
"Service": ["lambda.amazonaws.com"]
}
}]
},
))
t.add_output(
Output(
"IngestServiceArn",
Description="ARN of the sns topic",
Value=Ref(sns_topic),
))
t.add_output(
Output(
"LambdaExcecutionRole",
Description="ARN of the lambda plocy document",
Value=GetAtt(LambdaExecutionRole, "Arn"),
))
with open('sns_lambda_role.yaml', 'w') as s:
s.write(t.to_yaml())
以下是我的雲形成yaml文件名:
AWSTemplateFormatVersion: '2010-09-09'
Outputs:
IngestServiceArn:
Description: ARN of the sns topic
Value: !Ref 'IngestStateTopic'
LambdaExcecutionRole:
Description: ARN of the lambda plocy document
Value: !GetAtt 'LambdaExecutionRole.Arn'
Resources:
IngestStateTopic:
Properties:
TopicName: IngestStateTopic
Type: AWS::SNS::Topic
LambdaExecutionRole:
Properties:
AssumeRolePolicyDocument:
Statement:
- Action:
- sts:AssumeRole
Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Version: '2012-10-17'
Path: /
Policies:
- PolicyDocument:
Statement:
- Action:
- logs:*
Effect: Allow
Resource: '*'
Version: '2012-10-17'
PolicyName: CloudWatchLogsFullAccess
- PolicyDocument:
Statement:
- Action:
- sns:GetTopicAttributes
- sns:List*
Effect: Allow
Resource: '*'
Version: '2012-10-17'
PolicyName: SnsReadOnlyAccess
- PolicyDocument:
Statement:
- Action: logs:CreateLogGroup
Effect: Allow
Resource: arn:aws:logs:eu-west-1:498129003450:*
- Action:
- logs:CreateLogStream
- logs:PutLogEvents
Effect: Allow
Resource:
- arn:aws:logs:eu-west-1:498129003450:log-group:/aws/lambda/lambda_layers_test:*
Version: '2012-10-17'
PolicyName: LambdaBasicExecutionRole-Test
Type: AWS::IAM::Role
2 個解決方案
解決方案1
1 2019-08-06 15:40:03
您可能需要查看允許策略定義的awacs項目。
同樣,可能您只需要使用Ref()即可獲取其名稱。
解決方案2
1 已采納 2019-08-06 18:57:33
您可以通過指定的列表為此ManagedPolicyArns的角色cloudformation資源,而不是Policies - 文檔 :
{
"Type" : "AWS::IAM::Role",
"Properties" : {
"AssumeRolePolicyDocument" : Json,
"ManagedPolicyArns" : [ String, ... ],
"MaxSessionDuration" : Integer,
"Path" : String,
"PermissionsBoundary" : String,
"Policies" : [ Policy, ... ],
"RoleName" : String
}
}
對於ManagedPolicy,CloudFormation具有單獨的資源類型-AWS :: IAM :: ManagedPolicy :
SampleManagedPolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
PolicyDocument:
Version: "2012-10-17"
Statement:
-
Sid: AllowAllUsersToListAccounts
Effect: Allow
Action:
- iam:ListAccountAliases
- iam:ListUsers
- iam:GetAccountSummary
Resource: "*
考試:
RootRole:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- 'sts:AssumeRole'
Path: /
ManagedPolicyArns:
- !Ref awsExampleManagedPolicyParameterOne
- !Ref awsExampleManagedPolicyParameterTwo
因此,如果我們在這里談論tropops-它也具有ManagedPolicy的單獨類:
class ManagedPolicy(AWSObject):
resource_type = "AWS::IAM::ManagedPolicy"
props = {
'Description': (basestring, False),
'Groups': ([basestring], False),
'ManagedPolicyName': (basestring, False),
'Path': (iam_path, False),
'PolicyDocument': (policytypes, True),
'Roles': ([basestring], False),
'Users': ([basestring], False),
}
您可以使用Ref函數來Ref它。
如何在 python boto3 中獲取 iam 用戶的 aws 托管策略的策略文檔?
[英]How to get policy document for aws managed policy of a iam user in python boto3?
無法刪除 AWS 角色策略 - 使用 Boto3 的 NoSuchEntity
[英]Unable to delete AWS Role Policy - NoSuchEntity with Boto3
嗨,我已經編寫了一個代碼來使用對流層創建 CloudFormation 模板在運行代碼時出現語法錯誤
[英]Hi , i have written a code to create CloudFormation template using troposphere Getting Syntax error while running the code
如何自定義AWS Codestar / Cloudformation模板以創建特定的代碼構建項目?
[英]How to customize AWS Codestar / Cloudformation template to create specific codebuild project?
如何從 AWS 策略文檔中獲取操作值並將其存儲為列表?
[英]How to fetch the action value from AWS policy document and store it as list?
如何通過 AWS CDK 將基於資源的策略添加到使用 AWS SAM 創建的 Lambda function?
[英]How to add a resource based policy to a Lambda function created using AWS SAM via AWS CDK?
如何將HTTP請求中的文件附加到電子郵件? (Python / AWS Lambda)
[英]How can I attach a file from an HTTP request to an email? (Python/ AWS Lambda)
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.
相關問題
如何使用 boto3 列出附加到角色的 AWS 托管策略
如何在 python boto3 中獲取 iam 用戶的 aws 托管策略的策略文檔?
如何為 python3 安裝對流層?
無法刪除 AWS 角色策略 - 使用 Boto3 的 NoSuchEntity
嗨,我已經編寫了一個代碼來使用對流層創建 CloudFormation 模板在運行代碼時出現語法錯誤
AWS cloudformation package 在 python
如何自定義AWS Codestar / Cloudformation模板以創建特定的代碼構建項目?
如何從 AWS 策略文檔中獲取操作值並將其存儲為列表?
如何通過 AWS CDK 將基於資源的策略添加到使用 AWS SAM 創建的 Lambda function?
如何將HTTP請求中的文件附加到電子郵件? (Python / AWS Lambda)
相關標簽