[英]Using AWS::Region in Policy Resources
我正在嘗試根據當前的雲形成堆棧區域動態更改 s3 資源名稱。 Cloudformation 堆棧更新沒有任何錯誤。 難道我做錯了什么? 我期待將 {AWS::Region} 的策略解析為 us-east-1。
Version: 2012-10-17
Statement:
- Sid: RestrictS3Access
Effect: Allow
Action:
- 's3:GetObject'
Resource:
- !Sub "arn:aws:s3:::dnsa-${AWS::Region}test/${cognito-identity.amazonaws.com:sub}"
- !Sub "arn:aws:s3:::dnsa-${AWS::Region}test/${cognito-identity.amazonaws.com:sub}/*"
我期待看到如下政策。 我正在檢查來自 aws 控制台的結果。
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::dnsa-us-east-1/${cognito-identity.amazonaws.com:sub}",
"arn:aws:s3:::dnsa-us-east-1/${cognito-identity.amazonaws.com:sub}/*"
],
"Effect": "Allow",
"Sid": "RestrictS3Access"
}
如果您希望${cognito-identity.amazonaws.com:sub}保持不變,則需要使用${!}對其進行轉義。
Version: 2012-10-17
Statement:
- Sid: RestrictS3Access
Effect: Allow
Action:
- 's3:GetObject'
Resource:
- !Sub "arn:aws:s3:::dnsa-${AWS::Region}test/${!cognito-identity.amazonaws.com:sub}"
- !Sub "arn:aws:s3:::dnsa-${AWS::Region}test/${!cognito-identity.amazonaws.com:sub}/*"
AWS 限制在一個區域創建所有資源而在其他區域只讀的策略
[英]AWS policy to restrict all resources creation in one region and readonly in other regions
是否可以使用AWS假設角色從帳戶中的不同區域訪問AWS資源
[英]Is it possible to access aws resources from different region across accounts using aws assume-role
如何使用同一 aws 帳戶中的堆棧集將所有資源部署到另一個區域?
[英]How to deploy all resources to another region using stack-sets in same aws account?
如何為 AWS CloudFormation 堆棧和資源實施特定於區域的配置
[英]How to implement region specific configuration for AWS CloudFormation stack and resources
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.