[英]How to use AWS CloudFormation pseudoparameter inside IAM Policy Document
我正在使用 AWS CloudFormation(基於 YAML)來部署 IAM 角色。 應該允許此角色部署其他 CloudFormation 資源,並擁有作為受信任實體部署到的 AWS 賬戶的根。 我正在嘗試使用內置偽參數AWS::AccountId提供帳戶 ID: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/pseudo-parameter-reference.html#cfn-偽參數 accountid 。
這是我按照官方文檔嘗試過的: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html (僅顯示我的 CFN 模板的resources部分) :
Resources:
IAMRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: ["sts:AssumeRole"]
Effect: Allow
Principal:
Service: [cloudformation.amazonaws.com]
AWS: arn:aws:iam::AWS::AccountId:root # <-- ERROR HERE !
由於 CloudFormation 堆棧中的Invalid principal (在 AWS 管理控制台中的Events下),這會導致MalformedPolicyDocument錯誤:
Invalid principal in policy: "AWS":"arn:aws:iam::AWS::AccountId:root" (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument
我嘗試改變AWS Principal 值的語法:
校長的錯誤在哪里,如何糾正?
AWS CloudFormation:如何在 AWS::IAM::Policy 中引用另一個堆棧中定義的角色
[英]AWS CloudFormation: How to refer a role defined in another stack inside AWS::IAM::Policy
設置Lambda以創建不帶IAM策略的AWS CloudFormation
[英]Setting up Lambda to Create AWS CloudFormation without IAM Policy
AWS IAM 策略基於父 Cloudformation 限制對資源的訪問
[英]AWS IAM Policy restrict access to resources based on parent Cloudformation
如何使用 Terraform 創建沒有代入角色策略的 AWS IAM 角色?
[英]How To Use Terraform To Create an AWS IAM Role with No Assume Role Policy?
如何在 python boto3 中獲取 iam 用戶的 aws 托管策略的策略文檔?
[英]How to get policy document for aws managed policy of a iam user in python boto3?
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.