Managed policy for a role in an AWS CloudFormation stack

Time: 2018-06-11 10:17:10

Tags: amazon-web-services amazon-cloudformation amazon-iam

Using AWS, I am building a CloudFormation stack that defines:

  1. a managed policy named MyPolicy
  2. a role named MyRole to which that policy should be attached
  3. the stack will be created by an administrator; once created, the goal is to allow some users (from outside the stack) to assume MyRole

My question: how do I define the role so that the policy is attached to it?

The AWS help page for role properties suggests using ManagedPolicyArns, but depending on how I reference MyPolicy I run into various errors:

If I use the GetAtt function to retrieve the policy's ARN, I get an error at template validation time:

    "ManagedPolicyArns": [ { "Fn::GetAtt" : [ "MyPolicy", "Arn" ] } ]

    Template error: resource MyPolicy does not support attribute type Arn in Fn::GetAtt

If I use the Join function to build the policy ARN, I get an error during role creation.

    "ManagedPolicyArns": [ { "Fn::Join" : [ "", [ "arn:aws:iam::", { "Ref": "AWS::AccountId" }, ":policy/", { "Ref": "MyPolicy" } ] ] } ]

    ARN arn:aws:iam::aws:policy/arn:aws:iam::«my-account-id»:policy/MyPolicy is not valid. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: InvalidInput; Request ID: «an-id»)

Below is my stack definition, in JSON format:

    {
        "AWSTemplateFormatVersion" : "2010-09-09",
        "Resources" : {
            "MyPolicy" : {
                "Type": "AWS::IAM::ManagedPolicy",
                "Properties": {
                    "ManagedPolicyName" : "MyPolicy",
                    "PolicyDocument" : {
                        "Version": "2012-10-17",
                        "Statement": [
                            {
                                "Effect": "Allow",
                                "Action": [ "s3:*" ],
                                "Resource": "arn:aws:s3:::the-bucket"
                            }
                        ]
                    }
                }
            },

            "MyRole" : {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "RoleName": "MyRole",
                    "AssumeRolePolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [
                            {
                                "Effect": "Allow",
                                "Principal": { "AWS": { "Fn::Join" : [ "", [ "arn:aws:iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } },
                                "Action": [ "sts:AssumeRole" ]
                            }
                        ]
                    },
                    "ManagedPolicyArns": [
                        { "Fn::GetAtt" : [ "MyPolicy", "Arn" ] }
                    ]
                }
            }
        }
    }

1 answer:

Answer 0 (score: 0)

{"Ref": "MyPolicy"} will return the ARN of the managed policy created by your stack. Your error message indicates this. Also, check this AWS documentation.
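The question's template with the answer applied, as an added example that is not part of the original post or answer: MyRole gets the Properties wrapper the posted template lacks, ManagedPolicyArns uses Ref on MyPolicy, and the trust policy names one specific IAM user instead of the account root. The user name PLACEHOLDER-USER is an assumed placeholder to be replaced with the principal that should be allowed to assume the role.

```json
{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "MyPolicy": {
            "Type": "AWS::IAM::ManagedPolicy",
            "Properties": {
                "ManagedPolicyName": "MyPolicy",
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Action": [ "s3:*" ],
                            "Resource": "arn:aws:s3:::the-bucket"
                        }
                    ]
                }
            }
        },
        "MyRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": "MyRole",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {
                                "AWS": { "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:user/PLACEHOLDER-USER" }
                            },
                            "Action": [ "sts:AssumeRole" ]
                        }
                    ]
                },
                "ManagedPolicyArns": [
                    { "Ref": "MyPolicy" }
                ]
            }
        }
    }
}
```

With the trust policy's Principal set to the account root, as in the question, any IAM principal in the account that is granted sts:AssumeRole on the role can assume it; naming the intended principals in the trust policy keeps that decision visible in the stack rather than spread across user policies.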