在具有资源的CFT中 - IAM策略中的“GroupNamed”引用变量组名称
GroupNamed:
Type: "AWS::IAM::Group"
Properties:
GroupName: xyz
...
Effect: Allow
Action: iam:AddUserToGroup
Resource: !Sub arn:aws:iam::${AWS::AccountId}:group/GroupNamed
如何参数化群组名称?
以下是我的尝试,但会导致错误的政策错误。
1
Resource: !Join ["", ['arn:aws:iam::',!Sub ${AWS::AccountId}, ':group/',!Ref GroupNamed]]
2
Resource: !Join ["", ['arn:aws:iam::', !Ref AWS::AccountId, ':group/', !Ref GroupNamed]]
3
Resource:
Fn::Join:
- ''
- - 'arn:aws:iam::'
- Fn::Sub: "${AWS::AccountId}"
- ":group/"
- Fn::Ref: GroupNamed
错误:模板验证错误:模板错误:遇到 不支持的函数:Fn :: Ref支持的函数是:[Fn :: Base64, Fn :: GetAtt,Fn :: GetAZs,Fn :: ImportValue,Fn :: Join,Fn :: Split, Fn :: FindInMap,Fn :: Select,Ref,Fn :: Equals,Fn :: If,Fn :: Not, Condition,Fn :: And,Fn :: Or,Fn :: Contains,Fn :: EachMemberEquals, Fn :: EachMemberIn,Fn :: ValueOf,Fn :: ValueOfAll,Fn :: RefAll,Fn :: Sub, FN :: CIDR]
答案 0 :(得分:1)
假设您将一个参数传递给您的堆栈,其名称为GroupName。
资源:!Sub arn:aws:iam :: $ {AWS :: AccountId}:group / $ {GroupName}
答案 1 :(得分:1)
AWS::IAM::Group documentation表示ARN可通过 GetAtt 获取。
例如,这会输出组的ARN:
---
AWSTemplateFormatVersion: 2010-09-09
Description: CloudFormation template for creating lab resources.
Resources:
GroupNamed:
Type: "AWS::IAM::Group"
Properties:
GroupName: xyz
Outputs:
GroupARN:
Value: !GetAtt GroupNamed.Arn
输出为:arn:aws:iam::123456789012:group/xyz
因此,你可以使用:
Resource: !GetAtt GroupNamed.Arn