CloudFormation IAM policy with a custom condition string
I'm trying to build an IAM policy with a resource tag condition. I want the tag to be a parameter to the CloudFormation template. I am using something like this, where pCustomTag is passed as a parameter to the CloudFormation stack:
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "IAM Role",
  "Parameters": {
    "pCustomTag": {
      "Type": "String",
      "Default": "mycustomtag"
    }
  },
  "Resources": {
    "rEC2IAMProfile": {
      "Properties": {
        "InstanceProfileName": "MY_EC2_PROFILE",
        "Path": "/",
        "Roles": [
          {
            "Ref": "rIAMRole"
          }
        ]
      },
      "Type": "AWS::IAM::InstanceProfile"
    },
    "rIAMRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "MY_EC2_ROLE",
        "PermissionsBoundary": {
          "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:policy/ais-permissions-boundaries"
        },
        "ManagedPolicyArns": [
          "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
          "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
        ],
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": [
                "sts:AssumeRole"
              ],
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "ec2.amazonaws.com"
                ]
              }
            }
          ]
        }
      }
    },
    "rSTONITH": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "STONITH",
        "Roles": [
          {
            "Ref": "rIAMRole"
          }
        ],
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "ec2:RebootInstances",
                "ec2:StartInstances",
                "ec2:StopInstances"
              ],
              "Resource": {
                "Fn::Sub": "arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance/*"
              },
              "Condition": {
                "StringLike": {
                  "Fn::Join": [
                    ":",
                    [
                      {
                        "Fn::Sub": "\"aws:ResourceTag/${pCustomTag}\""
                      },
                      " \"*\""
                    ]
                  ]
                }
              }
            }
          ]
        }
      }
    }
  },
  "Outputs": {
    "oTestString": {
      "Description": "Test string",
      "Value": {
        "Fn::Join": [
          ":",
          [
            {
              "Fn::Sub": "\"aws:ResourceTag/${pCustomTag}\""
            },
            " \"*\""
          ]
        ]
      }
    }
  }
}
However, it results in a syntax error in the policy (rSTONITH). The error from CloudFormation is this:
Syntax errors in policy. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: abc; Proxy: null)
For testing, I use the same construct in the Outputs section, which results in the string I'm looking for.
"Outputs": {
  "oTestString": {
    "Description": "Test string",
    "Value": {
      "Fn::Join": [
        ":", [
          { "Fn::Sub": "\"aws:ResourceTag/${pCustomTag}\"" },
          " \"*\""
        ]
      ]
    }
  }
}
Any idea why it does not work when used in the Resources section (for the resource "AWS::IAM::Policy")?
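As an added example that is not part of the original post: a small Python resolver for the three intrinsic functions the template uses (Ref, the string form of Fn::Sub, and Fn::Join) shows what IAM actually receives for the Condition block, together with a structural check of the kind behind the MalformedPolicyDocument error. The account ID, region and the single-string Fn::Sub form of the policy document are assumptions for illustration; the second form relies on the PolicyDocument property accepting a JSON string, which is the usual way Json-typed CloudFormation properties are parameterized when a key, not just a value, has to vary.

```python
import json
import re

# Constructed stack context (assumption, not from the original post).
PSEUDO_PARAMS = {"AWS::AccountId": "123456789012", "AWS::Region": "us-east-1"}
PARAMS = {"pCustomTag": "mycustomtag"}


def _lookup(name, params):
    """Resolve a template parameter or pseudo parameter; KeyError if unknown."""
    return params[name] if name in params else PSEUDO_PARAMS[name]


def _sub(template, params):
    """String form of Fn::Sub: replace ${Name}; ${!Name} is the literal escape."""
    def repl(match):
        if match.group(1):
            return "${" + match.group(2) + "}"
        return _lookup(match.group(2), params)
    return re.sub(r"\$\{(!?)([^}]+)\}", repl, template)


def resolve(node, params):
    """Evaluate Ref, Fn::Sub and Fn::Join the way CloudFormation does.

    Intrinsic functions only ever appear as *values*; object keys are copied
    through literally, which is why a Fn::Join cannot manufacture a condition key.
    """
    if isinstance(node, dict):
        if len(node) == 1:
            (fn, arg), = node.items()
            if fn == "Ref":
                return _lookup(arg, params)
            if fn == "Fn::Sub" and isinstance(arg, str):
                return _sub(arg, params)
            if fn == "Fn::Join":
                delimiter, parts = arg
                return delimiter.join(resolve(p, params) for p in parts)
        return {key: resolve(value, params) for key, value in node.items()}
    if isinstance(node, list):
        return [resolve(item, params) for item in node]
    return node


def check_policy(doc):
    """Structural checks an IAM policy validator performs on Condition blocks.

    Returns a list of human-readable problems; an empty list means every
    Condition is shaped as operator -> {condition-key: value(s)}.
    """
    if not isinstance(doc, dict):
        return [f"policy document is {type(doc).__name__}, expected object"]
    problems = []
    for i, stmt in enumerate(doc.get("Statement", [])):
        cond = stmt.get("Condition")
        if cond is None:
            continue
        if not isinstance(cond, dict):
            problems.append(f"Statement[{i}].Condition is {type(cond).__name__}, expected object")
            continue
        for op, keys in cond.items():
            if not isinstance(keys, dict):
                problems.append(f"Statement[{i}].Condition.{op} is {type(keys).__name__} "
                                f"{keys!r}; expected object {{condition-key: value}}")
    return problems


# The PolicyDocument exactly as the question's rSTONITH resource writes it.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:RebootInstances", "ec2:StartInstances", "ec2:StopInstances"],
        "Resource": {"Fn::Sub": "arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance/*"},
        "Condition": {"StringLike": {"Fn::Join": [":", [
            {"Fn::Sub": "\"aws:ResourceTag/${pCustomTag}\""}, " \"*\""]]}},
    }],
}

# Assumed alternative: the whole document as one Fn::Sub string, so the
# condition key is template text and ${pCustomTag} is substituted in place.
FIXED_POLICY_PROPERTY = {"Fn::Sub": json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:RebootInstances", "ec2:StartInstances", "ec2:StopInstances"],
        "Resource": "arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance/*",
        "Condition": {"StringLike": {"aws:ResourceTag/${pCustomTag}": "*"}},
    }],
})}


def broken_condition(params=PARAMS):
    """What IAM receives for Condition.StringLike from the question's template."""
    return resolve(BROKEN_POLICY, params)["Statement"][0]["Condition"]["StringLike"]


def fixed_policy(params=PARAMS):
    """The resolved and parsed policy from the single-string Fn::Sub form."""
    return json.loads(resolve(FIXED_POLICY_PROPERTY, params))


if __name__ == "__main__":
    print(repr(broken_condition()))
    print(check_policy(resolve(BROKEN_POLICY, PARAMS)))
    print(json.dumps(fixed_policy(), indent=2))
    print(check_policy(fixed_policy()))
```

The resolver makes the point directly: Fn::Join and Fn::Sub only produce values, never object keys, so in the Resources section Condition.StringLike becomes the string `"aws:ResourceTag/mycustomtag": "*"` instead of an object mapping a condition key to a pattern. An Output accepts any string, IAM does not, which is why the same construct behaves differently in the two sections. In the single-string form, any `${...}` that must survive literally in the policy text needs the `${!...}` escape, which the resolver above also models.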