CDK Cloud9 - How do I attach a prebuilt instance profile to a Cloud9 instance's IAM role in CDK?
I created a Cloud9 instance and VPC environment via CDK. Also, with the role permissions and instance profile, how do I attach that at the end via CDK too?
Currently there seem to be no built-in parameters for setting an IAM role in Ec2Environment.
I can't achieve this automatically if I use CloudFormation either, so I am thinking this is not available yet?
I know I can use a custom resource or create a Lambda to achieve that, but was thinking it's a bit too much just to attach an instance profile.
My code:
```typescript
const c9IamRole = new iam.Role(this, 'C9IamRole', {
  roleName: 'cloud9-admin-access-role',
  assumedBy: new iam.ServicePrincipal('ec2.amazonaws.com'),
  managedPolicies: [
    iam.ManagedPolicy.fromAwsManagedPolicyName('AdministratorAccess'),
  ]
});
const c9InstanceProfile = new iam.CfnInstanceProfile(this, 'C9InstanceProfile', {
  roles: [c9IamRole.roleName],
});
// create a cloud9 ec2 environment in a new VPC
const vpc = new ec2.Vpc(this, 'VPC', { maxAzs: 3 });
const c9Env = new cloud9.Ec2Environment(this, 'Cloud9Env', {
  vpc,
  instanceType: ec2.InstanceType.of(ec2.InstanceClass.T3, ec2.InstanceSize.MICRO),
});
```
IAM role that I want to attach the instance profile (at the created Cloud9 EC2 instance page)
Comments (1)
Anything using a Cfn-prefixed method is an L1 construct. They do not have the hooks necessary to automatically apply them to other constructs (L2 and L3 - the higher level objects) - they are bare bones, basically just a translation from your code to a CFN template snippet.
If iam.CfnInstanceProfile does not have an L2 or L3 version (as of this answer it does not seem to, but the CDK team is always updating) then you'll have to manually attach it using other CFN methods.
Also, the cloud9 library is (as of this writing) still Experimental, which is a good indication that it won't have all the things it needs - it does not seem to have any property for attaching a role. You might be able to manually (again using CFN escape hatch methods) attach a role.
You might try instead applying the roles to a User/Group and giving them permission to access the Cloud9, rather than attaching the role to Cloud9 and giving allowance to various identities - it may be easier with current CDK constructs.
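The answer's point that an L1 construct is only a template snippet can be checked on the synthesized template. The following is an added example, not code from the question or the answer: it scans a constructed template fragment approximating what the question's code synthesizes (logical IDs and the subnet reference are hypothetical) for instance profiles that no other resource references, and lists which of their roles carry AdministratorAccess.

```typescript
type Resource = { Type: string; Properties?: any };
type Template = { Resources: { [logicalId: string]: Resource } };

// Constructed sample; logical IDs and 'VpcSubnet1' are hypothetical.
const template: Template = {
  Resources: {
    C9IamRole: {
      Type: 'AWS::IAM::Role',
      Properties: {
        RoleName: 'cloud9-admin-access-role',
        ManagedPolicyArns: [{ 'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' },
          ':iam::aws:policy/AdministratorAccess']] }],
      },
    },
    C9InstanceProfile: { Type: 'AWS::IAM::InstanceProfile', Properties: { Roles: [{ Ref: 'C9IamRole' }] } },
    Cloud9Env: { Type: 'AWS::Cloud9::EnvironmentEC2',
      Properties: { InstanceType: 't3.micro', SubnetId: { Ref: 'VpcSubnet1' } } },
  },
};

// Collect every logical ID named by Ref or Fn::GetAtt anywhere inside a value.
function collectRefs(node: any, out: string[] = []): string[] {
  if (Array.isArray(node)) {
    node.forEach((n) => collectRefs(n, out));
  } else if (node !== null && typeof node === 'object') {
    Object.keys(node).forEach((k) => {
      const v = node[k];
      if (k === 'Ref' && typeof v === 'string') out.push(v);
      else if (k === 'Fn::GetAtt') out.push(Array.isArray(v) ? String(v[0]) : String(v).split('.')[0]);
      else collectRefs(v, out);
    });
  }
  return out;
}

interface Finding { profile: string; attached: boolean; roles: string[]; adminRoles: string[] }

// For each instance profile: is it referenced by any other resource, and do its roles hold admin?
function auditInstanceProfiles(t: Template): Finding[] {
  const ids = Object.keys(t.Resources);
  return ids.filter((id) => t.Resources[id].Type === 'AWS::IAM::InstanceProfile').map((id) => {
    const attached = ids.some((o) => o !== id && collectRefs(t.Resources[o].Properties).indexOf(id) >= 0);
    const roles = collectRefs(t.Resources[id].Properties?.Roles)
      .filter((r) => t.Resources[r] !== undefined && t.Resources[r].Type === 'AWS::IAM::Role');
    const adminRoles = roles.filter((r) =>
      JSON.stringify(t.Resources[r].Properties?.ManagedPolicyArns ?? []).indexOf(':policy/AdministratorAccess') >= 0);
    return { profile: id, attached, roles, adminRoles };
  });
}

console.log(auditInstanceProfiles(template));
```

On the sample, the profile is reported as unattached: the Cloud9 environment resource never references it, which is why the role does not appear on the instance. The same pass shows that attaching it would give the instance an AdministratorAccess role.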