0

CloudFormation template gives an error on line 9: attaching a policy to an IAM role

    {
      "AWSTemplateFormatVersion" : "2010-09-09",
      "Description" : "Policy to allow send receive message from SQS Queue",
      "Resources" : {
        "MyPolicy" : {
          "Type" : "AWS::IAM::Policy",
          "Properties" : {
            "PolicyName" : "CFUsers",
            "Roles": [ { "arn:aws:iam::710161973367:role/Cognito_CFIAuth_Role" } ],
            "PolicyDocument" : {
              "Version" : "2012-10-17",
              "Statement": [
                {
                  "Sid": "Sid1482400105445",
                  "Effect": "Allow",
                  "Principal": {
                    "AWS": "arn:aws:iam::710161973367:role/Cognito_CFIAuth_Role"
                  },
                  "Action": [
                    "SQS:SendMessage",
                    "SQS:ReceiveMessage",
                    "SQS:DeleteMessage",
                    "SQS:GetQueueUrl"
                  ],
                  "Resource": "arn:aws:sqs:ap-south-1:710161973367:CFI-Trace"
                }
              ]
            }
          }
        }
      }

I want the role Cognito_CFIAuth_Role to have send/receive/delete message privileges on the SQS queue CFI-Trace. How do I attach SQS action permissions to an IAM role?

+1

Strictly speaking, from a syntax standpoint, `[ { "arn:aws:iam::710161973367:role/Cognito_CFIAuth_Role" } ]` is indeed wrong, because it is an array containing an object that has a key but no value. That is not valid JSON.

Answers

1

With an "AWS::IAM::Policy" resource you create an inline policy. http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html explains that it takes a list of "names of AWS::IAM::Roles", which I believe means the logical names of role resources defined in the same stack.

If you want to attach a policy to a role that already exists, you should use the ManagedPolicy type instead. http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-roles takes the names of pre-existing roles.

+0

I converted the policy to a managed policy, but I still get the same error:

+0

Also, it must be valid JSON. See @michael's comment on your question.

0

The CloudFormation type IAM::Policy is for users and groups. Roles and instance profiles are for EC2. You have conflated the two ideas. If your role is predefined in a different CFN stack, then you only use an instance profile for your EC2 instance; if not, you can also create it and then Ref it:

    "RootInstanceProfile": {
      "Type": "AWS::IAM::InstanceProfile",
      "Properties": {
        "Path": "/",
        "Roles": [ "Cognito_CFIAuth_Role" ]
      }
    }

    {
      "AWSTemplateFormatVersion": "2010-09-09",
      "Resources": {
        "SQSRole": {
          "Type": "AWS::IAM::Role",
          "Properties": {
            "AssumeRolePolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Principal": {
                    "Service": [
                      "ec2.amazonaws.com"
                    ]
                  },
                  "Action": [
                    "sts:AssumeRole"
                  ]
                }
              ]
            },
            "Path": "/",
            "Policies": [
              {
                "PolicyName": "root",
                "PolicyDocument": {
                  "Version": "2012-10-17",
                  "Statement": [
                    {
                      "Effect": "Allow",
                      "Action": [
                        "SQS:SendMessage",
                        "SQS:ReceiveMessage",
                        "SQS:DeleteMessage",
                        "SQS:GetQueueUrl"
                      ],
                      "Resource": "arn:aws:sqs:ap-south-1:710161973367:CFI-Trace"
                    }
                  ]
                }
              }
            ]
          }
        },
        "RootInstanceProfile": {
          "Type": "AWS::IAM::InstanceProfile",
          "Properties": {
            "Path": "/",
            "Roles": [
              {
                "Ref": "SQSRole"
              }
            ]
          }
        }
      }
    }

IAM Policy

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-policy.html

IAM Role http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html

There is now also an SQS policy resource: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-policy.html

1

First, line 9 contains a JSON syntax error; the braces {} around your role string should be removed:

 "Roles": [ "arn:aws:iam::710161973367:role/Cognito_CFIAuth_Role" ], 

Second, the AWS::IAM::Policy Roles property accepts "the names of AWS::IAM::Roles to attach to this policy", not full ARNs, so your line should be:

 "Roles": [ "Cognito_CFIAuth_Role" ], 

You are also missing a closing brace } at the end of your example.
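As an added check that is not part of any answer above, the following Python script catches the three mistakes the answers describe before a template is ever deployed: invalid JSON, an ARN where the Roles property of an AWS::IAM::Policy or AWS::IAM::ManagedPolicy expects a role name, and a Ref that does not point at an AWS::IAM::Role in the same template. The embedded template is a constructed, corrected version of the questioner's template (empty Statement list for brevity); the function and variable names are the script's own.

```python
import json

# Constructed sample: the questioner's template with the fixes from the answers
# applied (braces removed, role name instead of ARN, closing brace present).
FIXED_TEMPLATE = """{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MyPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "CFUsers",
        "Roles": ["Cognito_CFIAuth_Role"],
        "PolicyDocument": {"Version": "2012-10-17", "Statement": []}
      }
    }
  }
}"""

# Resource types whose Roles property takes role names (or Refs), never ARNs.
POLICY_TYPES = {"AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"}


def check_template(text):
    """Return a list of problems found in a CloudFormation JSON template.

    An empty list means the template parsed and every Roles entry on a
    policy resource is either a plain role name or a Ref to an
    AWS::IAM::Role defined in the same template.
    """
    try:
        template = json.loads(text)
    except json.JSONDecodeError as exc:  # e.g. {"key"} with no value
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
    problems = []
    resources = template.get("Resources", {})
    for name, res in resources.items():
        if res.get("Type") not in POLICY_TYPES:
            continue
        for idx, entry in enumerate(res.get("Properties", {}).get("Roles", [])):
            where = f"{name}.Roles[{idx}]"
            if isinstance(entry, dict) and "Ref" in entry:
                target = resources.get(entry["Ref"], {})
                if target.get("Type") != "AWS::IAM::Role":
                    problems.append(f"{where}: Ref {entry['Ref']!r} is not an AWS::IAM::Role here")
            elif isinstance(entry, str):
                if entry.startswith("arn:"):
                    problems.append(f"{where}: role name expected, not ARN {entry!r}")
            else:
                problems.append(f"{where}: expected a role name or Ref, got {entry!r}")
    return problems
```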