0

The following CloudFormation template gives an error on line 9 (attaching a policy to an IAM role):

{
"AWSTemplateFormatVersion" : "2010-09-09",
"Description" : "Policy to allow send receive message from SQS Queue",
"Resources" : {
  "MyPolicy" : {
    "Type" : "AWS::IAM::Policy",
    "Properties" : {
      "PolicyName" : "CFUsers",
      "Roles": [ { "arn:aws:iam::710161973367:role/Cognito_CFIAuth_Role" } ],
      "PolicyDocument" : {
        "Version" : "2012-10-17",
        "Statement": [
          {
            "Sid": "Sid1482400105445",
            "Effect": "Allow",
            "Principal": {
              "AWS": "arn:aws:iam::710161973367:role/Cognito_CFIAuth_Role"
            },
            "Action": [
              "SQS:SendMessage",
              "SQS:ReceiveMessage",
              "SQS:DeleteMessage",
              "SQS:GetQueueUrl"
            ],
            "Resource": "arn:aws:sqs:ap-south-1:710161973367:CFI-Trace"
          }
        ]
      }
    }
  }
}

I want the role Cognito_CFIAuth_Role to have send/receive/delete message privileges on the SQS queue CFI-Trace. How do I attach SQS action permissions to the IAM role?

+1

Strictly speaking, from a syntax standpoint, `[ { "arn:aws:iam::710161973367:role/Cognito_CFIAuth_Role" } ]` is indeed wrong, because it is an array containing an object that has a key but no value, which is not valid.

Answers

1

With the `AWS::IAM::Policy` resource you are creating an inline policy. http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html explains that it takes a list of "names of AWS::IAM::Roles", which I believe are the logical names of role resources defined in the same stack.

If you want to attach a policy to a role that already exists, you should use the ManagedPolicy type instead. http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-roles takes the names of pre-existing roles.

+0

I changed the policy to a managed policy, but I still get the same error:

+0

Also, it has to be valid JSON. See @michael's comment on your question.

0

The CloudFormation type IAM::Policy is for users and groups. Roles and instance profiles are for EC2. You have mixed the two ideas together. If your role is predefined in a different CFN stack, then you just use an instance profile for your EC2 instance; if not, you can create it too, and then Ref it:

"RootInstanceProfile": {
  "Type": "AWS::IAM::InstanceProfile",
  "Properties": {
    "Path": "/",
    "Roles": [ "Cognito_CFIAuth_Role" ]
  }
}

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "SQSRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "ec2.amazonaws.com"
                ]
              },
              "Action": [
                "sts:AssumeRole"
              ]
            }
          ]
        },
        "Path": "/",
        "Policies": [
          {
            "PolicyName": "root",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [
                    "SQS:SendMessage",
                    "SQS:ReceiveMessage",
                    "SQS:DeleteMessage",
                    "SQS:GetQueueUrl"
                  ],
                  "Resource": "arn:aws:sqs:ap-south-1:710161973367:CFI-Trace"
                }
              ]
            }
          }
        ]
      }
    },
    "RootInstanceProfile": {
      "Type": "AWS::IAM::InstanceProfile",
      "Properties": {
        "Path": "/",
        "Roles": [
          {
            "Ref": "SQSRole"
          }
        ]
      }
    }
  }
}

IAM Policy

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-policy.html

IAM Role http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html

There is now also an SQS Policy http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-policy.html

1

First, line 9 contains a JSON syntax error: the braces `{}` around your role string should be removed:

 "Roles": [ "arn:aws:iam::710161973367:role/Cognito_CFIAuth_Role" ], 

Second, the `AWS::IAM::Policy` Roles property accepts "the names of AWS::IAM::Roles to attach to this policy", not full ARNs, so your line should be:

 "Roles": [ "Cognito_CFIAuth_Role" ], 

You are also missing a closing brace `}` at the end of your example.
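The points made by the first answer (use AWS::IAM::ManagedPolicy to attach to a role that already exists) and by this one (Roles takes names, not ARNs, and the template must be valid JSON) come together in the following added example, which is not code from the question or from any answer. It builds the corrected template and adds a small linter for the three mistakes in the question's template: the `{ "arn…" }` object inside Roles that breaks the JSON, an ARN where a role name is expected, and a Principal element inside the PolicyDocument (IAM does not allow Principal in an identity-based policy, which none of the answers mentions). The account ID, role name and queue ARN are the question's; the logical ID CFIAuthSqsPolicy, the finding messages and the constructed sample inputs at the bottom are this example's own.

```python
# Added example (not the question's or any answer's code): corrected template
# plus a linter for the mistakes discussed on this page.
import json

ROLE_NAME = "Cognito_CFIAuth_Role"  # Roles takes the role *name*, never the ARN
QUEUE_ARN = "arn:aws:sqs:ap-south-1:710161973367:CFI-Trace"
IDENTITY_POLICY_TYPES = {"AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"}


def build_template():
    """Managed policy attached to the pre-existing role by name, no Principal,
    actions scoped to the single queue ARN (least privilege)."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": "Allow Cognito_CFIAuth_Role to send/receive/delete on CFI-Trace",
        "Resources": {
            "CFIAuthSqsPolicy": {  # logical ID chosen for this example
                "Type": "AWS::IAM::ManagedPolicy",
                "Properties": {
                    "Roles": [ROLE_NAME],
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Effect": "Allow",
                            "Action": ["SQS:SendMessage", "SQS:ReceiveMessage",
                                       "SQS:DeleteMessage", "SQS:GetQueueUrl"],
                            "Resource": QUEUE_ARN,
                        }],
                    },
                },
            }
        },
    }


def _is_intrinsic(value):
    """{"Ref": ...} or {"Fn::...": ...} is a valid stand-in for a role name."""
    if not isinstance(value, dict) or len(value) != 1:
        return False
    key = next(iter(value))
    return key == "Ref" or key.startswith("Fn::")


def _check_roles(logical_id, roles, findings):
    for entry in roles:
        if isinstance(entry, str) and entry.startswith("arn:"):
            findings.append(f"{logical_id}: Roles takes role names, not ARNs: {entry}")
        elif not isinstance(entry, str) and not _is_intrinsic(entry):
            findings.append(f"{logical_id}: Roles entry must be a role name or Ref, got {entry!r}")


def _check_identity_document(logical_id, doc, findings):
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement object is also allowed
        statements = [statements]
    for stmt in statements:
        if "Principal" in stmt or "NotPrincipal" in stmt:
            findings.append(f"{logical_id}: identity-based policy must not contain Principal")


def lint_template(text):
    """Return a list of findings (empty = clean) for a template given as JSON text."""
    try:
        template = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} at line {exc.lineno}, column {exc.colno}"]
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type", ""), res.get("Properties", {})
        if rtype in IDENTITY_POLICY_TYPES or rtype == "AWS::IAM::InstanceProfile":
            _check_roles(logical_id, props.get("Roles", []), findings)
        if rtype in IDENTITY_POLICY_TYPES and "PolicyDocument" in props:
            _check_identity_document(logical_id, props["PolicyDocument"], findings)
        if rtype == "AWS::IAM::Role":  # only inline Policies; the trust policy legitimately has Principal
            for inline in props.get("Policies", []):
                _check_identity_document(logical_id, inline.get("PolicyDocument", {}), findings)
    return findings


# Constructed inputs reproducing the question's mistakes (not the full original template).
BROKEN_ROLES_OBJECT = '''{ "Resources": { "MyPolicy": { "Type": "AWS::IAM::Policy",
  "Properties": { "PolicyName": "CFUsers",
    "Roles": [ { "arn:aws:iam::710161973367:role/Cognito_CFIAuth_Role" } ] } } } }'''

ARN_AND_PRINCIPAL = {"Resources": {"MyPolicy": {
    "Type": "AWS::IAM::ManagedPolicy",
    "Properties": {
        "Roles": ["arn:aws:iam::710161973367:role/Cognito_CFIAuth_Role"],
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::710161973367:role/Cognito_CFIAuth_Role"},
            "Action": ["SQS:SendMessage"],
            "Resource": QUEUE_ARN,
        }]},
    },
}}}

if __name__ == "__main__":
    print(json.dumps(build_template(), indent=2))
    for sample in (BROKEN_ROLES_OBJECT, json.dumps(ARN_AND_PRINCIPAL), json.dumps(build_template())):
        print(lint_template(sample) or ["clean"])
```

Running it prints the corrected template and then the findings for each sample: the JSON error for the `{ "arn…" }` object, the ARN and Principal findings for the second sample, and "clean" for the corrected template. `aws cloudformation validate-template` only checks template syntax, so the ARN and Principal mistakes would otherwise surface only when the stack is created; a local check like this one catches them before that.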