我有以下模板定義了一個不起作用的 IAM 策略:
RoleName: 'ABCRole'
AssumeRolePolicyDocument:
Statement:
- Action: ['sts:AssumeRole']
Effect: Allow
Principal:
AWS:
- 1234567890 # Some AWS account
- !If
- !And
- !Condition Condition1
- !Condition Condition2
- arn:aws:iam::11111111111111:role/ABCDE_Role # first role
- arn:aws:iam::22222222222222:role/ABCDE_Role # second role (different account number)
- !Ref AWS:NoValue
我正在努力實作這一點:當Condition1和Condition2都為真時,我將能夠附加arn:aws:iam::11111111111111:role/ABCDE_Role和arn:aws:iam::22222222222222:role/ABCDE_Role作為兩個額外的主體。否則,什么也不做——1234567890作為唯一的委托人。
請注意,arn:aws:iam::11111111111111:role/ABCDE_Role和arn:aws:iam::22222222222222:role/ABCDE_Role僅與 aws 帳戶不同,所以也許我可以用它!Sub來替換帳號?有點像:
for account in [11111111111111, 22222222222222]:
!Sub arn:aws:iam::${account}:role/ABCDE_Role
我應該如何修改上面的模板?先感謝您!
uj5u.com熱心網友回復:
我認為是因為!If條件所期望的格式,按照aws的檔案,格式為:
!If [condition_name, value_if_true, value_if_false]
如果你檢查你的模板,你有四個元素,而不是三個。
此外,偽引數是(帶雙 :):
AWS::NoValue
因此,當條件為 True 時添加您需要的兩個帳戶的可能解決方案可能是嘗試添加一個新條件,該條件將您已有的條件 1 和條件 2 與 !And 函式結合起來,如下所示:
Conditions:
Condition1: your condition
Condition2: your condition
ConditionCombined: !And [!Condition Condition1, !Condition Condition2]
Resources:
Role1:
Type: AWS::IAM::Role
Properties:
RoleName: 'ABCRole'
AssumeRolePolicyDocument:
Statement:
- Action: ['sts:AssumeRole']
Effect: Allow
Principal:
AWS:
- 1234567890 # Some AWS account
- !If
- ConditionCombined
- arn:aws:iam::11111111111111:role/ABCDE_Role # first role
- !Ref AWS::NoValue
- !If
- ConditionCombined
- arn:aws:iam::22222222222222:role/ABCDE_Role # second role (different account number)
- !Ref AWS::NoValue
轉載請註明出處,本文鏈接:https://www.uj5u.com/gongcheng/421537.html
標籤:
上一篇:如何在IAM委托人cloudformation模板映射中同時允許顯式角色ARN和通配符角色(甚至賬戶中的所有角色)?
下一篇:Route53中的NS記錄未更新