I keep getting a circular dependency error in my CloudFormation template and am not sure how to get rid of it. I am creating a user and attaching IAMManagedPolicy2 to that user. The policy allows the user to assume two roles, IAMRole and IAMRole2.
IAMRole2 needs to define the assume-role permission for the user. This is probably why I am hitting the circular dependency in my case. This is what my template looks like:
AWSTemplateFormatVersion: "2010-09-09"
Metadata:
  Generator: "former2"
Description: ""
Resources:
  IAMUser:
    Type: "AWS::IAM::User"
    Properties:
      Path: "/"
      UserName: "sysuser"
      ManagedPolicyArns:
        - !Ref IAMManagedPolicy2
  IAMGroup:
    Type: "AWS::IAM::Group"
    Properties:
      Path: "/"
      GroupName: "Temp"
  IAMManagedPolicy2:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: "UserAssumePolicy"
      Path: "/"
      PolicyDocument: !Sub |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "VisualEditor0",
              "Effect": "Allow",
              "Action": "sts:AssumeRole",
              "Resource": [
                "arn:aws:iam::*:role/${IAMRole}",
                "arn:aws:iam::*:role/${IAMRole2}"
              ]
            }
          ]
        }
  IAMRole:
    Type: "AWS::IAM::Role"
    Properties:
      Path: "/"
      RoleName: "AddUserToGroupRole"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: "Allow"
            Principal:
              AWS:
                - !GetAtt IAMUser.Arn
            Action:
              - "sts:AssumeRole"
      MaxSessionDuration: 3600
      ManagedPolicyArns:
        - !Ref IAMManagedPolicy3
      Description: "Allows Adding users to group"
  IAMRole2:
    Type: "AWS::IAM::Role"
    Properties:
      Path: "/"
      RoleName: "AttachGroupPolicyRole"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: "Allow"
            Principal:
              AWS:
                - !GetAtt IAMUser.Arn
              Service:
                - "ec2.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      MaxSessionDuration: 3600
      ManagedPolicyArns:
        - !Ref IAMManagedPolicy
      Description: ""
      Tags:
        -
          Key: "event"
          Value: "troopers"
  IAMManagedPolicy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: "AttachGroupPolicy"
      Path: "/"
      PolicyDocument: !Sub |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "VisualEditor0",
              "Effect": "Allow",
              "Action": "iam:AttachGroupPolicy",
              "Resource": [
                "arn:aws:iam::*:group/${IAMGroup}"
              ]
            }
          ]
        }
  IAMManagedPolicy3:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: "AddUserToGroup"
      Path: "/"
      PolicyDocument: !Sub |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "VisualEditor0",
              "Effect": "Allow",
              "Action": "iam:AddUserToGroup",
              "Resource": [
                "arn:aws:iam::*:group/${IAMGroup}"
              ]
            }
          ]
        }
Can someone help me by pointing out the changes needed to remove the circular dependency and make the template work?
Reply from a uj5u.com user:
Since you hard-code the role names (AddUserToGroupRole and AttachGroupPolicyRole), you must use the names directly to get past the circular dependency problem:
  IAMManagedPolicy2:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: "UserAssumePolicy"
      Path: "/"
      PolicyDocument: !Sub |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "VisualEditor0",
              "Effect": "Allow",
              "Action": "sts:AssumeRole",
              "Resource": [
                "arn:aws:iam::*:role/AddUserToGroupRole",
                "arn:aws:iam::*:role/AttachGroupPolicyRole"
              ]
            }
          ]
        }
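The cycle in the question is IAMUser -> IAMManagedPolicy2 (via !Ref) -> IAMRole (via ${IAMRole} in !Sub) -> IAMUser (via !GetAtt IAMUser.Arn in the trust policy); writing the RoleName literals into the policy, as the answer does, cuts the IAMManagedPolicy2 -> IAMRole edge while leaving the role's trust policy scoped to the same user. The following Python script is an added example (not code from the question, the answer, or AWS) that finds such cycles offline before a stack update is attempted: it walks a template in CloudFormation's JSON form (where the YAML short forms !Ref, !GetAtt and !Sub become the keys Ref, Fn::GetAtt and Fn::Sub), builds the resource dependency graph, and reports the first cycle. The two embedded templates are constructed, trimmed replicas of the question's and the answer's resource graphs; the helper names iam_template, policy, references, dependency_graph and find_cycle are this example's own.

```python
import json
import re
from typing import Any, Dict, Iterator, List

# ${LogicalId} or ${LogicalId.Attribute} inside an Fn::Sub string. Pseudo
# parameters such as ${AWS::AccountId} contain colons and are deliberately skipped.
SUB_VAR = re.compile(r"\$\{([A-Za-z0-9]+)(?:\.[A-Za-z0-9]+)?\}")


def references(node: Any) -> Iterator[str]:
    """Yield every logical ID named by Ref, Fn::GetAtt or Fn::Sub anywhere below node."""
    if isinstance(node, dict):
        if isinstance(node.get("Ref"), str):
            yield node["Ref"]
        if "Fn::GetAtt" in node:
            target = node["Fn::GetAtt"]            # ["Id", "Attr"] or "Id.Attr"
            yield target[0] if isinstance(target, list) else target.split(".")[0]
        if "Fn::Sub" in node:
            sub = node["Fn::Sub"]                  # "text" or ["text", {variables}]
            yield from SUB_VAR.findall(sub[0] if isinstance(sub, list) else sub)
        for value in node.values():                # recurse; also covers Fn::Sub's variable map
            yield from references(value)
    elif isinstance(node, list):
        for item in node:
            yield from references(item)


def dependency_graph(template: Dict[str, Any]) -> Dict[str, List[str]]:
    """Map each resource to the resources it must wait for (intrinsic refs plus DependsOn)."""
    resources = template["Resources"]
    graph: Dict[str, List[str]] = {}
    for logical_id, body in resources.items():
        deps = {r for r in references(body.get("Properties", {})) if r in resources}
        depends_on = body.get("DependsOn", [])
        depends_on = [depends_on] if isinstance(depends_on, str) else depends_on
        deps.update(d for d in depends_on if d in resources)
        graph[logical_id] = sorted(deps)
    return graph


def find_cycle(graph: Dict[str, List[str]]) -> List[str]:
    """Return one cycle as a closed path (first == last), or [] when the graph is acyclic."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {node: WHITE for node in graph}
    path: List[str] = []

    def visit(node: str) -> List[str]:
        colour[node] = GREY
        path.append(node)
        for nxt in graph[node]:
            if colour[nxt] == GREY:                # back edge: nxt is still on the current path
                return path[path.index(nxt):] + [nxt]
            if colour[nxt] == WHITE:
                found = visit(nxt)
                if found:
                    return found
        path.pop()
        colour[node] = BLACK
        return []

    for node in sorted(graph):
        if colour[node] == WHITE:
            found = visit(node)
            if found:
                return found
    return []


def policy(action: str, *resources: str) -> Dict[str, Any]:
    """One-statement policy document wrapped in Fn::Sub, as the question's template does."""
    doc = {"Version": "2012-10-17",
           "Statement": [{"Effect": "Allow", "Action": action, "Resource": list(resources)}]}
    return {"Fn::Sub": json.dumps(doc)}


def iam_template(assume_policy: Dict[str, Any]) -> Dict[str, Any]:
    """Constructed replica of the question's resource graph; only IAMManagedPolicy2 varies."""
    trust = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
             "Principal": {"AWS": [{"Fn::GetAtt": ["IAMUser", "Arn"]}]}}]}
    group_policy = policy("iam:AddUserToGroup", "arn:aws:iam::*:group/${IAMGroup}")
    return {"Resources": {
        "IAMUser": {"Type": "AWS::IAM::User",
                    "Properties": {"ManagedPolicyArns": [{"Ref": "IAMManagedPolicy2"}]}},
        "IAMGroup": {"Type": "AWS::IAM::Group", "Properties": {"GroupName": "Temp"}},
        "IAMManagedPolicy2": {"Type": "AWS::IAM::ManagedPolicy",
                              "Properties": {"PolicyDocument": assume_policy}},
        "IAMRole": {"Type": "AWS::IAM::Role",
                    "Properties": {"RoleName": "AddUserToGroupRole", "AssumeRolePolicyDocument": trust,
                                   "ManagedPolicyArns": [{"Ref": "IAMManagedPolicy3"}]}},
        "IAMRole2": {"Type": "AWS::IAM::Role",
                     "Properties": {"RoleName": "AttachGroupPolicyRole", "AssumeRolePolicyDocument": trust,
                                    "ManagedPolicyArns": [{"Ref": "IAMManagedPolicy"}]}},
        "IAMManagedPolicy": {"Type": "AWS::IAM::ManagedPolicy", "Properties": {"PolicyDocument": group_policy}},
        "IAMManagedPolicy3": {"Type": "AWS::IAM::ManagedPolicy", "Properties": {"PolicyDocument": group_policy}},
    }}


# As posted: the policy resolves the role names through ${IAMRole} and ${IAMRole2}.
BROKEN_TEMPLATE = iam_template(policy("sts:AssumeRole", "arn:aws:iam::*:role/${IAMRole}",
                                      "arn:aws:iam::*:role/${IAMRole2}"))
# As fixed in the answer: the hard-coded RoleName values are written out, so the policy
# no longer depends on either role resource.
FIXED_TEMPLATE = iam_template(policy("sts:AssumeRole", "arn:aws:iam::*:role/AddUserToGroupRole",
                                     "arn:aws:iam::*:role/AttachGroupPolicyRole"))

if __name__ == "__main__":
    for name, tpl in (("as posted", BROKEN_TEMPLATE), ("answer's fix", FIXED_TEMPLATE)):
        cycle = find_cycle(dependency_graph(tpl))
        print(f"{name}: {' -> '.join(cycle) if cycle else 'no circular dependency'}")
```

Run as a script it prints the closed path IAMManagedPolicy2 -> IAMRole -> IAMUser -> IAMManagedPolicy2 for the posted template and "no circular dependency" for the fixed one. Two things to note when adapting it: DependsOn edges are counted alongside intrinsic references, because CloudFormation treats both as ordering constraints, and a real template should be loaded with a YAML parser that understands the `!Ref`/`!GetAtt`/`!Sub` tags (cfn-flip or a custom constructor), since this example embeds the templates directly to stay dependency-free.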
Please credit the source when reposting; original link: https://www.uj5u.com/qita/329545.html
