使用cloudformation创建aws IAM角色不会创建RolePolicies-Java 学习之路

我正在创建一个带有角色的ec2实例，该角色提供对kinesis流和Dynamodb偏移表的访问 . 我正在使用aws cloudformation .

Problem I'm having is while creating the Streaming Access IAM Role itself.

那么，我将有以下结构，

has
StreamingAccessRole ----------> RolePolicy1(kinesis:*), RolePolicy2(dynamodb:*)

用于创建具有两个策略的AWS IAM角色的模板，一个用于kinesis，另一个用于dynamodb：

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "teamIdentifier": {
      "Type": "String",
      "Default": "a28",
      "Description": "Identifier for the team"
    }
  },
  "Resources": {
    "StreamingAccessRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "ec2.amazonaws.com"
                ]
              },
              "Action": [
                "sts:AssumeRole"
              ]
            }
          ]
        },
        "Path": "/a28/",
        "Policies": [
          {
            "PolicyName": "Stream-ConsumerOffset-RW-AccessPolicy",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": "kinesis:*",
                  "Resource": "arn:aws:kinesis:us-west-2:*:stream/a28-*"
                },
                {
                  "Effect": "Allow",
                  "Action": "dynamodb:*",
                  "Resource": "arn:aws:dynamodb:us-west-2:*:table/a28-*"
                }
              ]
            }
          }
        ]
      }
    }
  }
}

它创建了访问角色，但没有角色策略 .

$ aws iam get-role --role-name a28-streaming-access-role-st-StreamingAccessRole-14QHMTIOIRN5X --region us-west-2 --profile aws-federated
{
    "Role": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17", 
            "Statement": [
                {
                    "Action": "sts:AssumeRole", 
                    "Effect": "Allow", 
                    "Principal": {
                        "Service": "ec2.amazonaws.com"
                    }
                }
            ]
        }, 
        "RoleId": "AROAIFD6X2CJXTKLVQNLE", 
        "CreateDate": "2017-04-07T18:54:59Z", 
        "RoleName": "a28-streaming-access-role-st-StreamingAccessRole-14QHMTIOIRN5X", 
        "Path": "/a28/", 
        "Arn": "arn:aws:iam::500238854089:role/a28/a28-streaming-access-role-st-StreamingAccessRole-14QHMTIOIRN5X"
    }
}

列出角色策略

$ aws iam list-role-policies --role-name a28-streaming-access-role-st-StreamingAccessRole-14QHMTIOIRN5X --region us-west-2 --profile aws-federated
{
    "PolicyNames": []
}

这意味着它甚至没有制定任何政策，

aws iam list-policies --region us-west-2 --profile aws-federated | grep Stream-ConsumerOffset-RW-AccessPolicy

但 if I supplied only kinesis: statement in above example* ，它会创建一个策略，但不会单独使用 dynamodb:* .

no policies created
所以，我的问题是 how am supposed to provide multiple RolePolicies using one cloudformation AWS::IAM::Role template ，还是这个特定于dynamodb？

3 回答

0

在角色中创建策略时会出现间歇性竞争情况 . 使用AWS :: IAM :: Policy单独创建策略，并将Roles属性设置为Role . 问题将消失 .

回复于 2024-05-01T11:43:16+08:00

你的模板对我来说非常好 .

我运行了你的模板然后：

$ aws iam get-role --role-name stack1-StreamingAccessRole-1KDUTVG1OLLQM
{
    "Role": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17", 
            "Statement": [
                {
                    "Action": "sts:AssumeRole", 
                    "Effect": "Allow", 
                    "Principal": {
                        "Service": "ec2.amazonaws.com"
                    }
                }
            ]
        }, 
        "RoleId": "AROAJADV75HTIM6C62YXQ", 
        "CreateDate": "2017-04-08T22:22:21Z", 
        "RoleName": "stack1-StreamingAccessRole-1KDUTVG1OLLQM", 
        "Path": "/a28/", 
        "Arn": "arn:aws:iam::123456789012:role/a28/stack1-StreamingAccessRole-1KDUTVG1OLLQM"
    }
}

列出角色策略：

$ aws iam list-role-policies --role-name stack1-StreamingAccessRole-1KDUTVG1OLLQM
{
    "PolicyNames": [
        "Stream-ConsumerOffset-RW-AccessPolicy"
    ]
}

该策略附加为 inline policy ，因此不会出现在 list-policies 中 . 而是使用 get-role-policy 来查看它：

$ aws iam get-role-policy --role-name stack1-StreamingAccessRole-1KDUTVG1OLLQM --policy-name Stream-ConsumerOffset-RW-AccessPolicy
{
    "RoleName": "stack1-StreamingAccessRole-1KDUTVG1OLLQM", 
    "PolicyDocument": {
        "Version": "2012-10-17", 
        "Statement": [
            {
                "Action": "kinesis:*", 
                "Resource": "arn:aws:kinesis:us-west-2:*:stream/a28-*", 
                "Effect": "Allow"
            }, 
            {
                "Action": "dynamodb:*", 
                "Resource": "arn:aws:dynamodb:us-west-2:*:table/a28-*", 
                "Effect": "Allow"
            }
        ]
    }, 
    "PolicyName": "Stream-ConsumerOffset-RW-AccessPolicy"
}

回复于 2024-05-01T11:43:16+08:00

原因可能是竞赛条件已经由Tim Bassett在_2718371中回答，我只是想添加有效的最终解决方案，以及如何将AWS::IAM::Policy添加到cloudformation .

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Some Streaming api devops",
  "Parameters": {
    "environment": {
      "Type": "String",
      "Default": "staging",
      "Description": "environment"
    }
  },
  "Resources": {
    "StreamingAccessRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "StreamingAccessRole",
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "ec2.amazonaws.com"
                ]
              },
              "Action": [
                "sts:AssumeRole"
              ]
            }
          ]
        },
        "Path": "/a28/"
      }
    },
    "StreamConsumerOffsetRWAccessPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "cloudwatch:*"
              ],
              "Resource": [
                "*"
              ]
            },
            {
              "Effect": "Allow",
              "Action": "kinesis:*",
              "Resource": "arn:aws:kinesis:us-west-2:051620159240:stream/a28-*"
            },
            {
              "Effect": "Allow",
              "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:CreateTable",
                "dynamodb:DeleteItem",
                "dynamodb:DeleteTable",
                "dynamodb:DescribeLimits",
                "dynamodb:DescribeReservedCapacity",
                "dynamodb:DescribeReservedCapacityOfferings",
                "dynamodb:DescribeStream",
                "dynamodb:DescribeTable",
                "dynamodb:GetItem",
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator",
                "dynamodb:ListStreams",
                "dynamodb:ListTables",
                "dynamodb:PutItem",
                "dynamodb:Query",
                "dynamodb:Scan",
                "dynamodb:UpdateItem",
                "dynamodb:UpdateTable"
              ],
              "Resource": "arn:aws:dynamodb:us-west-2:051620159240:table/a28-*"
            },
            {
              "Action": [
                "sns:*Permission",
                "sns:Create*",
                "sns:Delete*",
                "sns:Publish",
                "sns:ReceiveMessage",
                "sns:Set*"
              ],
              "Resource": [
                "arn:aws:sns:us-west-2:051620159240:a28-*"
              ],
              "Effect": "Allow"
            }
          ]
        },
        "PolicyName": "StreamConsumerOffsetRWAccessPolicy",
        "Roles": [
          {
            "Ref": "StreamingAccessRole"
          }
        ]
      }
    }
  }
}

回复于 2024-05-01T11:43:16+08:00

使用cloudformation创建aws IAM角色不会创建RolePolicies

3 回答

相关问题