我正在创建一个带有角色的ec2实例,该角色提供对kinesis流和Dynamodb偏移表的访问 . 我正在使用aws cloudformation .
Problem I'm having is while creating the Streaming Access IAM Role itself.
那么,我将有以下结构,
has
StreamingAccessRole ----------> RolePolicy1(kinesis:*), RolePolicy2(dynamodb:*)
用于创建具有两个策略的AWS IAM角色的模板,一个用于kinesis,另一个用于dynamodb:
{
"AWSTemplateFormatVersion": "2010-09-09",
"Parameters": {
"teamIdentifier": {
"Type": "String",
"Default": "a28",
"Description": "Identifier for the team"
}
},
"Resources": {
"StreamingAccessRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/a28/",
"Policies": [
{
"PolicyName": "Stream-ConsumerOffset-RW-AccessPolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "kinesis:*",
"Resource": "arn:aws:kinesis:us-west-2:*:stream/a28-*"
},
{
"Effect": "Allow",
"Action": "dynamodb:*",
"Resource": "arn:aws:dynamodb:us-west-2:*:table/a28-*"
}
]
}
}
]
}
}
}
}
它创建了访问角色,但没有角色策略 .
$ aws iam get-role --role-name a28-streaming-access-role-st-StreamingAccessRole-14QHMTIOIRN5X --region us-west-2 --profile aws-federated
{
"Role": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
}
}
]
},
"RoleId": "AROAIFD6X2CJXTKLVQNLE",
"CreateDate": "2017-04-07T18:54:59Z",
"RoleName": "a28-streaming-access-role-st-StreamingAccessRole-14QHMTIOIRN5X",
"Path": "/a28/",
"Arn": "arn:aws:iam::500238854089:role/a28/a28-streaming-access-role-st-StreamingAccessRole-14QHMTIOIRN5X"
}
}
列出角色策略
$ aws iam list-role-policies --role-name a28-streaming-access-role-st-StreamingAccessRole-14QHMTIOIRN5X --region us-west-2 --profile aws-federated
{
"PolicyNames": []
}
这意味着它甚至没有制定任何政策,
aws iam list-policies --region us-west-2 --profile aws-federated | grep Stream-ConsumerOffset-RW-AccessPolicy
但 if I supplied only kinesis: statement in above example* ,它会创建一个策略,但不会单独使用 dynamodb:*
.
所以,我的问题是 how am supposed to provide multiple RolePolicies using one cloudformation AWS::IAM::Role template ,还是这个特定于dynamodb?
3 回答
在角色中创建策略时会出现间歇性竞争情况 . 使用AWS :: IAM :: Policy单独创建策略,并将Roles属性设置为Role . 问题将消失 .
你的模板对我来说非常好 .
我运行了你的模板然后:
列出角色策略:
该策略附加为 inline policy ,因此不会出现在
list-policies
中 . 而是使用get-role-policy
来查看它:原因可能是竞赛条件已经由Tim Bassett在_2718371中回答,我只是想添加有效的最终解决方案,以及如何将AWS::IAM::Policy添加到cloudformation .