AWS - 根据 CF 模板中的映射查找分配 IAM 配置文件
AWS - Assign an IAM profile based on a Mapping lookup in CF template
在我的 Cloud Formation 模板中,我有针对不同环境的 IAM 映射:
Mappings:
EnvironmentToIAMInstanceProfileARN:
dev:
Profile: [ "arn:aws:iam::0000000000:role/AnInstanceProfile" ]
test:
Profile: [ "arn:aws:iam::0000000001:role/AppServerInstanceProfile",
"arn:aws:iam::0000000001:role/AppProvisioningRole"]
我正在创建 S3 存储桶并需要向主体提供 IAM 配置文件:
AppS3BucketPolicy:
Type: 'AWS::S3::BucketPolicy'
Properties:
Bucket: !Ref S3NameParam
PolicyDocument:
Statement:
- Sid: 'Restrict access to the IAM Instance ARN'
Effect: Allow
Principal: '*' # !FindInMap [EnvironmentToIAMInstanceProfileARN, !Ref 'EnvType', Profile]
Action:
- 's3:GetBucketAcl'
- 's3:GetBucketLocation'
- 's3:GetObject'
- 's3:ListBucket'
- 's3:PutObject'
Resource:
- !Join
- ''
- - 'arn:aws:s3:::'
- !Ref S3NameParam
- ''
- !Join
- ''
- - 'arn:aws:s3:::'
- !Ref S3NameParam
- /*
如果我将 '*' 分配给 Prinicpal,它就可以工作,但是我正在尝试查找映射:
Principal: !FindInMap [EnvironmentToIAMInstanceProfileARN, !Ref 'EnvType', Profile]
这不起作用并导致错误:
Invalid bucket policy syntax. (Service: Amazon S3; Status Code: 400;
Error Code: MalformedPolicy;
有谁知道我该怎么做,或者为什么会失败?
ps EnvType 参数确实存在:
Parameters:
EnvType:
Description: Environment Name
Default: test
Type: String
AllowedValues: [dev, test, prod]
根据这篇文章,语法需要有服务。
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html
JSON:
"Principal": {
"Service": [
"elasticmapreduce.amazonaws.com",
"datapipeline.amazonaws.com"
]
但是,根据其他一些文档,我得出了它的 AWS 而不是服务:
JSON:
"Principal": {
"AWS": [
"elasticmapreduce.amazonaws.com",
"datapipeline.amazonaws.com"
]
YAML 中的解决方案:
Principal:
AWS:
!FindInMap [EnvironmentToIAMInstanceProfileARN, !Ref 'EnvType', Profile]
在我的 Cloud Formation 模板中,我有针对不同环境的 IAM 映射:
Mappings:
EnvironmentToIAMInstanceProfileARN:
dev:
Profile: [ "arn:aws:iam::0000000000:role/AnInstanceProfile" ]
test:
Profile: [ "arn:aws:iam::0000000001:role/AppServerInstanceProfile",
"arn:aws:iam::0000000001:role/AppProvisioningRole"]
我正在创建 S3 存储桶并需要向主体提供 IAM 配置文件:
AppS3BucketPolicy:
Type: 'AWS::S3::BucketPolicy'
Properties:
Bucket: !Ref S3NameParam
PolicyDocument:
Statement:
- Sid: 'Restrict access to the IAM Instance ARN'
Effect: Allow
Principal: '*' # !FindInMap [EnvironmentToIAMInstanceProfileARN, !Ref 'EnvType', Profile]
Action:
- 's3:GetBucketAcl'
- 's3:GetBucketLocation'
- 's3:GetObject'
- 's3:ListBucket'
- 's3:PutObject'
Resource:
- !Join
- ''
- - 'arn:aws:s3:::'
- !Ref S3NameParam
- ''
- !Join
- ''
- - 'arn:aws:s3:::'
- !Ref S3NameParam
- /*
如果我将 '*' 分配给 Prinicpal,它就可以工作,但是我正在尝试查找映射:
Principal: !FindInMap [EnvironmentToIAMInstanceProfileARN, !Ref 'EnvType', Profile]
这不起作用并导致错误:
Invalid bucket policy syntax. (Service: Amazon S3; Status Code: 400; Error Code: MalformedPolicy;
有谁知道我该怎么做,或者为什么会失败?
ps EnvType 参数确实存在:
Parameters:
EnvType:
Description: Environment Name
Default: test
Type: String
AllowedValues: [dev, test, prod]
根据这篇文章,语法需要有服务。 https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html
JSON:
"Principal": {
"Service": [
"elasticmapreduce.amazonaws.com",
"datapipeline.amazonaws.com"
]
但是,根据其他一些文档,我得出了它的 AWS 而不是服务:
JSON:
"Principal": {
"AWS": [
"elasticmapreduce.amazonaws.com",
"datapipeline.amazonaws.com"
]
YAML 中的解决方案:
Principal:
AWS:
!FindInMap [EnvironmentToIAMInstanceProfileARN, !Ref 'EnvType', Profile]