Defining IAM policy to reference params in another file

I want to deploy a policy as a resource.

I want to reference the resource properties from another file.

An example of how to do this is

resource.yml

Resources:
  MyGroupPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - iam:ChangePassword
              - iam:CreateLoginProfile
              - iam:DeleteLoginProfile
              - iam:GetAccountPasswordPolicy
              - iam:GetAccountSummary
              - iam:GetLoginProfile
              - iam:UpdateLoginProfile
            Effect: Allow
            Resource:
              - Ref: Param1
              - Ref: Param2
              - Ref: Param3

params.json

[
    {
        "ParameterKey": "Param1",
        "ParameterValue": "arn:aws:iam::7777777777:user/${aws:username}"
    },
    {
        "ParameterKey": "Param2",
        "ParameterValue": "arn:aws:iam::7777777777:mfa/*"
    },
    {
        "ParameterKey": "Param3",
        "ParameterValue": "arn:aws:iam::7777777:mfa/${aws:username}"
    }
]

Deploy command

aws cloudformation create-stack --stack-name stack --template-body file://resource.yml --parameters file://params.json --capabilities CAPABILITY_NAMED_IAM

Error

An error occurred (ValidationError) when calling the CreateStack operation: Parameter values specified for a template which does not require them.

What am I doing wrong? Can I not reference an ARN from another file?

You are missing a Parameters section in your resource.yml template, which is where you define what the stack expects as input. The template should actually look like this:

Parameters:
  Param1:
    Type: String
  Param2:
    Type: String
  Param3:
    Type: String
Resources:
  MyGroupPolicy:
    Type: AWS::IAM::Policy
    Properties:
      # AWS::IAM::Policy requires PolicyName and at least one of Groups, Roles or Users;
      # the group name below is a placeholder, not a value from the question.
      PolicyName: MyGroupPolicy
      Groups:
        - PLACEHOLDER_GROUP_NAME
      PolicyDocument:
        # Policy variables such as ${aws:username} only work with this Version value.
        Version: "2012-10-17"
        Statement:
          - Action:
              - iam:ChangePassword
              - iam:CreateLoginProfile
              - iam:DeleteLoginProfile
              - iam:GetAccountPasswordPolicy
              - iam:GetAccountSummary
              - iam:GetLoginProfile
              - iam:UpdateLoginProfile
            Effect: Allow
            Resource:
              - Ref: Param1
              - Ref: Param2
              - Ref: Param3
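As an added preflight check (not code from the question or the answer), the script below reproduces the mismatch behind the ValidationError before any call to AWS: it compares the ParameterKey entries in params.json with the template's top-level Parameters section and flags any Ref that resolves to neither a declared parameter nor a resource. It assumes 2-space YAML indentation and the `Ref:` / `!Ref` forms used above; the embedded template and parameter values are constructed from the question.

```python
"""Preflight check that params.json matches the template's Parameters section (2-space YAML assumed)."""
import json
import re

# Constructed from the question: the template as posted, with no Parameters section.
TEMPLATE = """\
Resources:
  MyGroupPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Resource:
              - Ref: Param1
              - Ref: Param2
              - Ref: Param3
"""
FIXED_TEMPLATE = ("Parameters:\n" + "".join(f"  Param{i}:\n    Type: String\n"
                  for i in (1, 2, 3)) + TEMPLATE)
PARAMS = json.dumps([{"ParameterKey": f"Param{i}", "ParameterValue": "arn:placeholder"}
                     for i in (1, 2, 3)])

def section_keys(template: str, section: str) -> set:
    """Logical names declared directly under a top-level section such as Parameters."""
    keys, inside = set(), False
    for line in template.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            inside = line.rstrip() == f"{section}:"
        elif inside and indent == 2 and line.rstrip().endswith(":"):
            keys.add(line.strip()[:-1])
    return keys

def referenced_names(template: str) -> set:
    """Targets of Ref: / !Ref, minus pseudo parameters such as AWS::Region."""
    names = re.findall(r"(?:\bRef:|!Ref)\s+([A-Za-z0-9:]+)", template)
    return {n for n in names if not n.startswith("AWS::")}

def check(template: str, params_json: str) -> dict:
    supplied = {p["ParameterKey"] for p in json.loads(params_json)}
    declared = section_keys(template, "Parameters")
    resources = section_keys(template, "Resources")
    # undeclared_supplied is exactly what the ValidationError on this page complains about.
    return {
        "undeclared_supplied": sorted(supplied - declared),
        "missing_values": sorted(declared - supplied),  # no Default handling, by assumption
        "dangling_refs": sorted(referenced_names(template) - declared - resources),
    }
```

Running `check(TEMPLATE, PARAMS)` lists all three parameters as undeclared, while `check(FIXED_TEMPLATE, PARAMS)` returns three empty lists.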