在 AWS Cloud formation 中，如何在 IAM Policy 中使用 Ref 指定两个资源？

Question

如果两个相同的 IAM 策略针对两个不同的资源，如何将它们合并为一个。其中一项资源具有 Join 和 Ref。可以在 CloudFormation 模板中将以下两个策略合并为一个吗？

- Effect: Allow
  Action:
    - "s3:DeleteObject"
    - "s3:DeleteObjectTagging"
    - "s3:GetObjectAcl"
    - "s3:GetObjectTagging"
    - "s3:PutObject"
    - "s3:PutObjectAcl"
    - "s3:PutObjectTagging"
  Resource:
    !Join
      - ''
      - - 'arn:aws:s3:::'
        - !Ref TestBucketName
        - '/*'

- Effect: Allow
  Action:
    - "s3:DeleteObject"
    - "s3:DeleteObjectTagging"
    - "s3:GetObjectAcl"
    - "s3:GetObjectTagging"
    - "s3:PutObject"
    - "s3:PutObjectAcl"
    - "s3:PutObjectTagging"
  Resource: "arn:aws:s3:::SecondTestBucket/Download/*"

Answer 1

- Effect: Allow
  Action:
    - "s3:DeleteObject"
    - "s3:DeleteObjectAcl"
    - "s3:DeleteObjectTagging"
    - "s3:GetObjectAcl"
    - "s3:GetObjectTagging"
    - "s3:PutObject"
    - "s3:PutObjectAcl"
    - "s3:PutObjectTagging"
  Resource:
    - !Join
      - ''
      - - 'arn:aws:s3:::'
        - !Ref TestBucketName
        - '/*'
    - "arn:aws:s3:::SecondTestBucket/Download/*"

Answer 2

您也可以使用 !Sub or Fn::Sub 而不是下面的 Join 以获得清晰的代码。

- Effect: Allow
  Action:
    - "s3:DeleteObject"
    - "s3:DeleteObjectAcl"
    - "s3:DeleteObjectTagging"
    - "s3:GetObjectAcl"
    - "s3:GetObjectTagging"
    - "s3:PutObject"
    - "s3:PutObjectAcl"
    - "s3:PutObjectTagging"
  Resource:
    - !Sub arn:aws:s3:::${TestBucketName}/*
    - "arn:aws:s3:::SecondTestBucket/Download/*"

在 AWS Cloud formation 中，如何在 IAM Policy 中使用 Ref 指定两个资源？

In AWS Cloud formation, How to specify two resources with Ref in IAM Policy?

yaml

amazon-s3

amazon-web-services

amazon-cloudformation

amazon-iam