Create a CloudFormation-only AWS policy
I want to create a policy and role in AWS that allows resources to be created only through CloudFormation, not through the console.
What is the best way to achieve this?
The simplest way to achieve what you want is to create a CloudFormation service role and grant your users the ability to pass this role to CloudFormation and to perform CloudFormation create, update, etc.
I have created a CloudFormation template containing a starting-point role and group, with policies that should meet your needs.
CloudFormationServiceRole: the actual role CloudFormation uses; it has permission to perform actions in AWS.
UsersGroup: the group to add your users to. It has permission to perform actions in CloudFormation and to pass CloudFormationServiceRole, and nothing more.
AWSTemplateFormatVersion: 2010-09-09
Resources:
  CloudFormationServiceRole:
    # This Role will actually do all of the heavy lifting and resource
    # creation
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: Allow
            Principal:
              Service:
                - cloudformation.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        -
          PolicyName: CloudformationAccess
          PolicyDocument:
            # This policy defines what the users can actually do
            # with CloudFormation
            Version: "2012-10-17"
            Statement:
              -
                Effect: Allow
                Action: "*"
                Resource: "*"
  UsersGroup:
    # The users will use the role, but do nothing themselves
    Type: AWS::IAM::Group
    Properties:
      Policies:
        -
          PolicyName: UsersCloudformationAccess
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              -
                Effect: Allow
                Action:
                  - cloudformation:*
                Resource: "*"
              -
                Effect: Allow
                Action:
                  - iam:GetRole
                  - iam:PassRole
                Resource: !GetAtt CloudFormationServiceRole.Arn
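The pattern above only works if the users' group really holds nothing beyond the CloudFormation API plus GetRole/PassRole on the one service role: any extra Allow action, or a PassRole on Resource "*", lets a member create resources directly or hand a more powerful role to CloudFormation. The following Python script is an added example written for this answer (not part of the original answer and not an AWS tool) that lints a users-group policy document offline for exactly those two conditions. The role ARN and both policy documents are constructed stand-ins: GOOD_POLICY mirrors the template's UsersCloudformationAccess policy with !GetAtt CloudFormationServiceRole.Arn resolved to a placeholder ARN, and WEAK_POLICY is a deliberately loosened variant.

```python
import fnmatch

# Constructed placeholder standing in for !GetAtt CloudFormationServiceRole.Arn
SERVICE_ROLE_ARN = "arn:aws:iam::123456789012:role/CloudFormationServiceRole"

# What members of UsersGroup may hold directly (lower-cased; IAM action
# names are case-insensitive): the CloudFormation API plus reading and
# passing the service role. Everything else must come from the service role.
ALLOWED_ACTION_PATTERNS = ("cloudformation:*", "iam:getrole", "iam:passrole")


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_users_policy(policy_doc, service_role_arn):
    """Return a list of findings; an empty list means the policy matches the pattern."""
    findings = []
    for idx, stmt in enumerate(policy_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        for action in actions:
            # A literal "*", "iam:*", "ec2:RunInstances", ... lets the user act
            # outside CloudFormation, which defeats the whole design.
            if not any(fnmatch.fnmatchcase(action, p) for p in ALLOWED_ACTION_PATTERNS):
                findings.append(
                    f"statement {idx}: action {action!r} lets users act outside CloudFormation"
                )
            # PassRole must name the single service role, never "*" or a
            # wider pattern, or users could hand CloudFormation any role.
            if action == "iam:passrole":
                unscoped = [r for r in resources if r != service_role_arn]
                if unscoped:
                    findings.append(
                        f"statement {idx}: iam:PassRole must be scoped to "
                        f"{service_role_arn}, found {unscoped}"
                    )
    return findings


# Constructed: the template's UsersCloudformationAccess policy, ARN resolved.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["cloudformation:*"], "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": ["iam:GetRole", "iam:PassRole"],
            "Resource": SERVICE_ROLE_ARN,
        },
    ],
}

# Constructed: a loosened variant with a direct EC2 action and an unscoped PassRole.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["cloudformation:*", "ec2:RunInstances"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, doc in (("GOOD_POLICY", GOOD_POLICY), ("WEAK_POLICY", WEAK_POLICY)):
        result = lint_users_policy(doc, SERVICE_ROLE_ARN)
        print(f"{name}: {'OK' if not result else ''}")
        for line in result:
            print("  -", line)
```

Run it against the users' policy document whenever the template changes; GOOD_POLICY produces no findings, WEAK_POLICY produces one for the direct EC2 action and one for the unscoped PassRole. Members then create stacks by naming the service role explicitly (for example `aws cloudformation create-stack --role-arn <service role ARN> ...`), and since the service role in the template holds `Action: "*"`, the same least-privilege idea applies there: trim it to the services your templates actually provision.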