Planning to create a CFT with 3 roles that need managed policies, plus inline policies attached to them

Posted

tags:


I am trying to create a CFT with 1. three different roles using managed policies, and 2. inline policies that should be attached to the three roles created in the CFT.

But I cannot get this to work, because it tells me that at least one resource must be defined.

Please help me achieve this.

{"AWSTemplateFormatVersion": "2010-09-09", "Resources": {

    "EMRDefaultRole": {
        "Type": "AWS::IAM::Role",
        "Properties": {
            "RoleName": "EMR_DefaultRole",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [{
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "elasticmapreduce.amazonaws.com"
                    },
                    "Action": "sts:AssumeRole"
                }]
            },
            "ManagedPolicyArns": [
                "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole"
            ]
        }
    },
    "EMREC2DefaultRole": {
        "Type": "AWS::IAM::Role",
        "Properties": {
            "RoleName": "EMR_EC2_DefaultRole",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [{
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "ec2.amazonaws.com"
                    },
                    "Action": "sts:AssumeRole"
                }]
            },
            "ManagedPolicyArns": [
                "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role"
            ]
        }
    },
    "EMRAutoScalingDefaultRole": {
        "Type": "AWS::IAM::Role",
        "Properties": {
            "RoleName": "EMR_AutoScaling_DefaultRole",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [{
                    "Effect": "Allow",
                    "Principal": {
                        "Service": [ "elasticmapreduce.amazonaws.com",
                        "application-autoscaling.amazonaws.com"]
                    },
                    "Action": "sts:AssumeRole"
                }]
            },
            "ManagedPolicyArns": [
                "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforAutoScalingRole"
            ]
        }
    },
    "EMRS3Policies": {
        "Type": "AWS::IAM::Policy",
        "Properties": {
            "PolicyName": "Moodys-IAM-EMR-S3-Access-Policy",
            "PolicyDocument": {
                "Statement": [{
                        "Effect": "Allow",
                        "Action": [
                            "s3:HeadBucket",
                            "s3:GetObject"
                        ],
                        "Resource": {
                            "Fn::Join": ["", ["arn:aws:s3:::mit-", {
                                "Ref": "AWS::AccountId"
                            }, "-emr-files/*"]]
                        }
                    }

                ]
            },
            "Roles": [
                {"Ref": "EMRDefaultRole"},
                {"Ref": "EMREC2DefaultRole"},
                {"Ref": "EMRAutoScalingDefaultRole"}
            ]
        }
    }
}

}

So I am expecting three roles, each with a managed policy and an inline policy attached.

Answer

You are missing the Resource attribute in your role statements.

    "Statement": [{
        "Effect": "Allow",
        "Principal": {
            "Service": [ "elasticmapreduce.amazonaws.com",
            "application-autoscaling.amazonaws.com"]
        },
        "Action": "sts:AssumeRole"
    }]

This should be (and it applies to all of the statements):

    "Statement": [{
        "Effect": "Allow",
        "Principal": {
            "Service": [ "elasticmapreduce.amazonaws.com",
            "application-autoscaling.amazonaws.com"]
        },
        "Action": "sts:AssumeRole",
        "Resource": [
            "arn-of-your-resource-or-wildcard"
        ]
    }]
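As an added example (not code from the post above or from AWS), a small Python lint that walks a CloudFormation template dict and reports the structural and least-privilege problems a reviewer would check for in a template like this one: an empty Resources section, inline-policy statements without a Resource, wildcard actions or resources, a trust policy open to any principal, and a policy whose Roles list points at a role the template does not define. The sample template, role names and policy names are constructed for the demonstration.

```python
def _as_list(v):
    """IAM accepts a scalar or a list for Statement, Action and Resource; normalise to a list."""
    return v if isinstance(v, list) else [v]

def lint_iam_template(template: dict) -> list[str]:
    """Return human-readable findings for the IAM resources; an empty list means the template passed."""
    findings: list[str] = []
    resources = template.get("Resources") or {}
    if not resources:  # CloudFormation rejects a template whose Resources section is missing or empty
        findings.append("template: Resources must define at least one resource")
    role_names = {n for n, r in resources.items() if r.get("Type") == "AWS::IAM::Role"}
    for name, res in resources.items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::IAM::Role":
            trust = props.get("AssumeRolePolicyDocument", {})
            for st in _as_list(trust.get("Statement", [])):
                if st.get("Principal") in ("*", {"AWS": "*"}):  # anyone could assume the role
                    findings.append(f"{name}: trust policy allows any principal to assume the role")
        elif res.get("Type") == "AWS::IAM::Policy":
            doc = props.get("PolicyDocument", {})
            for i, st in enumerate(_as_list(doc.get("Statement", []))):
                if "Resource" not in st and "NotResource" not in st:  # identity policies must scope each statement
                    findings.append(f"{name}: statement {i} has no Resource")
                actions = _as_list(st.get("Action", []))
                if any(a == "*" or a.endswith(":*") for a in actions) or "*" in _as_list(st.get("Resource", [])):
                    findings.append(f"{name}: statement {i} uses a wildcard action or resource")
            for ref in props.get("Roles", []):  # inline policies must attach to roles declared in this template
                target = ref.get("Ref") if isinstance(ref, dict) else ref
                if target not in role_names:
                    findings.append(f"{name}: Roles references '{target}', which is not a role in this template")
    return findings

# Constructed sample: one EMR-style role and two inline policies, the second deliberately flawed.
SAMPLE_TEMPLATE = {"AWSTemplateFormatVersion": "2010-09-09", "Resources": {
    "EMRDefaultRole": {"Type": "AWS::IAM::Role", "Properties": {
        "RoleName": "EMR_DefaultRole",
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Principal": {"Service": "elasticmapreduce.amazonaws.com"}, "Action": "sts:AssumeRole"}]},
        "ManagedPolicyArns": ["arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole"]}},
    "S3ReadPolicy": {"Type": "AWS::IAM::Policy", "Properties": {
        "PolicyName": "emr-s3-read", "Roles": [{"Ref": "EMRDefaultRole"}],
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
            "Resource": {"Fn::Join": ["", ["arn:aws:s3:::mit-", {"Ref": "AWS::AccountId"}, "-emr-files/*"]]}}]}}},
    "BroadPolicy": {"Type": "AWS::IAM::Policy", "Properties": {
        "PolicyName": "too-broad", "Roles": [{"Ref": "MissingRole"}],
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "s3:*"}]}}}}}
```

Running `lint_iam_template(SAMPLE_TEMPLATE)` reports only the three problems in BroadPolicy; the role and the scoped S3 policy pass clean.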
