Creating Managed Policy in CDK errors with MalformedPolicy

Posted: 2022-01-20 19:45:12

Question:

When I try to deploy a seemingly simple CDK stack, it fails with an odd error. I don't get the same behaviour when I create a different iam.ManagedPolicy in a different file, and that file's policy is far more complex, with multiple actions and so on. What am I doing wrong?
```python
import aws_cdk.core as core
from aws_cdk import aws_iam as iam
from constructs import Construct
from master_payer import ( env, myenv )

class FromStack(core.Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)
        #myenv['pma'] = an account ID (12 digits)
        #env = 'dev'
        rolename = f"arn:aws:iam:{myenv['pma']}:role/CrossAccount{env.capitalize()}MpaAdminRole"
        mpname = f"{env.capitalize()}MpaAdminPolicy"
        pol = iam.ManagedPolicy(self, mpname, managed_policy_name = mpname,
            document = iam.PolicyDocument(statements= [
                iam.PolicyStatement(actions=["sts:AssumeRole"], effect=iam.Effect.ALLOW, resources=[rolename])
            ]))
        grp = iam.Group(self, f"{env.capitalize()}MpaAdminGroup", managed_policies=[pol])
```
`cdk deploy` output:

```
FromStack: deploying...
FromStack: creating CloudFormation changeset...
2:19:52 AM | CREATE_FAILED | AWS::IAM::ManagedPolicy | DevMpaAdminPolicyREDACTED
The policy failed legacy parsing (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: REDACTED-GUID; Proxy: null)
new ManagedPolicy (/tmp/jsii-kernel-EfRyKw/node_modules/@aws-cdk/aws-iam/lib/managed-policy.js:39:26)
\_ /tmp/tmpxl5zxf8k/lib/program.js:8432:58
\_ Kernel._wrapSandboxCode (/tmp/tmpxl5zxf8k/lib/program.js:8860:24)
\_ Kernel._create (/tmp/tmpxl5zxf8k/lib/program.js:8432:34)
\_ Kernel.create (/tmp/tmpxl5zxf8k/lib/program.js:8173:29)
\_ KernelHost.processRequest (/tmp/tmpxl5zxf8k/lib/program.js:9757:36)
\_ KernelHost.run (/tmp/tmpxl5zxf8k/lib/program.js:9720:22)
\_ Immediate._onImmediate (/tmp/tmpxl5zxf8k/lib/program.js:9721:46)
\_ processImmediate (node:internal/timers:464:21)
❌ FromStack failed: Error: The stack named FromStack failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE
at Object.waitForStackDeploy (/usr/local/lib/node_modules/aws-cdk/lib/api/util/cloudformation.ts:307:11)
at processTicksAndRejections (node:internal/process/task_queues:96:5)
at prepareAndExecuteChangeSet (/usr/local/lib/node_modules/aws-cdk/lib/api/deploy-stack.ts:351:26)
at CdkToolkit.deploy (/usr/local/lib/node_modules/aws-cdk/lib/cdk-toolkit.ts:194:24)
at initCommandLine (/usr/local/lib/node_modules/aws-cdk/bin/cdk.ts:267:9)
The stack named FromStack failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE
```
Here is also the output of `cdk synth`, which `cfn-lint` is happy with (no warnings, errors or informational violations):

```json
{
  "Resources": {
    "DevMpaAdminPolicyREDACTED": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Resource": "arn:aws:iam:REDACTED-ACCOUNT-ID:role/CrossAccountDevMpaAdminRole"
            }
          ],
          "Version": "2012-10-17"
        },
        "Description": "",
        "ManagedPolicyName": "DevMpaAdminPolicy",
        "Path": "/"
      },
      "Metadata": {
        "aws:cdk:path": "FromStack/DevMpaAdminPolicy/Resource"
      }
    },
    "DevMpaAdminGroupREDACTED": {
      "Type": "AWS::IAM::Group",
      "Properties": {
        "ManagedPolicyArns": [
          {
            "Ref": "DevMpaAdminPolicyREDACTED"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "FromStack/DevMpaAdminGroup/Resource"
      }
    },
    "CDKMetadata": {
      "Type": "AWS::CDK::Metadata",
      "Properties": {
        "Analytics": "v2:deflate64:REDACTED-B64"
      },
      "Metadata": {
        "aws:cdk:path": "FromStack/CDKMetadata/Default"
      }
    }
  }
}
```
Environment:

```
$ cdk --version
2.2.0 (build 4f5c27c)
$ cat /etc/redhat-release
Red Hat Enterprise Linux release 8.5 (Ootpa)
$ python --version
Python 3.6.8
$ node --version
v16.8.0
```
Answer 1:

The role ARN `rolename` is wrong; I was missing a colon after `iam`. So it should be `iam::` rather than `iam:`. I think I copied the single colon from some (wrong) example on the Internet. Ugh...