Creating Managed Policy in CDK errors with MalformedPolicy

Posted 2022-01-20 19:45:12

Question:

When I try to deploy a seemingly simple CDK stack, it fails with a strange error. I don't get the same behaviour when I create a different iam.ManagedPolicy in a different file, and that file's policy is far more complex, with multiple actions and so on. What am I doing wrong?

import aws_cdk.core as core
from aws_cdk import aws_iam as iam
from constructs import Construct
from master_payer import ( env, myenv )

class FromStack(core.Stack):

    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)
        # myenv['pma'] = an account ID (12 digits)
        # env = 'dev'
        # role ARN in the remote account (note: a single colon after 'iam' here)
        rolename = f"arn:aws:iam:{myenv['pma']}:role/CrossAccount{env.capitalize()}MpaAdminRole"
        mpname = f"{env.capitalize()}MpaAdminPolicy"
        # customer managed policy that only allows assuming the cross-account role
        pol = iam.ManagedPolicy(self, mpname, managed_policy_name = mpname,
            document = iam.PolicyDocument(statements= [
            iam.PolicyStatement(actions=["sts:AssumeRole"], effect=iam.Effect.ALLOW, resources=[rolename])
        ]))
        # group whose members get the managed policy
        grp = iam.Group(self, f"{env.capitalize()}MpaAdminGroup", managed_policies=[pol])

Output of cdk deploy:

FromStack: deploying...
FromStack: creating CloudFormation changeset...
2:19:52 AM | CREATE_FAILED        | AWS::IAM::ManagedPolicy | DevMpaAdminPolicyREDACTED
The policy failed legacy parsing (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: REDACTED-GUID; Proxy: null)

        new ManagedPolicy (/tmp/jsii-kernel-EfRyKw/node_modules/@aws-cdk/aws-iam/lib/managed-policy.js:39:26)
        \_ /tmp/tmpxl5zxf8k/lib/program.js:8432:58
        \_ Kernel._wrapSandboxCode (/tmp/tmpxl5zxf8k/lib/program.js:8860:24)
        \_ Kernel._create (/tmp/tmpxl5zxf8k/lib/program.js:8432:34)
        \_ Kernel.create (/tmp/tmpxl5zxf8k/lib/program.js:8173:29)
        \_ KernelHost.processRequest (/tmp/tmpxl5zxf8k/lib/program.js:9757:36)
        \_ KernelHost.run (/tmp/tmpxl5zxf8k/lib/program.js:9720:22)
        \_ Immediate._onImmediate (/tmp/tmpxl5zxf8k/lib/program.js:9721:46)
        \_ processImmediate (node:internal/timers:464:21)


 ❌  FromStack failed: Error: The stack named FromStack failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE
    at Object.waitForStackDeploy (/usr/local/lib/node_modules/aws-cdk/lib/api/util/cloudformation.ts:307:11)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at prepareAndExecuteChangeSet (/usr/local/lib/node_modules/aws-cdk/lib/api/deploy-stack.ts:351:26)
    at CdkToolkit.deploy (/usr/local/lib/node_modules/aws-cdk/lib/cdk-toolkit.ts:194:24)
    at initCommandLine (/usr/local/lib/node_modules/aws-cdk/bin/cdk.ts:267:9)
The stack named FromStack failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE


And the output of cdk synth, which cfn-lint is happy with (no warnings, errors or informational violations):


{
  "Resources": {
    "DevMpaAdminPolicyREDACTED": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Resource": "arn:aws:iam:REDACTED-ACCOUNT-ID:role/CrossAccountDevMpaAdminRole"
            }
          ],
          "Version": "2012-10-17"
        },
        "Description": "",
        "ManagedPolicyName": "DevMpaAdminPolicy",
        "Path": "/"
      },
      "Metadata": {
        "aws:cdk:path": "FromStack/DevMpaAdminPolicy/Resource"
      }
    },
    "DevMpaAdminGroupREDACTED": {
      "Type": "AWS::IAM::Group",
      "Properties": {
        "ManagedPolicyArns": [
          {
            "Ref": "DevMpaAdminPolicyREDACTED"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "FromStack/DevMpaAdminGroup/Resource"
      }
    },
    "CDKMetadata": {
      "Type": "AWS::CDK::Metadata",
      "Properties": {
        "Analytics": "v2:deflate64:REDACTED-B64"
      },
      "Metadata": {
        "aws:cdk:path": "FromStack/CDKMetadata/Default"
      }
    }
  }
}



Environment details

$ cdk --version
2.2.0 (build 4f5c27c)

$ cat /etc/redhat-release
Red Hat Enterprise Linux releease 8.5 (Ootpa)

$ python --version
Python 3.6.8

$ node --version
v16.8.0

Answer 1:

The role ARN rolename was wrong; I was missing a colon after iam. So it is iam:: rather than iam:. I think I copied the single colon from some (wrong) example on the Internet. Argh...
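The missing colon drops the (empty) region field of the IAM ARN, so the string no longer has the six colon-separated fields IAM's parser requires. As an added example that is not part of the question or the answer, the check below validates a role ARN before it is handed to a policy document; the account ID and environment name are constructed placeholders, as the post redacts the real ones.

```python
import re
from typing import List

# Constructed placeholder values; the post redacts the real account ID.
ACCOUNT_ID = "123456789012"
ENV = "dev"


def build_role_arn(account_id: str, env: str) -> str:
    """Build the cross-account role ARN with IAM's empty region field (iam::)."""
    return f"arn:aws:iam::{account_id}:role/CrossAccount{env.capitalize()}MpaAdminRole"


def arn_problems(arn: str) -> List[str]:
    """Return the reasons an IAM role ARN would be rejected; an empty list means it looks well formed."""
    # An ARN has exactly six colon-separated fields; the resource part may itself contain colons.
    parts = arn.split(":", 5)
    if len(parts) != 6:
        return [f"expected 6 colon-separated fields, got {len(parts)}"]
    prefix, partition, service, region, account, resource = parts
    problems = []
    if prefix != "arn":
        problems.append(f"ARN must start with 'arn', got {prefix!r}")
    if partition not in ("aws", "aws-cn", "aws-us-gov"):
        problems.append(f"unknown partition {partition!r}")
    if service != "iam":
        problems.append(f"expected service 'iam', got {service!r}")
    elif region != "":
        # IAM is a global service, so the region field must be empty: arn:aws:iam::ACCOUNT:...
        problems.append(f"IAM ARNs have an empty region field, got {region!r}")
    if not re.fullmatch(r"\d{12}", account):
        problems.append(f"account field {account!r} is not a 12-digit account ID")
    if not resource.startswith("role/") or len(resource) <= len("role/"):
        problems.append(f"resource {resource!r} is not of the form role/<RoleName>")
    return problems


if __name__ == "__main__":
    # The ARN from the question has a single colon after 'iam', which drops the region field.
    broken = f"arn:aws:iam:{ACCOUNT_ID}:role/CrossAccount{ENV.capitalize()}MpaAdminRole"
    print(broken, arn_problems(broken))
    fixed = build_role_arn(ACCOUNT_ID, ENV)
    print(fixed, arn_problems(fixed))
```

Running arn_problems on the questioner's rolename reports five fields instead of six, which is the same defect IAM surfaces only at deploy time as MalformedPolicyDocument.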
