通过 cloudformation 创建 IAM 角色时 policyName 出错

Posted

技术标签:

【中文标题】通过 cloudformation 创建 IAM 角色时 policyName 出错【英文标题】:Error in the policyName when creating IAM Role by cloudformation 【发布时间】:2017-06-11 18:22:45 【问题描述】:

这是角色sn-p:

"InstanceRole": 
  "Type": "AWS::IAM::Role",
  "Properties": 
    "AssumeRolePolicyDocument": 
      "Version" : "2012-10-17",
      "Statement": [ 
        "Effect": "Allow",
        "Principal": 
           "Service" : [  "Fn::FindInMap": [ "Region2Principal",  "Ref": "AWS::Region" ,"EC2Principal" ]  ] ,
        "Action"  : [ "sts:AssumeRole" ]
      ]
    ,
    "Path": "/",
    "Policies": [
      "PolicyName": "Fn::Join" : ["",["AWS::StackName","InstanceApi"] ] ,
      "PolicyDocument": 
        "Statement": [
          "Effect": "Allow",
          "Action": "*",
          "Resource": "*"
        ]
      
    ]
  
,

这是错误:The specified value for policyName is invalid. It must contain only alphanumeric characters and/or the following: +=,.@_-

我输入的AWS::StackName的值为tmplt-stack,生成的报错策略名称为:tmplt-stack-InstanceApi-O7KF5OL0TA2Q

我不明白为什么 cloudformation 拒绝该名称,即使它只包含几个字符“-”并且根​​据错误消息是允许的,其余都是字母数字字符。

【问题讨论】:

【参考方案1】:

这是我在使用伪参数AWS::StackName时犯的大错,我没有用Ref调用它

"InstanceRole": 
  "Type": "AWS::IAM::Role",
  "Properties": 
    "AssumeRolePolicyDocument": 
      "Version" : "2012-10-17",
      "Statement": [ 
        "Effect": "Allow",
        "Principal": 
           "Service" : [  "Fn::FindInMap": [ "Region2Principal",  "Ref": "AWS::Region" ,"EC2Principal" ]  ] ,
        "Action"  : [ "sts:AssumeRole" ]
      ]
    ,
    "Path": "/",
    "Policies": [
      "PolicyName": "Fn::Join" : ["",["Ref":"AWS::StackName","InstanceApi"] ] ,
      "PolicyDocument": 
        "Statement": [
          "Effect": "Allow",
          "Action": "*",
          "Resource": "*"
        ]
      
    ]
  
,

【讨论】:

以上是关于通过 cloudformation 创建 IAM 角色时 policyName 出错的主要内容,如果未能解决你的问题,请参考以下文章

IAM 的 AWS Cloudformation 模板帮助

使用 Cloudformation 创建 KMS 密钥时出现消息“没有 IAM 权限来处理 AWS::KMS::Key 资源上的标签”

Cloudformation 的最低权限 AWS IAM 策略

使用 CDK Deploy 需要哪些 IAM 权限?

需要功能:[CAPABILITY_IAM] Cloudformation AWS 控制台

如何根据 IAM 角色 CloudFormation 模板中的参数提供不同的条件