CloudFormation policy is generated incorrectly

Time: 2020-08-24 13:25:28

Tags: amazon-web-services amazon-cloudformation amazon-iam

CloudFormation does not generate the policy described in the template.

I want to create/recreate this exact policy on my role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "cloudWatch:ListDashboards"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "cloudwatch:GetDashboard",
            "Resource": "arn:aws:cloudwatch::xxxx:dashboard/test"
        }
    ]
}

Here is my CloudFormation template (see the policy):

  CustomResourceRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
              - ec2.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName:
            !Sub
              - Cloudwatch${PolicyCustomName}DashboardAccessPolicy
              - { PolicyCustomName: !Ref Tenant }
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action: [
                "cloudWatch:ListDashboards"
            ]
                Resource: '*'
                Action: 'cloudwatch:GetDashboard'
                Resource: 'arn:aws:cloudwatch::xxxx:dashboard/Test'
  RootInstanceProfile:
    Type: 'AWS::IAM::InstanceProfile'
    Properties:
      Path: /
      Roles:
        - !Ref CustomResourceRole

However, this does not generate the desired policy. I get the following output, which is missing the first part of the policy I want. Why?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "cloudwatch:GetDashboard",
            "Resource": "arn:aws:cloudwatch::xxxx:dashboard/Test",
            "Effect": "Allow"
        }
    ]
}

1 answer:

Answer 0 (score: 2)

You provided two Statements for the same Action, and the CloudFormation engine uses the latter, overwriting cloudWatch:ListDashboards.

Since Statement is a list, you can write the two statements as follows:

  CustomResourceRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
              - ec2.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName:
            !Sub
              - Cloudwatch${PolicyCustomName}DashboardAccessPolicy
              - { PolicyCustomName: !Ref Tenant }
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action: "cloudWatch:ListDashboards"
                Resource: '*'
              - Effect: Allow
                Action: 'cloudwatch:GetDashboard'
                Resource: 'arn:aws:cloudwatch::xxxx:dashboard/Test'
  RootInstanceProfile:
    Type: 'AWS::IAM::InstanceProfile'
    Properties:
      Path: /
      Roles:
        - !Ref CustomResourceRole
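A silently dropped statement like the one above is easy to miss in the console, so it is worth comparing the policy you intended against what was actually attached. The following is an added example (not from the question or answer): it normalizes both policy documents from the question into individual grants and reports what the generated policy is missing. IAM action names are case-insensitive, so they are lower-cased before comparison; resource ARNs are compared exactly, so the "dashboard/test" versus "dashboard/Test" mismatch in the question is flagged as well.

```python
import json

# Constructed from the question: the policy the author wanted (INTENDED)
# and the policy CloudFormation actually produced (GENERATED).
INTENDED = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow",
     "Action": ["cloudWatch:ListDashboards"], "Resource": "*"},
    {"Sid": "VisualEditor1", "Effect": "Allow",
     "Action": "cloudwatch:GetDashboard",
     "Resource": "arn:aws:cloudwatch::xxxx:dashboard/test"}
  ]
}
""")

GENERATED = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": "cloudwatch:GetDashboard",
     "Resource": "arn:aws:cloudwatch::xxxx:dashboard/Test",
     "Effect": "Allow"}
  ]
}
""")


def _as_list(value):
    # IAM allows Statement, Action and Resource to be a single string or a list.
    return value if isinstance(value, list) else [value]


def normalize(policy):
    """Expand a policy into a set of (effect, action, resource) grants.
    Action names are case-insensitive in IAM, so they are lower-cased;
    Sid and key order do not affect what the policy grants."""
    grants = set()
    for stmt in _as_list(policy["Statement"]):
        for action in _as_list(stmt["Action"]):
            for resource in _as_list(stmt["Resource"]):
                grants.add((stmt["Effect"], action.lower(), resource))
    return grants


def missing_grants(intended, generated):
    """Grants present in the intended policy but absent from the generated one."""
    return sorted(normalize(intended) - normalize(generated))


if __name__ == "__main__":
    for effect, action, resource in missing_grants(INTENDED, GENERATED):
        print(f"missing: {effect} {action} on {resource}")
```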