CloudFormation template to create a role for SQS

Time: 2017-01-02 17:13:14

Tags: amazon-web-services amazon-sqs amazon-cloudformation

I'm trying to create a role with an embedded policy using a CloudFormation template:

{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
  "SQSRole": {
     "Type": "AWS::IAM::Role",
     "Properties": {
        "AssumeRolePolicyDocument": {
           "Version" : "2012-10-17",
           "Statement": [ {
              "Effect": "Allow",
              "Principal": {
                 "Service": [ "sqs.amazonaws.com" ]
              },
              "Action": [
                    "SQS:SendMessage",
                    "SQS:ReceiveMessage",
                    "SQS:DeleteMessage",
                    "SQS:GetQueueUrl"
                ]
           } ]
        },
        "Path": "/"
     }
  },
  "RootInstanceProfile": {
     "Type": "AWS::IAM::InstanceProfile",
     "Properties": {
        "Path": "/",
        "Roles": [ {
           "Ref": "SQSRole"
        } ]
     }
  }
}
}

It fails with the error "Invalid principal in policy: "SERVICE":"sqs.amazonaws.com"".

I also tried substituting the exact URL of the SQS queue: "SERVICE":"sqs.ap-south-1.amazonaws.com/710161973367/CFI-Trace"

It still gives the same error. Not sure what service to specify for sqs.

1 answer:

Answer 0 (score: 1)

If you are trying to create an IAM role that is assumed by EC2 instances, you should use this:

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "SQSRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "ec2.amazonaws.com"
                ]
              },
              "Action": [
                "sts:AssumeRole"
              ]
            }
          ]
        },
        "Path": "/",
        "Policies": [
          {
            "PolicyName": "SqsAccess",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Sid": "1",
                  "Effect": "Allow",
                  "Action": [
                    "SQS:SendMessage",
                    "SQS:ReceiveMessage",
                    "SQS:DeleteMessage",
                    "SQS:GetQueueUrl"
                  ],
                  "Resource": [
                    "*"
                  ]
                }
              ]
            }
          }
        ]
      }
    },
    "RootInstanceProfile": {
      "Type": "AWS::IAM::InstanceProfile",
      "Properties": {
        "Path": "/",
        "Roles": [
          {
            "Ref": "SQSRole"
          }
        ]
      }
    }
  }
}

Note that the service that will assume your IAM role is now ec2.amazonaws.com. Also, now only the EC2 service is allowed to assume your IAM role (via sts:AssumeRole). Finally, all of your sqs:* actions have been moved into the IAM role's Policies property.
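The answer's point is the split between the two documents on a role: the trust policy (AssumeRolePolicyDocument) says who may assume the role and carries only sts:AssumeRole, while the permissions policy (Policies) says what the role may do. The following is an added example, not code from the question or the answer: a small Python linter that flags the mistakes in the question (SQS actions and an unknown service principal inside the trust policy) and, going one step beyond the answer, also flags the answer's "Resource": "*" so the SQS permissions can be scoped to one queue's ARN. The template dicts, the queue name TraceQueue and the allow-list of role-assuming service principals are constructed for this example.

```python
"""Lint the IAM roles in a CloudFormation template (added example, not from the thread).

Checks:
  1. AssumeRolePolicyDocument (trust policy) grants only sts:AssumeRole* actions and
     names a service principal that can actually assume roles.
  2. Allow statements in Properties.Policies do not use Resource "*".
"""
import json

# Constructed allow-list for this example: service principals that assume IAM roles.
ROLE_ASSUMING_SERVICES = {"ec2.amazonaws.com", "lambda.amazonaws.com", "ecs-tasks.amazonaws.com"}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_template(template: dict) -> list:
    """Return a list of human-readable findings; an empty list means the roles look sane."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        props = res.get("Properties", {})
        trust = props.get("AssumeRolePolicyDocument", {})
        for stmt in _as_list(trust.get("Statement", [])):
            # Trust policies only decide who may assume the role.
            for action in _as_list(stmt.get("Action", [])):
                if not str(action).lower().startswith("sts:assumerole"):
                    findings.append(f"{name}: trust policy action '{action}' belongs in Policies, not the trust policy")
            principal = stmt.get("Principal", {})
            services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
            for svc in services:
                if svc not in ROLE_ASSUMING_SERVICES:
                    findings.append(f"{name}: principal '{svc}' is not a service that assumes roles")
        # Permissions live in Policies; look for overly broad resources there.
        for policy in props.get("Policies", []):
            for stmt in _as_list(policy.get("PolicyDocument", {}).get("Statement", [])):
                if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource", [])):
                    findings.append(f"{name}/{policy.get('PolicyName')}: Allow statement uses Resource '*'; scope it to the queue ARN")
    return findings


# Constructed: the trust policy shape from the question (SQS actions and sqs.amazonaws.com as principal).
QUESTION_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "SQSRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {"Service": ["sqs.amazonaws.com"]},
                        "Action": ["SQS:SendMessage", "SQS:ReceiveMessage", "SQS:DeleteMessage", "SQS:GetQueueUrl"],
                    }],
                },
                "Path": "/",
            },
        }
    },
}

# Constructed: the answer's layout with the SQS permissions scoped to one queue via Fn::GetAtt.
HARDENED_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "TraceQueue": {"Type": "AWS::SQS::Queue"},
        "SQSRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {"Service": ["ec2.amazonaws.com"]},
                        "Action": ["sts:AssumeRole"],
                    }],
                },
                "Path": "/",
                "Policies": [{
                    "PolicyName": "SqsAccess",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Effect": "Allow",
                            "Action": ["sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueUrl"],
                            "Resource": [{"Fn::GetAtt": ["TraceQueue", "Arn"]}],
                        }],
                    },
                }],
            },
        },
        "RootInstanceProfile": {
            "Type": "AWS::IAM::InstanceProfile",
            "Properties": {"Path": "/", "Roles": [{"Ref": "SQSRole"}]},
        },
    },
}


def hardened_template_json() -> str:
    """Serialise the scoped template so it can be handed to CloudFormation as-is."""
    return json.dumps(HARDENED_TEMPLATE, indent=2)


if __name__ == "__main__":
    for finding in lint_template(QUESTION_TEMPLATE):
        print("question:", finding)
    print("hardened:", lint_template(HARDENED_TEMPLATE) or "no findings")
```

Running the linter over the question's template reports each SQS action in the trust policy plus the unknown sqs.amazonaws.com principal; the scoped template reports nothing. Feeding the answer's template through it would produce a single finding for the wildcard Resource, which is the remaining tightening worth doing once the role deploys.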