The following CloudFormation template gives an error on line 9:
{
  "AWSTemplateFormatVersion" : "2010-09-09",
  "Description" : "Policy to allow send receive message from SQS Queue",
  "Resources" : {
    "MyPolicy" : {
      "Type" : "AWS::IAM::Policy",
      "Properties" : {
        "PolicyName" : "CFUsers",
        "Roles": [ { "arn:aws:iam::710161973367:role/Cognito_CFIAuth_Role" } ],
        "PolicyDocument" : {
          "Version" : "2012-10-17",
          "Statement": [
            {
              "Sid": "Sid1482400105445",
              "Effect": "Allow",
              "Principal": {
                "AWS": "arn:aws:iam::710161973367:role/Cognito_CFIAuth_Role"
              },
              "Action": [
                "SQS:SendMessage",
                "SQS:ReceiveMessage",
                "SQS:DeleteMessage",
                "SQS:GetQueueUrl"
              ],
              "Resource": "arn:aws:sqs:ap-south-1:710161973367:CFI-Trace"
            }
          ]
        }
      }
    }
  }
I want the role Cognito_CFIAuth_Role to have send/read/delete message privileges on the SQS queue CFI-Trace. How do I attach SQS action permissions to an IAM role?
Answer 0 (score: 2)
First, line 9 contains a JSON syntax error; the braces {} around the role string should be removed:
    "Roles": [ "arn:aws:iam::710161973367:role/Cognito_CFIAuth_Role" ],
Second, the Roles property of AWS::IAM::Policy accepts "the names of AWS::IAM::Roles to attach to this policy", not full ARNs, so your line should be:
    "Roles": [ "Cognito_CFIAuth_Role" ],
Your example is also missing a closing brace } at the end.
Answer 1 (score: 1)
With the "AWS::IAM::Policy" resource you are creating an inline policy. http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html explains that this lists "the names of AWS::IAM::Roles", which I read as the logical names of role resources defined in the same stack.
If you want to attach the policy to a pre-existing role, you should use the ManagedPolicy type. http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-roles takes the names of pre-existing roles.
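As an added example that is not part of the question or of either answer, the following Python script builds a template with the fixes from the two answers above applied (plain role names in Roles instead of braced ARNs, and a managed policy for a role that already exists) and runs a small lint over a parsed template that flags the mistakes in the question. It also drops the "Principal" element, which an identity-based policy attached to a role cannot carry: the role itself is the principal. The account id, queue ARN and role name are taken from the question; the logical resource name CFITraceQueuePolicy, the Sid and the lint function are assumptions of this example, not anything from AWS or the page.

```python
import json

# Constructed values taken from the question: the account id, the queue and the
# pre-existing role. Nothing here is the asker's template or AWS's own code.
ACCOUNT_ID = "710161973367"
QUEUE_ARN = f"arn:aws:sqs:ap-south-1:{ACCOUNT_ID}:CFI-Trace"
ROLE_NAME = "Cognito_CFIAuth_Role"          # Roles takes the role *name*, not its ARN
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/{ROLE_NAME}"

# Only the four queue operations the question asks for, on that one queue.
SQS_ACTIONS = [
    "sqs:SendMessage",
    "sqs:ReceiveMessage",
    "sqs:DeleteMessage",
    "sqs:GetQueueUrl",
]

IAM_ROLE_CONSUMERS = {"AWS::IAM::Policy", "AWS::IAM::ManagedPolicy", "AWS::IAM::InstanceProfile"}


def json_syntax_error(text):
    """Return the parser's message if `text` is not valid JSON, else None.

    This is the first answer's point 1: `[ { "arn:..." } ]` is an object with a
    key and no value, so the template is rejected before CloudFormation sees it.
    """
    try:
        json.loads(text)
    except json.JSONDecodeError as exc:
        return str(exc)
    return None


def sqs_policy_document():
    """Identity-based policy document granting the four SQS actions on CFI-Trace.

    An identity-based policy (inline or managed, attached to a role) carries no
    "Principal" element: the role it is attached to is the principal.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCFITraceQueue",   # constructed Sid
                "Effect": "Allow",
                "Action": SQS_ACTIONS,
                "Resource": QUEUE_ARN,
            }
        ],
    }


def corrected_template():
    """Attach the SQS policy to the existing role with a managed policy (answer 1)."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": "Allow Cognito_CFIAuth_Role to send/receive/delete on CFI-Trace",
        "Resources": {
            "CFITraceQueuePolicy": {          # constructed logical name
                "Type": "AWS::IAM::ManagedPolicy",
                "Properties": {
                    "Roles": [ROLE_NAME],     # names, not ARNs, and no wrapping {}
                    "PolicyDocument": sqs_policy_document(),
                },
            }
        },
    }


def lint_iam_resources(template):
    """Flag the mistakes from the question in an already-parsed template.

    Returns a list of human-readable problems; an empty list means none found.
    """
    problems = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") not in IAM_ROLE_CONSUMERS:
            continue
        props = resource.get("Properties", {})
        for entry in props.get("Roles", []):
            if isinstance(entry, dict) and set(entry) == {"Ref"}:
                continue  # {"Ref": "SomeRole"} to a role in the same stack is fine
            if not isinstance(entry, str):
                problems.append(f"{logical_id}: Roles entry is not a role name: {entry!r}")
            elif entry.startswith("arn:"):
                problems.append(f"{logical_id}: Roles takes role names, not ARNs: {entry}")
        statements = props.get("PolicyDocument", {}).get("Statement", [])
        for stmt in statements:
            if "Principal" in stmt:
                problems.append(f"{logical_id}: identity-based policy must not contain Principal")
    return problems


if __name__ == "__main__":
    print(json.dumps(corrected_template(), indent=2))
    print("lint:", lint_iam_resources(corrected_template()))
```

Running the script prints the corrected template and an empty lint result; feeding `lint_iam_resources` the question's own template (after parsing) reports both the ARN in Roles and the stray Principal. The lint accepts `{"Ref": ...}` entries because that is the form the third answer uses for a role created in the same stack.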
Answer 2 (score: 0)
The CloudFormation type IAM::Policy is for users and groups. Roles and instance profiles are for EC2. You are mixing two ideas. If you have a role predefined in a different CFN stack, then you just use an instance profile for the EC2 instance; if not, you can also create it and then reference it:
"RootInstanceProfile": {
  "Type": "AWS::IAM::InstanceProfile",
  "Properties": {
    "Path": "/",
    "Roles": [ "Cognito_CFIAuth_Role" ]
  }
}
or
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "SQSRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "ec2.amazonaws.com"
                ]
              },
              "Action": [
                "sts:AssumeRole"
              ]
            }
          ]
        },
        "Path": "/",
        "Policies": [
          {
            "PolicyName": "root",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [
                    "SQS:SendMessage",
                    "SQS:ReceiveMessage",
                    "SQS:DeleteMessage",
                    "SQS:GetQueueUrl"
                  ],
                  "Resource": "arn:aws:sqs:ap-south-1:710161973367:CFI-Trace"
                }
              ]
            }
          }
        ]
      }
    },
    "RootInstanceProfile": {
      "Type": "AWS::IAM::InstanceProfile",
      "Properties": {
        "Path": "/",
        "Roles": [
          {
            "Ref": "SQSRole"
          }
        ]
      }
    }
  }
}
IAM Policy
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-policy.html
IAM Role http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html
Now there is also an SQS policy http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-policy.html