Attaching a policy to an IAM role

Time: 2017-01-03 00:58:04

Tags: amazon-web-services amazon-sqs amazon-cloudformation amazon-iam

The following CloudFormation template gives an error on line 9:

{
  "AWSTemplateFormatVersion" : "2010-09-09",
  "Description" : "Policy to allow send receive message from SQS Queue",
  "Resources" : {
    "MyPolicy" : {
      "Type" : "AWS::IAM::Policy",
      "Properties" : {
        "PolicyName" : "CFUsers",
        "Roles": [ { "arn:aws:iam::710161973367:role/Cognito_CFIAuth_Role" } ],
        "PolicyDocument" : {
          "Version" : "2012-10-17",
          "Statement": [
            {
              "Sid": "Sid1482400105445",
              "Effect": "Allow",
              "Principal": {
                "AWS": "arn:aws:iam::710161973367:role/Cognito_CFIAuth_Role"
              },
              "Action": [
                "SQS:SendMessage",
                "SQS:ReceiveMessage",
                "SQS:DeleteMessage",
                "SQS:GetQueueUrl"
              ],
              "Resource": "arn:aws:sqs:ap-south-1:710161973367:CFI-Trace"
            }
          ]
        }
      }
    }
  }

I want the role Cognito_CFIAuth_Role to have send/receive/delete message privileges on the SQS queue CFI-Trace. How do I attach SQS action permissions to an IAM role?

3 answers:

Answer 0 (score: 2)

First, line 9 contains a JSON syntax error; the curly braces {} around the role string should be removed:

        "Roles": [ "arn:aws:iam::710161973367:role/Cognito_CFIAuth_Role" ],

Second, the Roles property of AWS::IAM::Policy accepts "the names of the AWS::IAM::Roles to attach to this policy", not full ARNs, so your line should be:

        "Roles": [ "Cognito_CFIAuth_Role" ],

Your example is also missing a closing brace } at the end.

Answer 1 (score: 1)

With the "AWS::IAM::Policy" resource you are creating an inline policy. http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html explains that this lists "the names of AWS::IAM::Roles", which I read as the logical names of role resources defined in the same stack.

If you want to attach a policy to a pre-existing role, you should use the ManagedPolicy type. http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-roles takes the names of pre-existing roles.
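The two mistakes pointed out in Answer 0 (an ARN instead of a role name in Roles, and the stray braces) are the kind of thing a template linter catches before a stack update fails. The following is an added example, not code from either answer or from AWS: it parses a CloudFormation template as a Python dict and flags ARNs or non-intrinsic objects in the Roles list of AWS::IAM::Policy / AWS::IAM::ManagedPolicy resources. It also flags a third problem visible in the question but not raised by the answers: an identity-based policy document must not contain a Principal element (IAM rejects it; Principal belongs only in resource-based policies such as an SQS queue policy). The sample template is constructed from the question with its JSON syntax error already repaired; the function and variable names are this example's own.

```python
"""Lint the IAM policy resources of a parsed CloudFormation template.

Added example. Checks for (1) ARNs or stray objects in "Roles", which must
hold role names or intrinsic functions such as {"Ref": ...}, and (2) a
"Principal" element inside an identity-based policy document, which IAM
rejects for AWS::IAM::Policy and AWS::IAM::ManagedPolicy.
"""
import copy
import re

IDENTITY_POLICY_TYPES = {"AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"}
ROLE_ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/")

# Constructed sample: the question's template with its JSON syntax error
# repaired, but with the ARN-in-Roles and Principal mistakes left in place.
QUESTION_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "MyPolicy": {
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "PolicyName": "CFUsers",
                "Roles": ["arn:aws:iam::710161973367:role/Cognito_CFIAuth_Role"],
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Sid": "Sid1482400105445",
                        "Effect": "Allow",
                        "Principal": {"AWS": "arn:aws:iam::710161973367:role/Cognito_CFIAuth_Role"},
                        "Action": ["SQS:SendMessage", "SQS:ReceiveMessage",
                                   "SQS:DeleteMessage", "SQS:GetQueueUrl"],
                        "Resource": "arn:aws:sqs:ap-south-1:710161973367:CFI-Trace",
                    }],
                },
            },
        }
    },
}


def _statements(policy_document):
    """IAM allows "Statement" to be a single object or a list; normalise to a list."""
    stmts = policy_document.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def lint_iam_policies(template):
    """Return a list of (logical_id, message) findings; an empty list means clean."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") not in IDENTITY_POLICY_TYPES:
            continue
        props = resource.get("Properties", {})
        for entry in props.get("Roles", []):
            if isinstance(entry, str):
                if ROLE_ARN_RE.match(entry):
                    findings.append((logical_id, f"Roles entry {entry!r} is an ARN; use the role name"))
            elif isinstance(entry, dict):
                # Objects are only valid here as intrinsic functions (Ref, Fn::GetAtt, ...)
                if not all(k == "Ref" or k.startswith("Fn::") for k in entry):
                    findings.append((logical_id, f"Roles entry {entry!r} is neither a role name nor an intrinsic function"))
            else:
                findings.append((logical_id, f"Roles entry {entry!r} has an unexpected type"))
        for stmt in _statements(props.get("PolicyDocument", {})):
            if "Principal" in stmt or "NotPrincipal" in stmt:
                findings.append((logical_id, "identity-based policy statements must not contain Principal"))
    return findings


def fix_iam_policies(template):
    """Return a corrected deep copy: role ARNs become names, Principal is dropped."""
    fixed = copy.deepcopy(template)
    for resource in fixed.get("Resources", {}).values():
        if resource.get("Type") not in IDENTITY_POLICY_TYPES:
            continue
        props = resource.get("Properties", {})
        if "Roles" in props:
            # The role name is the last path segment of arn:aws:iam::<acct>:role/<path>/<name>
            props["Roles"] = [
                entry.rsplit("/", 1)[-1] if isinstance(entry, str) and ROLE_ARN_RE.match(entry) else entry
                for entry in props["Roles"]
            ]
        for stmt in _statements(props.get("PolicyDocument", {})):
            stmt.pop("Principal", None)
            stmt.pop("NotPrincipal", None)
    return fixed


if __name__ == "__main__":
    for logical_id, message in lint_iam_policies(QUESTION_TEMPLATE):
        print(f"{logical_id}: {message}")
    print("after fix:", lint_iam_policies(fix_iam_policies(QUESTION_TEMPLATE)))
```

Run it with `json.load` on a real template file in place of QUESTION_TEMPLATE to get the same findings on your own stacks; whether the corrected resource should be AWS::IAM::Policy (role defined in the same stack, referenced with Ref) or AWS::IAM::ManagedPolicy (pre-existing role, referenced by name) is the distinction Answer 1 draws, and the linter accepts both forms.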

Answer 2 (score: 0)

The CloudFormation type IAM::Policy is for users and groups. Roles and instance profiles are for EC2. You are mixing two ideas. If you have a role predefined in a different CFN template, then you just use it in the EC2 instance's instance profile; if not, you can create it as well and then reference it:

"RootInstanceProfile": {
  "Type": "AWS::IAM::InstanceProfile",
  "Properties": {
    "Path": "/",
    "Roles": [ "Cognito_CFIAuth_Role" ]
  }
}

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "SQSRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "ec2.amazonaws.com"
                ]
              },
              "Action": [
                "sts:AssumeRole"
              ]
            }
          ]
        },
        "Path": "/",
        "Policies": [
          {
            "PolicyName": "root",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [
                    "SQS:SendMessage",
                    "SQS:ReceiveMessage",
                    "SQS:DeleteMessage",
                    "SQS:GetQueueUrl"
                  ],
                  "Resource": "arn:aws:sqs:ap-south-1:710161973367:CFI-Trace"
                }
              ]
            }
          }
        ]
      }
    },
    "RootInstanceProfile": {
      "Type": "AWS::IAM::InstanceProfile",
      "Properties": {
        "Path": "/",
        "Roles": [
          {
            "Ref": "SQSRole"
          }
        ]
      }
    }
  }
}

IAM Policy

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-policy.html

IAM Role http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html

And now there is also the SQS policy http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-policy.html