Unable to create an encryption key with CloudFormation

Time: 2017-09-20 11:51:19

Tags: amazon-web-services amazon-cloudformation amazon-iam aws-kms amazon-kms

I am trying to create an encryption key with CloudFormation. So, just to test, I have a very simple one like this:

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Creates a KMS key and attaches a policy similar to the default policy. Also, creates two Roles which allow encryption and decryption under this key.",
    "Parameters": {
        "UserPrincipal": {
            "Type": "String",
            "Default": "user/datadog"
        }
    },
    "Resources": {
        "DemonstrationKey": {
            "Type": "AWS::KMS::Key",
            "Properties": {
                "KeyPolicy": {
                    "Id": "DefaultKmsPolicy",
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Sid": "Enable IAM User Permissions",
                        "Effect": "Allow",
                        "Principal": {
                            "AWS": [{
                                "Fn::Join": [
                                    ":", [
                                        "arn:aws:iam:",
                                        {
                                            "Ref": "AWS::AccountId"
                                        },
                                        "root"
                                    ]
                                ]
                            }]
                        },
                        "Action": "kms:*",
                        "Resource": "*"
                    }]
                }
            }
        }
    },
    "Outputs": {
        "KeyID": {
            "Description": "Key ID",
            "Value": {
                "Ref": "DemonstrationKey"
            }
        }
    }
}

It works fine, but that isn't what I want. Instead, I want to attach an existing policy to it, e.g. like this:

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Creates a KMS key and attaches a policy similar to the default policy. Also, creates two Roles which allow encryption and decryption under this key.",
    "Parameters": {
        "UserPrincipal": {
            "Type": "String",
            "Default": "user/datadog"
        }
    },
    "Resources": {
        "DemonstrationKey": {
            "Type": "AWS::KMS::Key",
            "Properties": {
                "KeyPolicy": "arn:aws:iam::******:policy/testtestpol1"
            }
        }
    },
    "Outputs": {
        "KeyID": {
            "Description": "Key ID",
            "Value": {
                "Ref": "DemonstrationKey"
            }
        }
    }
}

But this doesn't work; I get the following error:

MalformedPolicyDocumentException

Can anyone help me? Is this possible?
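The second template fails because the KeyPolicy property of AWS::KMS::Key must be an inline policy document (a JSON object, or a string containing JSON), not the ARN of an IAM managed policy; that is what MalformedPolicyDocumentException reports. The following is an added example, not code from the question or from AWS: a small Python linter that catches that mistake in a template before deployment and also checks the document shape that the first template gets right, including the account-root statement that keeps a key manageable. The account id, the key_template helper and the two sample policies are constructed for the example; resolve() handles only Ref AWS::AccountId, Fn::Join and the string form of Fn::Sub, which is an assumption of the example.

```python
import json

# Constructed account id used wherever a template refers to AWS::AccountId
# (placeholder, not a real account).
ACCOUNT_ID = "123456789012"


def resolve(value, account_id=ACCOUNT_ID):
    """Resolve the few CloudFormation intrinsics that show up in key policies:
    Ref AWS::AccountId, Fn::Join and the string form of Fn::Sub.
    Anything else is returned unchanged (assumption: no other pseudo parameters)."""
    if isinstance(value, dict) and len(value) == 1:
        key, arg = next(iter(value.items()))
        if key == "Ref" and arg == "AWS::AccountId":
            return account_id
        if key == "Fn::Join":
            sep, parts = arg
            return sep.join(str(resolve(p, account_id)) for p in parts)
        if key == "Fn::Sub" and isinstance(arg, str):
            return arg.replace("${AWS::AccountId}", account_id)
    return value


def principal_is_account_root(principal, account_id=ACCOUNT_ID):
    """True if the statement's AWS principal names the account root
    (full ARN or bare account id; KMS accepts both forms)."""
    if not isinstance(principal, dict) or "AWS" not in principal:
        return False
    entries = principal["AWS"]
    if not isinstance(entries, list):
        entries = [entries]
    root_forms = {f"arn:aws:iam::{account_id}:root", account_id}
    return any(resolve(e, account_id) in root_forms for e in entries)


def check_key_policy(policy):
    """Return a list of findings for one KeyPolicy value; an empty list means OK."""
    findings = []
    if isinstance(policy, str):
        # An IAM policy ARN is not a policy document: this is the template shape
        # that KMS rejects with MalformedPolicyDocumentException.
        if policy.startswith("arn:aws:iam:"):
            findings.append("KeyPolicy is an IAM policy ARN; KMS needs an inline policy document")
            return findings
        try:
            policy = json.loads(policy)  # a JSON string is also accepted by CloudFormation
        except ValueError:
            findings.append("KeyPolicy string is not valid JSON")
            return findings
    if not isinstance(policy, dict):
        findings.append("KeyPolicy must be a JSON object")
        return findings
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17")
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        findings.append("Statement must be a non-empty list")
        return findings
    root_allowed = False
    for i, st in enumerate(statements):
        for field in ("Effect", "Principal", "Action", "Resource"):
            if field not in st:
                findings.append(f"Statement[{i}] is missing {field}")
        if st.get("Effect") == "Allow" and principal_is_account_root(st.get("Principal")):
            root_allowed = True
    if not root_allowed:
        # Without an Allow for the account root, IAM policies cannot grant access
        # to the key and the key can become unmanageable.
        findings.append("no statement allows the account root principal; key may become unmanageable")
    return findings


def lint_template(template):
    """Map each AWS::KMS::Key logical id in the template to its findings."""
    results = {}
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::KMS::Key":
            results[name] = check_key_policy(res.get("Properties", {}).get("KeyPolicy"))
    return results


def key_template(key_policy):
    """Minimal template around one AWS::KMS::Key (constructed test input)."""
    return {"Resources": {"DemonstrationKey": {"Type": "AWS::KMS::Key",
                                               "Properties": {"KeyPolicy": key_policy}}}}


# The working key policy from the question, as a Python dict.
ROOT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Enable IAM User Permissions", "Effect": "Allow",
                   "Principal": {"AWS": [{"Fn::Join": [":", ["arn:aws:iam:", {"Ref": "AWS::AccountId"}, "root"]]}]},
                   "Action": "kms:*", "Resource": "*"}]}

# The failing shape: a managed-policy ARN where a document is required (constructed account id).
ARN_AS_POLICY = "arn:aws:iam::123456789012:policy/testtestpol1"

if __name__ == "__main__":
    for label, kp in (("inline document", ROOT_POLICY), ("policy ARN", ARN_AS_POLICY)):
        print(label, lint_template(key_template(kp)))
```

Running the linter over the two shapes reports no findings for the inline document and one finding for the ARN string; the same check fits a pre-deploy step such as a pull-request hook that parses templates with json before they ever reach CloudFormation.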

0 answers:

No answers