AWS - Assign an IAM profile based on a mapping lookup in a CF template

Time: 2018-07-17 07:52:33

Tags: amazon-web-services amazon-s3 amazon-cloudformation aws-iam

In a CloudFormation template I have an IAM mapping for the different environments:

Mappings:
  EnvironmentToIAMInstanceProfileARN:
    dev:
      Profile: [ "arn:aws:iam::0000000000:role/AnInstanceProfile" ]
    test:
      Profile: [ "arn:aws:iam::0000000001:role/AppServerInstanceProfile", 
                  "arn:aws:iam::0000000001:role/AppProvisioningRole"]

I am creating an S3 bucket and need to supply the IAM profile as the principal:

 AppS3BucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: !Ref S3NameParam
      PolicyDocument:
        Statement:
          - Sid: 'Restrict access to the IAM Instance ARN'
            Effect: Allow
            Principal: '*' # !FindInMap [EnvironmentToIAMInstanceProfileARN, !Ref 'EnvType', Profile]
            Action: 
              - 's3:GetBucketAcl'
              - 's3:GetBucketLocation'
              - 's3:GetObject'
              - 's3:ListBucket'
              - 's3:PutObject'
            Resource:
              - !Join 
                - ''
                - - 'arn:aws:s3:::'
                  - !Ref S3NameParam
                  - ''
              - !Join 
                - ''
                - - 'arn:aws:s3:::'
                  - !Ref S3NameParam
                  - /*

If I assign '*' to the Principal it works, but I am trying to look up the mapping:

Principal: !FindInMap [EnvironmentToIAMInstanceProfileARN, !Ref 'EnvType', Profile]

This does not work and produces the error:

    Invalid bucket policy syntax. (Service: Amazon S3; Status Code: 400; Error Code: MalformedPolicy;

Does anyone know how I can do this, or why it fails?

PS: the EnvType parameter does exist:

Parameters:
  EnvType:
    Description: Environment Name
    Default: test
    Type: String
    AllowedValues:  [dev, test, prod]

1 answer:

Answer 0 (score: 0)

According to this article, the syntax needs to have Service: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html

JSON:

  "Principal": {
    "Service": [
      "elasticmapreduce.amazonaws.com",
      "datapipeline.amazonaws.com"
    ]
  }

However, following some other documentation, I worked out that it is AWS rather than Service:

JSON:

  "Principal": {
    "AWS": [
      "elasticmapreduce.amazonaws.com",
      "datapipeline.amazonaws.com"
    ]
  }

YAML solution:

  Principal:
     AWS: 
       !FindInMap [EnvironmentToIAMInstanceProfileARN, !Ref 'EnvType', Profile]
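The MalformedPolicy error comes from the shape of the Principal element, not from the mapping: S3 accepts Principal only as the string '*' or as a map keyed by AWS, Service, Federated or CanonicalUser, and !FindInMap on its own returns a bare list. The script below, an added example that is not part of the question or the answer, resolves the question's mapping the way the template does, emits the policy document S3 would receive in both the failing and the working shape, and lints the Principal before deployment. It also flags the two things a reviewer would want checked here: the Principal '*' with Effect Allow that "worked" grants GetObject and PutObject to every AWS identity and to anonymous callers, and an instance-profile ARN is never a valid principal (the role behind it is, which is what the question's mapping already contains). The account IDs are 12-digit placeholders substituted for the question's redacted 10-digit ones, and the bucket name and the lint rules are the example's own assumptions. Note that the Parameters block allows prod but the mapping has no prod key, so a prod stack fails at FindInMap; the example reproduces that as a KeyError.

```python
"""Resolve a CloudFormation Mappings entry into a concrete S3 bucket policy and
lint the Principal element before S3 rejects it with MalformedPolicy."""
import json
import re

# Copied from the question's Mappings section, with 12-digit placeholder account
# IDs substituted (assumption: the question's 10-digit IDs are redacted).
MAPPINGS = {
    "EnvironmentToIAMInstanceProfileARN": {
        "dev": {"Profile": ["arn:aws:iam::000000000000:role/AnInstanceProfile"]},
        "test": {"Profile": ["arn:aws:iam::111111111111:role/AppServerInstanceProfile",
                             "arn:aws:iam::111111111111:role/AppProvisioningRole"]},
    }
}

ACTIONS = ["s3:GetBucketAcl", "s3:GetBucketLocation", "s3:GetObject",
           "s3:ListBucket", "s3:PutObject"]

# Principals accepted under the "AWS" key: account root, a user, a role, an
# assumed-role session, a bare account ID, or "*". Instance-profile ARNs are
# deliberately absent: an instance profile is not a principal, its role is.
IAM_PRINCIPAL_RE = re.compile(
    r"^(\*|\d{12}"
    r"|arn:aws:iam::\d{12}:(root|user/\S+|role/\S+)"
    r"|arn:aws:sts::\d{12}:assumed-role/\S+/\S+)$")
VALID_KEYS = {"AWS", "Service", "Federated", "CanonicalUser"}


def find_in_map(map_name, top_key, second_key):
    """Emulate !FindInMap: return the mapped value or fail like CloudFormation
    does when the key (for example 'prod') is missing from the mapping."""
    try:
        return MAPPINGS[map_name][top_key][second_key]
    except KeyError as exc:
        raise KeyError(f"FindInMap: no entry {map_name}/{top_key}/{second_key}") from exc


def build_policy(bucket, principal):
    """Build the resolved PolicyDocument for `bucket`. `principal` is whatever the
    template placed in the Principal element; passing a bare list reproduces
    the question's failing template."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Restrict access to the IAM Instance ARN",
            "Effect": "Allow",
            "Principal": principal,
            "Action": ACTIONS,
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def lint_policy(doc):
    """Return a list of findings about the Principal elements; empty means clean."""
    findings = []
    for stmt in doc["Statement"]:
        sid = stmt.get("Sid", "?")
        p = stmt.get("Principal")
        if p == "*":
            if stmt["Effect"] == "Allow":
                findings.append(f"{sid}: Principal '*' with Allow grants these actions "
                                "to every AWS identity and to anonymous callers")
            continue
        if not isinstance(p, dict):
            # The shape a bare !FindInMap produces: S3 answers MalformedPolicy.
            findings.append(f"{sid}: Principal must be '*' or a map such as "
                            f"{{'AWS': [...]}}, got {type(p).__name__}")
            continue
        for key, values in p.items():
            if key not in VALID_KEYS:
                findings.append(f"{sid}: unknown Principal key {key!r}")
                continue
            for v in [values] if isinstance(values, str) else values:
                if key == "AWS" and not IAM_PRINCIPAL_RE.match(v):
                    findings.append(f"{sid}: {v!r} is not an IAM principal ARN "
                                    "(instance profiles cannot be principals; use the role)")
    return findings


def resolved_policy(env, bucket, wrap_in_aws=True):
    """Resolve the mapping for `env` as the template does. wrap_in_aws=False
    reproduces the question's failing Principal; True is the answer's fix."""
    arns = find_in_map("EnvironmentToIAMInstanceProfileARN", env, "Profile")
    return build_policy(bucket, {"AWS": arns} if wrap_in_aws else arns)


if __name__ == "__main__":
    for wrap in (False, True):
        doc = resolved_policy("test", "my-app-bucket", wrap_in_aws=wrap)
        print(json.dumps(doc["Statement"][0]["Principal"]))
        print("  findings:", lint_policy(doc) or "none")
    print("  findings:", lint_policy(build_policy("my-app-bucket", "*")))
```

Running the script prints the bare-list Principal with its MalformedPolicy-style finding, then the `{"AWS": [...]}` form with no findings, then the public-access finding for the '*' principal. The lint is deliberately stricter than S3 itself on one point: S3 would accept an instance-profile ARN only after failing the stack with a "Invalid principal in policy" error at deploy time, whereas the regex rejects it before anything is submitted.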