如何调试cloudformation模板?策略中的语法错误。 YAML文件

时间:2018-08-23 09:48:36

标签: amazon-web-services configuration amazon-cloudformation amazon-iam

我在部署堆栈时遇到的错误:

Syntax errors in policy. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 

这是我的角色政策,会导致错误:

  roleEc2:
Type: AWS::IAM::Role
Properties:
  AssumeRolePolicyDocument:
    Version: "2012-10-17"
    Statement:
      -
        Effect: Allow
        Principal:
          Service:
            - 'ec2.amazonaws.com'
        Action:
            - 'sts:AssumeRole'
  Path: '/'
  Policies:
    -
      PolicyName: 'bucket-access'
      PolicyDocument:
        Version: '2012-10-17'
        Id: 'BucketPolicy'
        Statement:
        - Effect: Allow
          Action:
          - s3:ListBucket
          - s3:GetObject
          - s3:GetBucketLocation
          Resource:
          - arn:aws:s3:::code-dir
          - arn:aws:s3:::code-dir/*
          Principal: !Ref BucketPrincipal

我不知道如何调试它,我也不知道如何理解错误在哪里,什么行号。

1 个答案:

答案 0 :(得分:1)

(我知道已经过了一年,但是仍然...)我喜欢使用的一个很好的工具是cfn-lint:https://github.com/aws-cloudformation/cfn-python-lint在您的模板上运行它,它将显示出您在做什么错,在哪一行:

代码中的问题:没有前四行,IAM策略中没有主体(最后一行)。

---
AWSTemplateFormatVersion: '2010-09-09'
Description: AoD CloudFormation Template Detective Controls
Resources:
  roleEc2:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: Allow
            Principal:
              Service:
                - 'ec2.amazonaws.com'
            Action:
                - 'sts:AssumeRole'
      Path: '/'
      Policies:
        -
          PolicyName: 'bucket-access'
          PolicyDocument:
            Version: '2012-10-17'
            Id: 'BucketPolicy'
            Statement:
            - Effect: Allow
              Action:
              - s3:ListBucket
              - s3:GetObject
              - s3:GetBucketLocation
              Resource:
              - arn:aws:s3:::code-dir
              - arn:aws:s3:::code-dir/*