The error I get when deploying the stack:
Syntax errors in policy. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID:
This is my role policy, which causes the error:
roleEc2:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        -
          Effect: Allow
          Principal:
            Service:
              - 'ec2.amazonaws.com'
          Action:
            - 'sts:AssumeRole'
    Path: '/'
    Policies:
      -
        PolicyName: 'bucket-access'
        PolicyDocument:
          Version: '2012-10-17'
          Id: 'BucketPolicy'
          Statement:
            - Effect: Allow
              Action:
                - s3:ListBucket
                - s3:GetObject
                - s3:GetBucketLocation
              Resource:
                - arn:aws:s3:::code-dir
                - arn:aws:s3:::code-dir/*
              Principal: !Ref BucketPrincipal
I don't know how to debug this, and I don't know how to work out where the error is or on which line.
Answer 0: (score: 1)
(I know it has been a year, but still...) A nice tool I like to use is cfn-lint: https://github.com/aws-cloudformation/cfn-python-lint Run it on your template and it will show you what you are doing wrong and on which line:
Problems in the code: no first four lines, and no Principal in an IAM policy (the last line).
---
AWSTemplateFormatVersion: '2010-09-09'
Description: AoD CloudFormation Template Detective Controls
Resources:
  roleEc2:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: Allow
            Principal:
              Service:
                - 'ec2.amazonaws.com'
            Action:
              - 'sts:AssumeRole'
      Path: '/'
      Policies:
        -
          PolicyName: 'bucket-access'
          PolicyDocument:
            Version: '2012-10-17'
            Id: 'BucketPolicy'
            Statement:
              - Effect: Allow
                Action:
                  - s3:ListBucket
                  - s3:GetObject
                  - s3:GetBucketLocation
                Resource:
                  - arn:aws:s3:::code-dir
                  - arn:aws:s3:::code-dir/*
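The two Principal rules behind this error, as an added pre-deploy check that is not part of the answer above and not cfn-lint: a role's trust policy (AssumeRolePolicyDocument) must name a Principal, while an identity-based inline policy under Policies must not, since the role itself is the principal. `find_policy_errors` and the BROKEN template dict are hypothetical, constructed to mirror the asker's resource.

```python
# Added check (not cfn-lint): a trust policy must name a Principal, an
# identity-based inline policy must not. Template is a constructed dict
# mirroring the question's role, so no YAML parser is needed.

ROLE_TYPES = {"AWS::IAM::Role", "AWS::IAM::User", "AWS::IAM::Group"}


def _statements(doc):
    # IAM accepts a single statement object or a list of them.
    stmts = doc.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def find_policy_errors(template):
    """Return human-readable problems found in a CloudFormation template dict."""
    errors = [f"missing top-level key {k}"
              for k in ("AWSTemplateFormatVersion", "Resources") if k not in template]
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") not in ROLE_TYPES:
            continue
        props = res.get("Properties", {})
        # Trust policy: a Principal is required (who may assume the role).
        for i, st in enumerate(_statements(props.get("AssumeRolePolicyDocument", {}))):
            if not (st.keys() & {"Principal", "NotPrincipal"}):
                errors.append(f"{name}: trust statement {i} has no Principal")
        # Inline identity policies: the role is the principal, so none is allowed.
        for pol in props.get("Policies", []):
            for i, st in enumerate(_statements(pol.get("PolicyDocument", {}))):
                for bad in sorted(st.keys() & {"Principal", "NotPrincipal"}):
                    errors.append(f"{name}/{pol.get('PolicyName')}: statement {i} "
                                  f"must not contain {bad}")
    return errors


# Constructed: the question's resource without the first four template lines
# and with the stray Principal on the inline policy statement.
BROKEN = {"Resources": {"roleEc2": {
    "Type": "AWS::IAM::Role",
    "Properties": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": {"Service": ["ec2.amazonaws.com"]},
             "Action": ["sts:AssumeRole"]}]},
        "Policies": [{"PolicyName": "bucket-access", "PolicyDocument": {
            "Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
                 "Resource": ["arn:aws:s3:::code-dir", "arn:aws:s3:::code-dir/*"],
                 "Principal": {"Ref": "BucketPrincipal"}}]}}]}}}}

print("\n".join(find_policy_errors(BROKEN)))
```

Running it reports the missing AWSTemplateFormatVersion and the forbidden Principal on statement 0 of bucket-access, which is the line the question's error message never pointed at.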