Federated AWS CDK IAM and user IamRoleAccess?

Time: 2018-10-18 18:41:24

Tags: amazon-web-services roles amazon-iam aws-cdk

I would like to know how to set the assume role policy document to something more complex than a service...

This is what I have found so far; maybe it can be used:

#include <atomic>
#include <chrono>
#include <condition_variable>
#include <iostream>
#include <mutex>
#include <thread>

std::mutex m;
std::condition_variable cv;
std::atomic_bool state;

void worker_thread()
{
    std::this_thread::sleep_for(std::chrono::seconds(5)); // do some work here
    std::lock_guard<std::mutex> lk(m); // prevents cv from being notified before the waiter is in the wait state
    state.store(true);      
    cv.notify_one();
}

int main()
{
    state.store(false); // set initial state
    std::thread worker(worker_thread);

    std::cout << "Start waiting..." << std::endl;
    std::unique_lock<std::mutex> lk(m);
    cv.wait(lk, [] {
        return state.load(); // returns false if waiting should continue
    });
    std::cout << "Finished waiting..." << std::endl;

    worker.join();

    std::cin.get();
    return 0;
}

But I want to add something like this:

def firstPipelineCreator = loadScript("firstPipelineCreator")
firstPipelineCreator.createPipeline()

I don't know how to achieve this... Can you help me?

OK, one can do something like this:

rootDir = "" + SEED_JOB.workspace
jobDsl = this

def loadScript(String scriptName) {
    // Create the binding and put there the variables/methods that will be available
    // in every script that has been loaded via loadScript
    scriptBindings = new Binding(this.binding.variables)
    scriptBindings.setVariable("jobDsl", jobDsl)
    scriptBindings.setVariable("rootDir", rootDir)
    scriptBindings.setVariable("loadScript", this.&loadScript)
    scriptBindings.setVariable("logInfo", this.&logInfo)
    scriptBindings.setVariable("logDebug", this.&logDebug)
    shell = new GroovyShell(scriptBindings)

    logDebug "Loading script '" + scriptName + ".groovy" + "'"

    script = shell.parse(new File(rootDir, scriptName + ".groovy"))
    return script.run() // The script should have 'return this' as the last statement
}

def logInfo(text) {
    println "[INFO ] " + text
}

def logDebug(text) {
    println "[DEBUG] " + text
}

That was easy :-/ But now I want to add two roles with the action sts:AssumeRole, and I don't know how to add another principal...

2 answers:

Answer 0 (score: 1)

Luckily, https://github.com/aws/aws-cdk/pull/1377 provides the fix we need. You can now use aws_iam.CompositePrincipal to add multiple principals, including service principals.

For example, a Data Pipeline role in Python:

pipeline_role = aws_iam.Role(
    scope=self, id='pipeline-role',
    role_name='pipeline',
    assumed_by=aws_iam.CompositePrincipal(
        aws_iam.ServicePrincipal('datapipeline.amazonaws.com'),
        aws_iam.ServicePrincipal('elasticmapreduce.amazonaws.com')
    )
)

Answer 1 (score: 0)

The documentation for iam.RoleProps#assumedBy mentions that you can access the assume role policy through the iam.Role#assumeRolePolicy property. You could try the following:

this.TestRole = new iam.Role(this, 'Test', {
  assumedBy: new iam.FederatedPrincipal(/*...*/),
  /* ... */
});
this.TestRole.assumeRolePolicy.addStatement(
  new iam.PolicyStatement().allow()
                           .addAction('sts:AssumeRole')
                           .addAwsPrincipal('arn:aws:iam::account1:role/Role1')
                           .addAwsPrincipal('arn:aws:iam::account2:role/Role2')
);
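Both answers end up producing a trust (assume-role) policy document with more than one principal; what actually reaches IAM is plain JSON, and that is what should be reviewed before deployment. The following is an added example (not code from the question or either answer, and not CDK's own implementation) that builds such a document for the service principals of answer 0 and the cross-account role ARNs of answer 1, and then checks the result for the things a reviewer would reject: wildcard principals, malformed ARNs, and actions beyond the sts:Assume* family. The principal patterns and the one-statement-per-principal-type layout are assumptions; an actual CDK synth may group statements differently.

```python
import re
from typing import Iterable

# Principal shapes accepted here: a 12-digit account id, an IAM root/role/user
# ARN, or an AWS service hostname (constructed checks, not CDK's own logic).
_AWS_RE = re.compile(r"^(\d{12}|arn:aws:iam::\d{12}:(root|(role|user)/[\w+=,.@/-]+))$")
_SERVICE_RE = re.compile(r"^[a-z0-9.-]+\.amazonaws\.com$")
_ASSUME_ACTIONS = {"sts:AssumeRole", "sts:AssumeRoleWithSAML",
                   "sts:AssumeRoleWithWebIdentity", "sts:TagSession"}


def trust_policy(services: Iterable[str] = (), aws_arns: Iterable[str] = ()) -> dict:
    """Build an assume-role policy that trusts every given principal, one Allow
    statement per principal type (assumed layout; CDK may group differently)."""
    statements = []
    for key, values in (("Service", list(services)), ("AWS", list(aws_arns))):
        if values:
            statements.append({"Effect": "Allow",
                               "Principal": {key: values},
                               "Action": "sts:AssumeRole"})
    return {"Version": "2012-10-17", "Statement": statements}


def trust_policy_findings(policy: dict) -> list:
    """Review a trust policy: flag wildcard principals, malformed principals
    and actions outside the sts:Assume* family. An empty list means clean."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        for action in [actions] if isinstance(actions, str) else actions:
            if action not in _ASSUME_ACTIONS:
                findings.append(f"statement {i}: unexpected action {action}")
        principal = stmt.get("Principal", {})
        if principal == "*":  # "Principal": "*" trusts every AWS identity
            findings.append(f"statement {i}: wildcard principal")
            continue
        for key, vals in principal.items():
            for v in [vals] if isinstance(vals, str) else vals:
                if v == "*":
                    findings.append(f"statement {i}: wildcard {key} principal")
                elif key == "AWS" and not _AWS_RE.match(v):
                    findings.append(f"statement {i}: malformed AWS principal {v}")
                elif key == "Service" and not _SERVICE_RE.match(v):
                    findings.append(f"statement {i}: unexpected service principal {v}")
    return findings
```

Note that the placeholder ARNs from answer 1 (`arn:aws:iam::account1:role/Role1`) are reported as malformed, since a real trust policy needs 12-digit account ids there.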