我正在尝试将AWS Lambda发布到我的客户AWS帐户,但是我一直收到此错误消息。
Error creating CloudFormation change set: User: arn:aws:iam::xxxxxx:user/testuser is not authorized to perform: cloudformation:CreateChangeSet on resource: arn:aws:cloudformation:eu-west-1:xxxx:stack/test-Stack/*
当我使用自己的帐户进行测试时,我为IAM用户添加了“ AdministratorAccess”策略,该策略基本上允许所有操作。
我检查了策略,只有“ CloudFormationReadonlyAccess”,但是这些策略不允许写入/删除。我应该要求我的客户为IAM用户分配什么政策?
我也尝试过添加角色
"cloudformation:CreateStack",
"cloudformation:CreateChangeSet",
"cloudformation:ListStacks",
"cloudformation:UpdateStack",
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackResource",
"cloudformation:DescribeStackEvents",
"cloudformation:ValidateTemplate",
"cloudformation:DescribeChangeSet",
"cloudformation:ExecuteChangeSet"
但发生相同的错误。
答案 0 :(得分:0)
您需要指定允许执行这些操作的资源。具体来说
- Action:
- cloudformation:CreateStack
- cloudformation:DeleteStack
- cloudformation:UpdateStack
- cloudformation:DescribeStacks
- cloudformation:DescribeChangeSet
- cloudformation:CreateChangeSet
- cloudformation:DeleteChangeSet
- cloudformation:ExecuteChangeSet
Effect: Allow
Resource:
- !Join
- ':'
- - arn
- aws
- cloudformation
- !Ref 'AWS::Region'
- !Ref 'AWS::AccountId'
- !Join
- /
- - stack
- test-stack
- '*'
还要检查sts:AssumeRole服务是否是cloudformation.amazonaws.com