Planning to create a CFT that needs 3 roles, with a managed policy and an inline policy attached

Time: 2019-04-26 09:51:50

Tags: amazon-web-services amazon-cloudformation

I am trying to create a CFT with the following:

1. A managed policy attached to 3 different roles
2. An inline policy, which should be added to the three roles created in the CFT.

But I cannot do this, because it throws an error saying that at least one resource must be defined.

Please help me achieve this.

    {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "EMRDefaultRole": {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "RoleName": "EMR_DefaultRole",
                    "AssumeRolePolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Effect": "Allow",
                            "Principal": {
                                "Service": "elasticmapreduce.amazonaws.com"
                            },
                            "Action": "sts:AssumeRole"
                        }]
                    },
                    "ManagedPolicyArns": [
                        "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole"
                    ]
                }
            },
            "EMREC2DefaultRole": {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "RoleName": "EMR_EC2_DefaultRole",
                    "AssumeRolePolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Effect": "Allow",
                            "Principal": {
                                "Service": "ec2.amazonaws.com"
                            },
                            "Action": "sts:AssumeRole"
                        }]
                    },
                    "ManagedPolicyArns": [
                        "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role"
                    ]
                }
            },
            "EMRAutoScalingDefaultRole": {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "RoleName": "EMR_AutoScaling_DefaultRole",
                    "AssumeRolePolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Effect": "Allow",
                            "Principal": {
                                "Service": [
                                    "elasticmapreduce.amazonaws.com",
                                    "application-autoscaling.amazonaws.com"
                                ]
                            },
                            "Action": "sts:AssumeRole"
                        }]
                    },
                    "ManagedPolicyArns": [
                        "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforAutoScalingRole"
                    ]
                }
            },
            "EMRS3Policies": {
                "Type": "AWS::IAM::Policy",
                "Properties": {
                    "PolicyName": "Moodys-IAM-EMR-S3-Access-Policy",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Effect": "Allow",
                            "Action": [
                                "s3:HeadBucket",
                                "s3:GetObject"
                            ],
                            "Resource": {
                                "Fn::Join": ["", ["arn:aws:s3:::mit-", {
                                    "Ref": "AWS::AccountId"
                                }, "-emr-files/*"]]
                            }
                        }]
                    },
                    "Roles": [
                        {"Ref": "EMRDefaultRole"},
                        {"Ref": "EMREC2DefaultRole"},
                        {"Ref": "EMRAutoScalingDefaultRole"}
                    ]
                }
            }
        }
    }

As I expect, the three roles will have the managed policy and the inline policy attached.
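As an added example (not code from the question or from any answer), the script below lints a template of this shape offline before it is ever submitted to CloudFormation. Its first check is the structural rule behind the "at least one resource must be defined" error (a missing or empty top-level `Resources` map); it then verifies that every `AWS::IAM::Role` has a trust policy, that the inline `AWS::IAM::Policy` declares a policy-language `Version`, that its `Roles` entries `Ref` roles defined in the same template, and that no `Allow` statement uses a wildcard action or resource. The function names and the sample template are this example's own assumptions.

```python
"""Offline linter for CloudFormation templates that create IAM roles plus an
inline AWS::IAM::Policy. Added example; names and sample data are constructed."""
import json
from typing import Any

IAM_ROLE = "AWS::IAM::Role"
IAM_POLICY = "AWS::IAM::Policy"


def _as_list(value: Any) -> list:
    """IAM lets Statement, Action and Resource be a single value or a list."""
    return value if isinstance(value, list) else [value]


def _wildcard(values: Any) -> bool:
    """True if any entry is '*' or a service-wide wildcard such as 's3:*'."""
    return any(v == "*" or v.endswith(":*")
               for v in _as_list(values) if isinstance(v, str))


def lint_template(template: dict) -> list[str]:
    """Return a list of findings; an empty list means the template passed."""
    findings: list[str] = []
    resources = template.get("Resources")
    # CloudFormation rejects a template whose Resources map is absent or empty
    # before it looks at any individual resource, so stop here if that fails.
    if not isinstance(resources, dict) or not resources:
        return ["Resources: at least one resource must be defined"]

    role_ids = {rid for rid, r in resources.items()
                if isinstance(r, dict) and r.get("Type") == IAM_ROLE}

    for rid, res in resources.items():
        if not isinstance(res, dict) or "Type" not in res:
            findings.append(f"{rid}: resource has no Type")
            continue
        props = res.get("Properties", {})
        if res["Type"] == IAM_ROLE:
            if not props.get("AssumeRolePolicyDocument"):
                findings.append(f"{rid}: role has no AssumeRolePolicyDocument")
        elif res["Type"] == IAM_POLICY:
            doc = props.get("PolicyDocument", {})
            if doc.get("Version") != "2012-10-17":
                findings.append(f"{rid}: PolicyDocument should declare Version 2012-10-17")
            for n, stmt in enumerate(_as_list(doc.get("Statement", []))):
                if stmt.get("Effect") != "Allow":
                    continue
                if _wildcard(stmt.get("Action", [])):
                    findings.append(f"{rid}: statement {n} grants a wildcard Action")
                if _wildcard(stmt.get("Resource", [])):
                    findings.append(f"{rid}: statement {n} applies to a wildcard Resource")
            # Each Ref in Roles must resolve to an AWS::IAM::Role in this template;
            # a plain string is accepted as the name of a pre-existing role.
            for role in props.get("Roles", []):
                if isinstance(role, dict) and role.get("Ref") not in role_ids:
                    findings.append(f"{rid}: Roles refers to unknown logical id {role.get('Ref')}")
    return findings


# Constructed sample in the same shape as the template in the question (one
# role instead of three, to keep it short); it is expected to lint clean.
SAMPLE_TEMPLATE = json.loads(r'''
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "EMRDefaultRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{"Effect": "Allow",
                         "Principal": {"Service": "elasticmapreduce.amazonaws.com"},
                         "Action": "sts:AssumeRole"}]
        }
      }
    },
    "EMRS3Policies": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "emr-s3-read",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{"Effect": "Allow",
                         "Action": ["s3:GetObject"],
                         "Resource": {"Fn::Join": ["", ["arn:aws:s3:::mit-",
                                      {"Ref": "AWS::AccountId"}, "-emr-files/*"]]}}]
        },
        "Roles": [{"Ref": "EMRDefaultRole"}]
      }
    }
  }
}
''')

if __name__ == "__main__":
    for finding in lint_template(SAMPLE_TEMPLATE) or ["no findings"]:
        print(finding)
```

Run it against a real template with `lint_template(json.load(open("template.json")))`; a non-empty list is the set of things to fix before `aws cloudformation validate-template` or a deploy. The wildcard check only looks at `Allow` statements, and a `Resource` given as an intrinsic such as `Fn::Join` is not treated as a wildcard, so an account-scoped bucket ARN like the one in the question passes.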

1 answer:

Answer 0 (score: 1)

You are missing the Resource property in the role's Statement.

    "Statement": [{
        "Effect": "Allow",
        "Principal": {
            "Service": [
                "elasticmapreduce.amazonaws.com",
                "application-autoscaling.amazonaws.com"
            ]
        },
        "Action": "sts:AssumeRole"
    }]

It should be (this applies to all the statements)

    "Statement": [{
        "Effect": "Allow",
        "Principal": {
            "Service": [
                "elasticmapreduce.amazonaws.com",
                "application-autoscaling.amazonaws.com"
            ]
        },
        "Action": "sts:AssumeRole",
        "Resource": [
            "arn-of-your-resource-or-wildcard"
        ]
    }]