Adding a PermissionsBoundary in a SAM template fails

Time: 2019-07-14 22:05:32

Tags: amazon-web-services aws-lambda amazon-iam aws-serverless aws-sam

Here is the SAM template:

Resources:
  HelloWorldFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: hello-world/
      Handler: app.LambdaHandler
      Runtime: nodejs8.10
      Events:
        MySQSEvent:
          Type: SQS
          Properties:
            Queue: !GetAtt SomeQueue.Arn
            BatchSize: 10
      PermissionsBoundary: "arn:aws:iam::${AWS::AccountId}:policy/AddPermission"

  SomeQueue:
    Type: AWS::SQS::Queue

  AddPermission:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: "PermissionBoundaryForLogGroup"
            Effect: "Allow"
            Action:
            - "logs:CreateLogGroup"
            Resource:
              - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:*"

If I use a new stack, the error is:

{
  "StackId": "arn:aws:cloudformation:us-east-1:285774445527:stack/somestack/f986eb30-a5a0-11e9-9771-1273bfab49fc",
  "EventId": "cb4be9e0-a682-11e9-bac4-12d48e821f84",
  "ResourceStatus": "UPDATE_ROLLBACK_IN_PROGRESS",
  "ResourceType": "AWS::CloudFormation::Stack",
  "Timestamp": "2019-07-14T22:00:29.808Z",
  "ResourceStatusReason": "The following resource(s) failed to create: [AddPermission]. The following resource(s) failed to update: [HelloWorldFunctionRole]. ",
  "StackName": "pocstack",
  "PhysicalResourceId": "arn:aws:cloudformation:us-east-1:285774445527:stack/somestack/f986eb30-a5a0-11e9-9771-1273bfab49fc",
  "LogicalResourceId": "pocstack"
},
{
  "StackId": "arn:aws:cloudformation:us-east-1:285774445527:stack/pocstack/f986eb30-a5a0-11e9-9771-1273bfab49fc",
  "EventId": "AddPermission-CREATE_FAILED-2019-07-14T22:00:29.100Z",
  "ResourceStatus": "CREATE_FAILED",
  "ResourceType": "AWS::IAM::ManagedPolicy",
  "Timestamp": "2019-07-14T22:00:29.100Z",
  "ResourceStatusReason": "Resource creation cancelled",
  "StackName": "pocstack",
  "ResourceProperties": "{\"PolicyDocument\":{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"logs:CreateLogGroup\"],\"Resource\":[\"arn:aws:logs:us-east-1:285774445527:log-group:*\"],\"Effect\":\"Allow\",\"Sid\":\"PermissionBoundaryForLogGroup\"}]}}",
  "PhysicalResourceId": "arn:aws:iam::285774445527:policy/somestack-AddPermission-GKXVOXLQARLR",
  "LogicalResourceId": "AddPermission"
},

Why does the managed policy fail to create with "ResourceStatusReason": "Resource creation cancelled"?

1 answer:

Answer 0 (score: 1)

There are a few issues with this.

First, you cannot hardcode the resource name of AddPermission like this

PermissionsBoundary: "arn:aws:iam::${AWS::AccountId}:policy/AddPermission"

because you don't know the actual name of the resource that will be created. It will be something like

arn:aws:iam::859119227216:policy/test-permissions-AddPermission-CK3PYCO10NV1

with a random string at the end. The correct way to reference it is via the Ref function.

PermissionsBoundary: !Ref AddPermission

Another problem is that you are creating an SQS-polling lambda function, but your permissions boundary blocks the SQS permissions, so the stack will not be able to create that lambda function.

You will need to add something like this to the permissions boundary (of course, you don't need to add full SQS permissions for all resources, just enough for the function to work with the specific queue).

- Sid: 'AllowReadSQSMessages'
  Effect: 'Allow'
  Action:
      - 'sqs:*'
  Resource: '*'

Here is a complete template that works (it assumes the correct code location and handler name, but feel free to change those).

Transform: 'AWS::Serverless-2016-10-31'
Resources:
    HelloWorldFunction:
        Type: AWS::Serverless::Function
        Properties:
            CodeUri: ./src
            Handler: index.handler
            Runtime: nodejs8.10
            Events:
                MySQSEvent:
                    Type: SQS
                    Properties:
                        Queue: !GetAtt SomeQueue.Arn
                        BatchSize: 10
            PermissionsBoundary: !Ref AddPermission

    SomeQueue:
        Type: AWS::SQS::Queue

    AddPermission:
        Type: AWS::IAM::ManagedPolicy
        Properties:
            PolicyDocument:
                Version: 2012-10-17
                Statement:
                    - Sid: 'PermissionBoundaryForLogGroup'
                      Effect: 'Allow'
                      Action:
                          - 'logs:CreateLogGroup'
                      Resource:
                          - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:*'
                    - Sid: 'AllowReadSQSMessages'
                      Effect: 'Allow'
                      Action:
                          - 'sqs:*'
                      Resource: '*'

While this will work, make sure you understand what you are doing. A permissions boundary will block every other permission that is not part of it. For example, SAM automatically creates the permissions needed for CW logs. Those are

  • logs:CreateLogGroup
  • logs:CreateLogStream
  • logs:PutLogEvents

You only allow logs:CreateLogGroup in the permissions boundary, so your function will not be able to log anything to CloudWatch.
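As an added illustration of that last point (example code, not part of the original answer), here is a small offline model of how IAM evaluates a permissions boundary: the role's SAM-style identity policy is intersected with the question's boundary and then with a boundary scoped to the one queue, showing which runtime actions each boundary strips away. All policy documents and ARNs are constructed samples and the account id is a placeholder.

```python
# Offline model of how IAM evaluates a permissions boundary (constructed sample):
# a request succeeds only if BOTH the role's identity policy AND the boundary
# allow it and neither denies it. ARNs are made up; the account id is a placeholder.
from fnmatch import fnmatchcase

ACCOUNT = "111122223333"  # placeholder account id
QUEUE_ARN = f"arn:aws:sqs:us-east-1:{ACCOUNT}:SomeQueue"
LOG_GROUPS = f"arn:aws:logs:us-east-1:{ACCOUNT}:log-group:*"
LOG_ACTIONS = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
SQS_ACTIONS = ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"]

# Approximation of what SAM attaches to an SQS-triggered function's role.
ROLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": LOG_ACTIONS, "Resource": "*"},
    {"Effect": "Allow", "Action": SQS_ACTIONS, "Resource": "*"}]}

# The question's boundary: only logs:CreateLogGroup.
NARROW_BOUNDARY = {"Statement": [
    {"Effect": "Allow", "Action": ["logs:CreateLogGroup"], "Resource": LOG_GROUPS}]}

# A boundary admitting exactly what the poller needs, scoped to one queue.
SCOPED_BOUNDARY = {"Statement": [
    {"Effect": "Allow", "Action": LOG_ACTIONS, "Resource": LOG_GROUPS},
    {"Effect": "Allow", "Action": SQS_ACTIONS, "Resource": QUEUE_ARN}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _verdict(policy, action, resource):
    """'Deny', 'Allow' or None for one policy document; an explicit Deny wins."""
    verdict = None
    for st in policy["Statement"]:
        if not any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        verdict = "Allow"
    return verdict

def is_allowed(identity_policy, boundary, action, resource):
    """Effective permission is the intersection of identity policy and boundary."""
    return (_verdict(identity_policy, action, resource) == "Allow"
            and _verdict(boundary, action, resource) == "Allow")

def blocked_by_boundary(identity_policy, boundary, requests):
    """Actions the role policy grants but the boundary strips away at runtime."""
    return sorted(a for a, r in requests if _verdict(identity_policy, a, r) == "Allow"
                  and not is_allowed(identity_policy, boundary, a, r))
```

With the question's boundary the function keeps only logs:CreateLogGroup; with the scoped boundary it can write its logs and poll SomeQueue, but nothing else.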