我使用了“ Fn :: Sub”解决方案,但我不知道为什么它不起作用。
我尝试添加方括号,删除方括号,仅使用一个字符串,使用多个字符串等。现在,我陷入了“此策略包含以下错误:语法错误...”的问题(后接一行) /位置)在“ Fn :: Sub”的第二个实例中。
{
"Version": "2012-10-17",
"Statement": [
{
"Condition": {
"StringEquals": {
"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:policy/[roleName]"
}
}, "Action": [
"iam:policy1",
"iam:policy2"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"iam:etc",
"iam:etc2",
"iam:etc3"
],
"Resource": "*",
"Effect": "Deny"
},
{
"Action": "iam:*",
"Resource": [
{"Fn::Sub" : "arn:aws:iam::${AWS::AccountId}:role/[rolename]"},
{"Fn::Sub" : "arn:aws:iam::${AWS::AccountId}:role/[rolename]"}
],
"Effect": "Deny"
}
] }
“ Fn :: Sub”在代码的第一部分中在“ StringEquals”:之后可以正常工作,但在“ Resource”之后不能: 我收到语法错误。 我以前没有这样的问题:
"Action": "iam:*",
"Resource": [
"arn:aws:iam::[12-digitID]:role/[rolename]",
"arn:aws:iam::[12-digitID]:role/[rolename]"}
],
"Effect": "Deny"
}
但是,我希望能够在所有帐户中部署此帐户而无需对帐户ID进行硬编码。我在做什么错了?