一种资源可能引用另一种资源?

时间:2019-08-31 17:33:28

标签: serverless-framework

我在serverless.yml文件中定义了一个S3存储桶,如下所示:

resources:
  Resources:
    nameOfS3Bucket:
      Type: AWS::S3::Bucket
      Properties:
        BucketName: ${self:custom.stage}-name-of-s3-bucket
        AccessControl: Private

我现在想做的是在IAM角色中引用存储区的arn,例如,它也被定义为资源。

resources:
  Resources:
    # s3 bucket definition removed for brevity
    iamRoleName:
      Type: AWS::IAM::Role
      Properties:
        RoleName: ${self:custom.stage}-iam-role-name
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - lambda.amazonaws.com
              Action: sts:AssumeRole
        Policies:
          - PolicyName: ${self:custom.stage}-iam-role-policy
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: Allow
                  Action: "s3:PutObject"
                  Resource: *** Need the ARN of the s3 bucket here***

有没有办法做到这一点?

1 个答案:

答案 0 :(得分:0)

以我的经验,intrinsic functionsserverless.yml内可以正常工作,但不是 yaml简短形式。

即在Fn::GetAtt上使用!GetAtt

只要您对yaml使用完整语法,它应该有效。

尝试一下(未试用)

resources:
  Resources:
    nameOfS3Bucket:
      Type: AWS::S3::Bucket
      Properties:
        BucketName: ${self:custom.stage}-name-of-s3-bucket
        AccessControl: Private
    iamRoleName:
      Type: AWS::IAM::Role
      Properties:
        RoleName: ${self:custom.stage}-iam-role-name
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - lambda.amazonaws.com
              Action: sts:AssumeRole
        Policies:
          - PolicyName: ${self:custom.stage}-iam-role-policy
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: Allow
                  Action: "s3:PutObject"
                  Resource: 
                    "Fn::GetAtt": [ nameOfS3Bucket, Arn ]