I need to create a resource-based policy by following the link below. So I have implemented this using boto3.
Below is the Python script.
import boto3, json
from assume_role import credentials

if __name__ == "__main__":
    credentials = credentials("AssumeRoleSessionEBSEncryption")
    iam = boto3.client(
        'iam',
        region_name='eu-central-1',
        aws_access_key_id=credentials['AccessKeyId'],
        aws_secret_access_key=credentials['SecretAccessKey'],
        aws_session_token=credentials['SessionToken'],
    )
    my_managed_policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Allow",
                "Effect": "Allow",
                "Principal": {
                    "Service": [
                        "mq.amazonaws.com"
                    ]
                },
                "Action": [
                    "logs:CreateLogStream",
                    "logs:PutLogEvents"
                ],
                "Resource": "arn:aws:logs:*:*:log-group:/aws/amazonmq/*"
            }
        ]
    }
    response = iam.create_policy(
        PolicyName='MQPolicy',
        PolicyDocument=json.dumps(my_managed_policy)
    )
    print(response)
After running the script I get the following error. Please advise.
Traceback (most recent call last):
File "mq_iam_policy.py", line 32, in <module>
PolicyDocument=json.dumps(my_managed_policy)
File "/home/ec2-user/workspace/scripts/venv/lib64/python3.7/site-packages/boto3/resources/factory.py", line 520, in do_action
response = action(self, *args, **kwargs)
File "/home/ec2-user/workspace/scripts/venv/lib64/python3.7/site-packages/boto3/resources/action.py", line 83, in __call__
response = getattr(parent.meta.client, operation_name)(**params)
File "/home/ec2-user/workspace/scripts/venv/lib64/python3.7/site-packages/botocore/client.py", line 357, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/home/ec2-user/workspace/scripts/venv/lib64/python3.7/site-packages/botocore/client.py", line 661, in _make_api_call
raise error_class(parsed_response, operation_name)
botocore.errorfactory.MalformedPolicyDocumentException: An error occurred (MalformedPolicyDocument) when calling the CreatePolicy operation: Policy document should not specify a principal.
Final answer:
import boto3, json
import os
from assume_role import get_temporary_credentials

AWS_ACCOUNT_ID = os.environ['AWS_ACCOUNT_ID']
AWS_ROLE = os.environ['AWS_ROLE']

if __name__ == "__main__":
    credentials = get_temporary_credentials("AssumeRoleSessionEBSEncryption")
    client = boto3.client(
        'logs',
        region_name='eu-central-1',
        aws_access_key_id=credentials['AccessKeyId'],
        aws_secret_access_key=credentials['SecretAccessKey'],
        aws_session_token=credentials['SessionToken'],
    )
    response = client.put_resource_policy(
        policyName='MQPolicy',
        policyDocument='{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "mq.amazonaws.com" }, "Action":[ "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource" : "arn:aws:logs:*:*:log-group:/aws/amazonmq/*" } ] }'
    )
    print(response)
Answer 0 (score: 2)
Amazon MQ does not support resource-based policies, as described in the following AWS article:
Also, according to the AWS documentation for configuring a resource-based policy for Amazon MQ, use the put_resource_policy operation of the AWS CloudWatch Logs service.
References:
Configure resource based policy for Amazon MQ
Boto3 documentation for CloudWatchLogs put_resource_policy
AWS CLI example:
aws --region us-east-1 logs put-resource-policy --policy-name AmazonMQ-logs \
--policy-document '{ "Version": "2012-10-17", "Statement": [ {
"Effect": "Allow", "Principal": { "Service": "mq.amazonaws.com" },
"Action":[ "logs:CreateLogStream", "logs:PutLogEvents" ],
"Resource" : "arn:aws:logs:*:*:log-group:/aws/amazonmq/*" } ] }'
Answer 1 (score: 1)
As I told you, you cannot use a principal in this case. See the documentation.
To use a principal, the policy should be resource-based.
Resource-based policies – You can attach a resource-based policy to a resource within a service. A resource-based policy includes a Principal element to specify which IAM identities can access that resource. For more information, see Identity-based policies and resource-based policies.
However, MQ does not support resource-based policies, as mentioned in the documentation.
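The distinction drawn in answers 0 and 1 (an IAM managed policy created with iam.create_policy is identity-based and must not carry a Principal, while a CloudWatch Logs resource policy set with logs.put_resource_policy must name one) can be checked locally before a document is sent to AWS. The Python below is an added example, not code from the question or from either answer; it uses only the standard library, so it runs without boto3 or credentials. The two sample policy documents, the function names classify_policy, lint_policy and put_resource_policy_kwargs, and the log-group prefix check are constructed for this illustration. The finding it reports for the identity-based target reproduces the reason behind the question's MalformedPolicyDocument error, and the second sample shows the kind of over-broad resource policy the linter is meant to refuse.

```python
import json

# Constructed sample: the document from the question, which IAM rejected with
# MalformedPolicyDocument because a managed policy must not carry a Principal.
MQ_LOGS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "mq.amazonaws.com"},
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": "arn:aws:logs:*:*:log-group:/aws/amazonmq/*",
        }
    ],
}

# Constructed counter-example: the same grant opened to every AWS account,
# every logs API and every log group. A resource policy like this should be refused.
WIDE_OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "logs:*", "Resource": "*"}],
}


def _as_list(value):
    """IAM lets most elements be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def classify_policy(policy):
    """'resource' when any statement names a Principal/NotPrincipal, else 'identity'."""
    for stmt in _as_list(policy.get("Statement")):
        if "Principal" in stmt or "NotPrincipal" in stmt:
            return "resource"
    return "identity"


def log_group_pattern(resource_arn):
    """Return the log-group name (or glob) from a CloudWatch Logs ARN, else None."""
    # arn:partition:service:region:account:log-group:name (names contain no ':')
    parts = resource_arn.split(":", 6)
    if len(parts) == 7 and parts[2] == "logs" and parts[5] == "log-group":
        return parts[6]
    return None


def lint_policy(policy, target, expected_service=None, log_group_prefix=None):
    """Return findings (empty list = acceptable) before sending `policy` to `target`.

    target: 'iam_managed_policy' (iam.create_policy) or
            'logs_resource_policy' (logs.put_resource_policy).
    """
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version must be 2012-10-17")
    kind = classify_policy(policy)
    if target == "iam_managed_policy" and kind == "resource":
        findings.append("identity-based policy must not contain Principal "
                        "(IAM answers MalformedPolicyDocument)")
    if target == "logs_resource_policy" and kind == "identity":
        findings.append("resource policy needs a Principal in every statement")

    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only tighten access; nothing to flag
        principal = stmt.get("Principal")
        if target == "logs_resource_policy" and principal is not None:
            if principal == "*" or principal == {"AWS": "*"}:
                findings.append(f"statement {i}: wildcard Principal lets any AWS account write logs")
            elif expected_service is not None:
                services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
                if services != [expected_service]:
                    findings.append(f"statement {i}: expected only service principal {expected_service}")
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action"))):
            findings.append(f"statement {i}: wildcard Action grants every API of the service")
        for res in _as_list(stmt.get("Resource")):
            name = None if res == "*" else log_group_pattern(res)
            if name is None or name == "*":
                findings.append(f"statement {i}: Resource {res!r} is not scoped to a log group")
            elif log_group_prefix and not name.startswith(log_group_prefix):
                findings.append(f"statement {i}: Resource {res!r} lies outside {log_group_prefix}")
    return findings


def put_resource_policy_kwargs(policy_name, policy, **lint_opts):
    """Build the keyword arguments for logs.put_resource_policy, refusing unsafe documents."""
    findings = lint_policy(policy, "logs_resource_policy", **lint_opts)
    if findings:
        raise ValueError("; ".join(findings))
    return {"policyName": policy_name,
            "policyDocument": json.dumps(policy, separators=(",", ":"))}


if __name__ == "__main__":
    kwargs = put_resource_policy_kwargs("MQPolicy", MQ_LOGS_POLICY,
                                        expected_service="mq.amazonaws.com",
                                        log_group_prefix="/aws/amazonmq/")
    print(kwargs)  # hand to boto3.client("logs").put_resource_policy(**kwargs)
    print(lint_policy(MQ_LOGS_POLICY, "iam_managed_policy"))
    print(lint_policy(WIDE_OPEN_POLICY, "logs_resource_policy"))
```

The returned dictionary is passed straight through as `client.put_resource_policy(**kwargs)` on the `logs` client the question's final script creates; the same document sent to `iam.create_policy` is flagged before the request leaves the machine, which is the check the question's first script lacked.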
Answer 2 (score: 0)
Dear, here it is...
Install the AWS CLI agent for Windows and configure your credentials: https://docs.aws.amazon.com/cli/latest/userguide/install-windows.html
Create a JSON file containing the policy in "C:\Users\YOUR-USER\", for example C:\Users\YOUR-USER\policy.json. You can simply copy the following and paste it into your .json file:
{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Principal": {"Service": "mq.amazonaws.com"},"Action":["logs:CreateLogStream","logs:PutLogEvents"],"Resource" : "arn:aws:logs:*:*:log-group:/aws/amazonmq/*"}]}
Open your CMD and just type:
aws --region eu-central-1 logs put-resource-policy --policy-name amazonmq_to_cloudwatch --policy-document file://policy.json
Well done! This creates an AWS resource policy, which sometimes cannot be created in the IAM console.