如何在cloudformation策略文档中引用资源ARN? (yaml)

时间:2019-11-28 22:56:26

标签: amazon-web-services yaml amazon-cloudformation amazon-iam

我正在尝试在cloudformation(yaml)中的角色和用户之间定义信任关系策略文档。

要在角色AssumeRolePolicyDocument中指定用户的ARN,我想从实际的cloudformation资源中引用ARN,而不必构造ARN字符串。

但是,它不起作用。当我使用!Ref rUser时,在创建cloudformation堆栈“策略中的无效主体”时出现错误。

当我只将ARN字符串粘贴为值时,它就可以工作。是因为!Ref rUser返回用户对象类型并且不求值为字符串吗?如果是这样,如何从资源中引用ARN?

代码:

  rUser:
    Type: "AWS::IAM::User"
    Properties:
      UserName: "my_user"

  rRole:
    DependsOn: rRole
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: "my_role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: "Allow"
            Principal:
              AWS:
                # this does not work, gives error "Invalid Principal in policy"
                - !Ref rUser
                # this does work (just hard coding the ARN string):
                # - "arn:aws:iam::111111111111:user/my_user"
            Action:
              - "sts:AssumeRole"

1 个答案:

答案 0 :(得分:0)

只需使用GetAtt函数就可以弄清楚了……

  rRole:
    DependsOn: rRole
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: "my_role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: "Allow"
            Principal:
              AWS:
                - !GetAtt rExternalUser.Arn  # use the GetAtt function
            Action:
              - "sts:AssumeRole"
相关问题
最新问题