Create an IAM role and attach a custom policy

Time: 2020-03-21 04:58:33

Tags: amazon-web-services amazon-cloudformation

I am trying to create a new IAM role with the following policy using a CloudFormation template. CW_NAMESPACE and LOG_GROUP_ARN need to be replaced with the actual values.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "cloudwatch:PutMetricData",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "cloudwatch:namespace": "CW_NAMESPACE"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogStreams",
        "logs:DescribeLogGroups"
      ],
      "Resource": "LOG_GROUP_ARN"
    }
  ]
}

Any suggestions on how to create the role automatically with a template would be appreciated.

I found this template here...

https://cloudonaut.io/seamless-ec2-monitoring-with-the-unified-cloudwatch-agent/

1 answer:

Answer 0: (score: 1)

Here is an example of how to create an IAM role in a CloudFormation template.

YAML

Resources:

  LambdaLoadInventoryRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: Lambda-Load-Inventory-Role
      # Trust policy: only the Lambda service may assume this role
      AssumeRolePolicyDocument:
        Version: "2012-10-17"   # quoted so YAML parsers do not read it as a date
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      # AWS-managed policies attached by ARN
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
        - arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess
      # Inline policy defined in the template
      Policies:
        - PolicyName: CWLogsPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: arn:aws:logs:*:*:*
                Effect: Allow

JSON

{
"Resources": {
    "CommonResourceRole": {
        "Type": "AWS::IAM::Role",
        "Properties": {
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Sid": "",
                        "Effect": "Allow",
                        "Principal": {
                            "Service": [
                                "lambda.amazonaws.com"
                            ]
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            },
            "Policies": [
                {
                    "PolicyName": "LambdaPolicy",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [
                            {
                                "Effect": "Allow",
                                "Action": [
                                    "logs:CreateLogGroup",
                                    "logs:CreateLogStream",
                                    "logs:PutLogEvents"
                                ],
                                "Resource": "arn:aws:logs:*:*:*"
                            },
                            {
                                "Effect": "Allow",
                                "Action": [
                                    "cloudwatch:PutMetricData"
                                ],
                                "Resource": "*",
                                "Condition": {
                                    "StringEquals": {
                                        "cloudwatch:namespace": "CW_NAMESPACE"
                                    }
                                }
                            }
                        ]
                    }
                }
            ]
        }
    }
}
}
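The question's policy turned into a parameterized CloudFormation template, so that CW_NAMESPACE and LOG_GROUP_ARN are supplied as stack parameters instead of being edited by hand; this is an added example, not part of the question, the answer, or the linked cloudonaut template. The parameter names, the EC2 service principal and the instance profile are assumptions (the unified CloudWatch agent runs on EC2 instances, which get the role through an instance profile).

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Role for the CloudWatch agent, scoped to one metric namespace and one log group (added example)

Parameters:
  CWNamespace:           # assumed parameter name; replaces CW_NAMESPACE
    Type: String
    Description: Custom metric namespace the agent is allowed to write to
  LogGroupArn:           # assumed parameter name; replaces LOG_GROUP_ARN
    Type: String
    Description: ARN of the log group the agent may write to (arn:aws:logs:REGION:ACCOUNT_ID:log-group:NAME:*)

Resources:
  CloudWatchAgentRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: only EC2 instances may assume this role (assumption: agent runs on EC2)
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: CloudWatchAgentScopedPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Same statement as the question, with the namespace taken from the parameter
              - Effect: Allow
                Action: cloudwatch:PutMetricData
                Resource: "*"
                Condition:
                  StringEquals:
                    cloudwatch:namespace: !Ref CWNamespace
              # Same log actions as the question, restricted to the given log group ARN
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                  - logs:DescribeLogStreams
                  - logs:DescribeLogGroups
                Resource: !Ref LogGroupArn

  # Instance profile that attaches the role to EC2 instances running the agent
  CloudWatchAgentInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref CloudWatchAgentRole
```

Deploy with the two parameter values for the stack; because both are plain parameters, the same template can be reused per environment without editing the policy text.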