Can anyone help me "translate" this CloudFormation into CDK (Java or Java)? I tried to do it, but this is my first time working with CDK and I'm not sure how to go about it. I'd really appreciate it.
FargateTaskExecutionServiceRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - ecs-tasks.amazonaws.com
          Action:
            - sts:AssumeRole
    Policies:
      - PolicyName: AmazonECSTaskExecutionRolePolicy
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - 'ecr:GetAuthorizationToken'
                - 'ecr:BatchCheckLayerAvailability'
                - 'ecr:GetDownloadUrlForLayer'
                - 'ecr:BatchGetImage'
                - 'logs:CreateLogStream'
                - 'logs:PutLogEvents'
              Resource: '*'
Answer 0 (score: 10)
You should refer to the API reference document to get a clear picture. It has examples for some use cases.
However, since you have already asked here, and my hands are itching to give you an answer, here is a TypeScript implementation of just the IAM part:
import {
  ManagedPolicy,
  Role,
  ServicePrincipal,
  PolicyStatement,
  Effect
} from '@aws-cdk/aws-iam';
....
....
// The role the ECS agent assumes on the task's behalf; the trust policy
// (AssumeRolePolicyDocument in the template) is generated from assumedBy.
const ecsFargateServiceRole = new Role(this, 'FargateTaskExecutionServiceRole', {
  assumedBy: new ServicePrincipal('ecs-tasks.amazonaws.com')
});
// Add an inline policy statement to the role (the Policies block of the template).
ecsFargateServiceRole.addToPolicy(
  new PolicyStatement({
    effect: Effect.ALLOW,
    resources: ['*'],
    actions: [
      'ecr:GetAuthorizationToken',
      'ecr:BatchCheckLayerAvailability',
      'ecr:GetDownloadUrlForLayer',
      'ecr:BatchGetImage',
      'logs:CreateLogStream',
      'logs:PutLogEvents'
    ]
  })
);
// Alternatively, attach the AWS managed policy. Its ARN is
// arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy and
// fromAwsManagedPolicyName() builds the ARN from exactly the string passed in,
// so the 'service-role/' path prefix is required; without it the deployment
// fails because the policy does not exist at the top-level path.
ecsFargateServiceRole.addManagedPolicy(
  ManagedPolicy.fromAwsManagedPolicyName('service-role/AmazonECSTaskExecutionRolePolicy')
);
....
....
Update:
When adding an AWS managed policy to a role, you can obtain the managed policy as a reference by its name or by its ARN. The important part is that if you use the AWS managed policy by name or by ARN as shown above, you do not need to use the policy statement explicitly. From the answer above, you can use the managed-policy approach instead of the policy statement.
Now the simple way to define the role is:
// Same as above: the managed policy lives under the 'service-role/' path,
// so that prefix has to be part of the name passed to fromAwsManagedPolicyName().
const ecsFargateServiceRole = new Role(this, 'FargateTaskExecutionServiceRole', {
  assumedBy: new ServicePrincipal('ecs-tasks.amazonaws.com'),
  managedPolicies: [
    ManagedPolicy.fromAwsManagedPolicyName('service-role/AmazonECSTaskExecutionRolePolicy')
  ]
});
Please note that I have left out the constructor for brevity.
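Since the question asked for Java, here is the same role written for the CDK v2 Java bindings (software.amazon.awscdk 2.x). This is an added example, not code from the question or from the answer above. It shows the managed-policy form with the correct service-role/ path, and beside it an inline form that keeps the same six actions but scopes the image-pull and log-write permissions to one ECR repository and one log group instead of Resource: '*'; only ecr:GetAuthorizationToken genuinely needs '*'. The stack, repository and log group construct ids are placeholders chosen for this example.

```java
// Added example (not from the original question or answers): CDK v2 Java.
// Construct ids such as "FargateRoleStack", "AppRepository" and "AppLogGroup"
// are placeholders for this example.
package com.example;

import java.util.List;

import software.amazon.awscdk.App;
import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.ecr.Repository;
import software.amazon.awscdk.services.iam.Effect;
import software.amazon.awscdk.services.iam.ManagedPolicy;
import software.amazon.awscdk.services.iam.PolicyStatement;
import software.amazon.awscdk.services.iam.Role;
import software.amazon.awscdk.services.iam.ServicePrincipal;
import software.amazon.awscdk.services.logs.LogGroup;
import software.constructs.Construct;

public class FargateRoleStack extends Stack {

    public FargateRoleStack(final Construct scope, final String id, final StackProps props) {
        super(scope, id, props);

        // Form 1: the AWS managed policy. Its ARN is
        // arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy,
        // and fromAwsManagedPolicyName() builds the ARN from the string as given,
        // so the "service-role/" path prefix is mandatory.
        Role managedRole = Role.Builder.create(this, "FargateTaskExecutionServiceRole")
                .assumedBy(new ServicePrincipal("ecs-tasks.amazonaws.com"))
                .managedPolicies(List.of(
                        ManagedPolicy.fromAwsManagedPolicyName(
                                "service-role/AmazonECSTaskExecutionRolePolicy")))
                .build();

        // Form 2: the same six actions as inline statements, scoped to the
        // resources the task actually uses rather than Resource: '*'.
        Repository repo = Repository.Builder.create(this, "AppRepository").build();
        LogGroup logGroup = LogGroup.Builder.create(this, "AppLogGroup").build();

        Role scopedRole = Role.Builder.create(this, "FargateTaskExecutionServiceRoleScoped")
                .assumedBy(new ServicePrincipal("ecs-tasks.amazonaws.com"))
                .build();

        // ecr:GetAuthorizationToken is not resource-level; '*' is the only valid resource.
        scopedRole.addToPolicy(PolicyStatement.Builder.create()
                .effect(Effect.ALLOW)
                .actions(List.of("ecr:GetAuthorizationToken"))
                .resources(List.of("*"))
                .build());

        // Image pulls limited to the one repository the task image lives in.
        scopedRole.addToPolicy(PolicyStatement.Builder.create()
                .effect(Effect.ALLOW)
                .actions(List.of(
                        "ecr:BatchCheckLayerAvailability",
                        "ecr:GetDownloadUrlForLayer",
                        "ecr:BatchGetImage"))
                .resources(List.of(repo.getRepositoryArn()))
                .build());

        // Log writes limited to one log group. The LogGroup Arn attribute already
        // ends in ":*", so it covers every stream inside the group.
        scopedRole.addToPolicy(PolicyStatement.Builder.create()
                .effect(Effect.ALLOW)
                .actions(List.of("logs:CreateLogStream", "logs:PutLogEvents"))
                .resources(List.of(logGroup.getLogGroupArn()))
                .build());
    }

    public static void main(final String[] args) {
        App app = new App();
        new FargateRoleStack(app, "FargateRoleStack", StackProps.builder().build());
        app.synth();
    }
}
```

Running `cdk synth` on this stack emits both roles; `cdk diff` against a template produced from the CloudFormation in the question shows that the only difference for Form 1 is the managed policy attachment in place of the inline Policies block. CDK also offers `repo.grantPull(role)` and `logGroup.grantWrite(role)`, which generate the same scoped statements as Form 2 without spelling out the action names.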
Answer 1 (score: 1)
Try the code below. It runs and creates the role. However, I cannot assign the role to an EC2 instance. While looking into the problem I found that in the AWS Console the role has no "Instance Profile ARN". Any idea what I am missing?
// Role trusted by EC2, with two AWS managed policies attached.
// Both policies live at the top-level path, so no prefix is needed here.
const ec2SsmS3Role = new Role(this, 'Ec2SessionManagerS3Role', {
  assumedBy: new ServicePrincipal('ec2.amazonaws.com'),
  managedPolicies: [
    ManagedPolicy.fromAwsManagedPolicyName('AmazonSSMManagedInstanceCore'),
    ManagedPolicy.fromAwsManagedPolicyName('AmazonS3FullAccess')
  ]
});