I bootstrapped the CDK toolkit stack this way:

npx cdk bootstrap \
  --trust 158******206 \
  --toolkit-stack-name **** \
  --qualifier **** \
  --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess \

So the CDK toolkit stack has the following resources:
ContainerAssetsRepository
DeploymentActionRole
FileAssetsBucketEncryptionKey
FileAssetsBucketEncryptionKeyAlias
FilePublishingRole
FilePublishingRoleDefaultPolicy
ImagePublishingRole
ImagePublishingRoleDefaultPolicy
StagingBucket
StagingBucketPolicy
Then I tried to deploy the CDK stack through an IAM user and it works fine. I use the following command:

cdk deploy --require-approval never --toolkit-stack-name **** --profile user-1

If I try to deploy through STS, I get this error:

Error: Could not assume role in target account (did you bootstrap the environment with the right '--trust's?): User: arn:aws:sts::448*****770:assumed-role/cdktoolkit-test-role/91cb8d5a-57e9-4d73-9f66-ddc630b637f2 is not authorized to perform: sts:TagSession on resource: arn:aws:iam::448*****770:role/cdk-event-proc-deploy-role-448******770-us-east-1

My iam-sts-config.yml:
---
aws_iam:
  - type: sts-access-keys
    version: V2
    config:
      iam_assume_role_name: cdktoolkit-test-role

Then I add:
AWS_ACCESS_KEY_ID=***
AWS_SECRET_ACCESS_KEY=***
AWS_SESSION_TOKEN=***
AWS_DEFAULT_REGION=***
I have this trust relationship policy on the cdk-event-proc-deploy-role role:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::448******770:root"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::158*****206:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

If I manually edit the trust relationship policy and add "Action": "sts:TagSession", I can deploy my stack.

So my question is: when I bootstrap the CDK toolkit stack for a role, is it possible to set a custom trust relationship policy?

I only found the --trust parameter, but it only adds a new principal. Can I add other actions?
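The error in the question comes down to what the role's trust policy grants to the calling principal: the CDK CLI assumes the deploy role and tags the session, so the principal needs `sts:TagSession` as well as `sts:AssumeRole`. The following script is an added example (not code from the question, the CDK project, or AWS) that checks a trust policy document for exactly that gap and produces the same kind of corrected document the asker applied by hand. The policy in the script is a constructed copy of the one in the question with placeholder account IDs; it only evaluates `Allow` statements with `AWS` principals (no `Deny`, `NotAction` or `Condition` handling), so it is a review aid for this specific failure, not a general IAM policy evaluator.

```python
"""Check a role trust policy for the STS actions the CDK deploy roles need.

Added example, not part of the original question. The policy document is the
same JSON shown under "Trust relationships" in the IAM console, or returned by
`aws iam get-role --role-name <name> --query Role.AssumeRolePolicyDocument`.
Limitations: only Allow statements with AWS principals are considered; Deny,
NotAction and Condition elements are ignored.
"""
import json

# Actions the calling principal needs on the role when the CDK CLI assumes it
# and tags the session (the missing sts:TagSession seen in the question).
REQUIRED_ACTIONS = ("sts:AssumeRole", "sts:TagSession")

# Constructed sample: the trust policy from the question; account IDs are placeholders.
TRUST_POLICY = {
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
            "Action": "sts:AssumeRole",
        },
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
            "Action": "sts:AssumeRole",
        },
    ],
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Principal/Statement; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _aws_principals(stmt):
    """Return the AWS principals of a statement ('*' is kept as-is)."""
    principal = stmt.get("Principal", {})
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return _as_list(principal)  # the bare "Principal": "*" form


def allowed_actions(policy, principal_arn):
    """Collect the actions that Allow statements grant to the given principal."""
    allowed = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principals = _aws_principals(stmt)
        if principal_arn not in principals and "*" not in principals:
            continue
        allowed.update(_as_list(stmt.get("Action")))
    return allowed


def missing_actions(policy, principal_arn, required=REQUIRED_ACTIONS):
    """List required actions the trust policy does not grant to the principal."""
    granted = allowed_actions(policy, principal_arn)
    return [action for action in required if action not in granted]


def with_actions(policy, principal_arn, required=REQUIRED_ACTIONS):
    """Return a deep copy where every Allow statement naming the principal grants all required actions.

    This mirrors the manual edit described in the question (adding sts:TagSession)
    without touching statements for other principals.
    """
    patched = json.loads(json.dumps(policy))  # deep copy; the input is left unchanged
    for stmt in _as_list(patched.get("Statement")):
        if stmt.get("Effect") != "Allow" or principal_arn not in _aws_principals(stmt):
            continue
        stmt["Action"] = sorted(set(_as_list(stmt.get("Action"))) | set(required))
    return patched


if __name__ == "__main__":
    caller = "arn:aws:iam::111111111111:root"
    print("missing for", caller, "->", missing_actions(TRUST_POLICY, caller))
    print(json.dumps(with_actions(TRUST_POLICY, caller), indent=2))
```

Run it against a real policy by replacing `TRUST_POLICY` with the output of `aws iam get-role`; an empty list from `missing_actions` for the principal named in the error message means the trust side is not what is blocking the deploy. Deliberately, `with_actions` only widens statements that already name the caller, so it never adds a new principal and can be diffed against the current document before anything is applied.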