AWS permissions to delete a CloudFormation stack

Time: 2021-01-18 14:53:22

Tags: amazon-web-services amazon-cloudformation amazon-iam

I have a CloudFormation stack that includes EC2 instances, an IAM role and an Auto Scaling group. It is a transient stack that runs a load test against a target ALB. When the test finishes (it is time-limited), the results are sent and this stack is removed.

Right now I create the stack from my computer with my own credentials, although my ultimate goal is to automate this in a CodePipeline step.

I tried to have the stack call its own deletion using the CLI:

    aws cloudformation delete-stack --stack-name ${AWS::StackName} --region ${AWS::Region}

The EC2 instance running this command (part of this stack) has the following role:

    WorkerNodeRole:
      Type: AWS::IAM::Role
      Properties:
        RoleName: LoadTestNodeRole
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - ec2.amazonaws.com
                  - cloudformation.amazonaws.com
              Action: sts:AssumeRole
        Policies:
          - PolicyName: LoadTestNodeRolePolicy
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: Allow
                  Resource: '*'
                  Action: iam:PassRole
                - Effect: Allow
                  Resource: !Sub arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AWS::StackName}/*
                  Action:
                    - cloudformation:DeleteStack

I expected this to be enough to delete the stack, but it complains about permissions to delete the individual elements of the stack. For example:

    API: autoscaling:DescribeAutoScalingGroup User: arn:aws:sts::(account):assumed-role/LoadtestNodeRole/(instance) is not authorized to perform: autoscaling:DescribeAutoScalingGroups

How do I give the role permission to run cloudformation:DeleteStack on a specific stack so that it deletes everything the stack contains?

For example, this stack cannot delete itself, for the reasons above:

    Description: Autodelete test

    Resources:

      WorkerNodeRole:
        Type: AWS::IAM::Role
        Properties:
          RoleName: NodeRole
          AssumeRolePolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Principal:
                  Service:
                    - ec2.amazonaws.com
                    - cloudformation.amazonaws.com
                Action: sts:AssumeRole
          Policies:
            - PolicyName: NodeRolePolicy
              PolicyDocument:
                Version: "2012-10-17"
                Statement:
                  - Effect: Allow
                    Resource: '*'
                    Action: iam:PassRole
                  - Effect: Allow
                    Resource: !Sub arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AWS::StackName}/*
                    Action:
                      - cloudformation:DeleteStack

      WorkerNodeInstanceProfile:
        Type: AWS::IAM::InstanceProfile
        Properties:
          Path: "/"
          Roles:
            - !Ref WorkerNodeRole

      MasterNode:
        Type: AWS::EC2::Instance
        Properties:
          IamInstanceProfile: !Ref WorkerNodeInstanceProfile
          ImageId: ami-0be2609ba883822ec
          InstanceType: t2.small
          UserData:
            # The instance asks CloudFormation to delete the stack it belongs to
            Fn::Base64: !Sub |
              #!/bin/bash
              aws cloudformation delete-stack --stack-name ${AWS::StackName} --region ${AWS::Region}

1 answer:

Answer 0 (score: 2)

In summary: to make your delete-stack call work, you need to modify the policy, in your case that of your EC2 instance role, so that it covers all the resources in the stack (ASG, EC2, IAM + CloudFormation).

Explanation of the error:

To delete a stack you need the following permission:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "cloudformation:DeleteStack",
                "Resource": "arn:aws:cloudformation:eu-central-1:1234567890:stack/case-test3-stack/53a723c0-f413-11ea-8958"
            }
        ]
    }
> I have a CloudFormation stack that includes EC2 instances, an IAM role and an Auto Scaling group.

So everything is in one stack, and when you try to delete the stack, CloudFormation goes through it in order from top to bottom, unless some dependency clauses have been added to the definitions of the things in the stack to control deletion.

You cannot use delete-stack to selectively delete resources.

Also, the instance making the delete call only has delete permission on the CloudFormation stack, but your CloudFormation stack also has an ASG and other resources. So it fails.

It is like when I create this stack:

    $ cat minimal-cfn.yml
    Resources:
      Bucket:
        Type: 'AWS::S3::Bucket'
      BucketName:
        Type: AWS::SSM::Parameter
        Properties:
          Description: !Sub 'S3 Bucket from stack ${AWS::StackName}'
          Name: '/s3bucket/main/bucket-name'
          Type: String
          Value: !Ref Bucket

and my role only has the delete-stack permission I mentioned in the policy above; now when I try to delete the stack, I get the error

    $ aws cloudformation delete-stack --stack-name adsadasdasdas

    User: arn:aws:sts::1234567890:assumed-role/testrole1/s3-access-example is
    not authorized to perform: ssm:DeleteParameter on resource: arn:aws:ssm:eu-central-1:1234567890:parameter/s3bucket/main/bucket-name
    (Service: AmazonSSM; Status Code: 400; Error Code: AccessDeniedException; Request ID: 785ba9ad-e1b4-4d4b-aef4-5bea51481a87; Proxy: null)

because the role has no permission to delete the resources inside the stack.
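As an added example (not code from the question or the answer), here is a small Python helper that turns the resource types CloudFormation reports for a stack into the policy the deleting role needs, which is the point the answer makes: DeleteStack on the stack ARN plus the per-resource calls. The action table and the constructed QUESTION_STACK list are my assumptions for illustration, to be checked against CloudTrail for your own stack; the stack ARN used in the test is a placeholder.

```python
# Constructed, minimal table of the calls CloudFormation makes at delete time for
# each resource type. An assumption for illustration only: check CloudTrail for
# the exact calls your own stack's deletion triggers.
DELETE_ACTIONS = {
    "AWS::AutoScaling::AutoScalingGroup": [
        "autoscaling:DescribeAutoScalingGroups",  # the call denied in the question
        "autoscaling:DescribeScalingActivities",
        "autoscaling:DeleteAutoScalingGroup",
    ],
    "AWS::EC2::Instance": ["ec2:DescribeInstances", "ec2:TerminateInstances"],
    "AWS::IAM::Role": ["iam:GetRole", "iam:DeleteRolePolicy", "iam:DeleteRole"],
    "AWS::IAM::InstanceProfile": ["iam:GetInstanceProfile",
                                  "iam:RemoveRoleFromInstanceProfile",
                                  "iam:DeleteInstanceProfile"],
    "AWS::S3::Bucket": ["s3:DeleteBucket"],
    "AWS::SSM::Parameter": ["ssm:DeleteParameter"],  # the call denied in the answer
}


def stack_resource_types(cfn_client, stack_name):
    """Resource types of a live stack via ListStackResources (a boto3 CloudFormation client is passed in)."""
    types = []
    for page in cfn_client.get_paginator("list_stack_resources").paginate(StackName=stack_name):
        types.extend(r["ResourceType"] for r in page["StackResourceSummaries"])
    return types


def delete_policy(stack_arn, resource_types):
    """IAM policy allowing DeleteStack on one stack plus the per-resource calls CloudFormation
    needs. Raises on a type missing from the table so nothing is silently left without permission."""
    actions = set()
    for rtype in resource_types:
        if rtype not in DELETE_ACTIONS:
            raise KeyError(f"no delete actions known for {rtype}")
        actions.update(DELETE_ACTIONS[rtype])
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "cloudformation:DeleteStack", "Resource": stack_arn},
            # '*' is the minimum that gets the delete going; tighten it to the
            # stack's resource ARNs or a tag condition before production use.
            {"Effect": "Allow", "Action": sorted(actions), "Resource": "*"},
        ],
    }


# Constructed input mirroring the question's stack, as list-stack-resources would report it.
QUESTION_STACK = ["AWS::IAM::Role", "AWS::IAM::InstanceProfile",
                  "AWS::EC2::Instance", "AWS::AutoScaling::AutoScalingGroup"]
```

With a real stack, `delete_policy(arn, stack_resource_types(boto3.client("cloudformation"), name))` produces the document to attach to the instance role.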