我正在尝试探索是否有更好的方法。我只是使用策略生成器定义 IAM 策略,然后使用以下内容 --
const policyDocument = {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "FirstStatement",
"Effect": "Allow",
"Action": ["iam:ChangePassword"],
"Resource": "*"
},
{
"Sid": "SecondStatement",
"Effect": "Allow",
"Action": [
"s3:List*",
"s3:Get*"
],
"Resource": [
"arn:aws:s3:::confidential-data",
"arn:aws:s3:::confidential-data/*"
],
"Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
}
]
};
那么下面需要定义--
const customPolicyDocument = iam.PolicyDocument.fromJson(policyDocument);
const newManagedPolicy = new ManagedPolicy(stack, 'MyNewManagedPolicy', {
document: customPolicyDocument
});
const newPolicy = new Policy(stack, 'MyNewPolicy', {
document: customPolicyDocument
});
最后,我创建了一个角色并附加了策略 -
const TestBucketRole = new iam.Role(this, 'TestBucketRole', {
assumedBy: new iam.ArnPrincipal('arn:aws:iam::123456789012:user/user1'),
roleName: "test-role-cdk"
})
TestBucketRole.attachInlinePolicy(newPolicy);
有没有更好的方法来做到这一点?
答案 0 :(得分:4)
您可以使用 CDK 构造来 iam.PolicyDocument 和 iam.PolicyStatement 来实现相同的目的:
import * as iam from "@aws-cdk/aws-iam";
let policy = new iam.PolicyDocument({
statements: [
new iam.PolicyStatement({
effect: iam.Effect.ALLOW,
actions: ["iam:ChangePassword"],
resources: ["*"],
}),
new iam.PolicyStatement({
effect: iam.Effect.ALLOW,
actions: ["iam:ChangePassword"],
resources: ["*"],
}),
new iam.PolicyStatement({
effect: iam.Effect.ALLOW,
actions: ["s3:List*", "s3:Get*"],
resources: [
"arn:aws:s3:::confidential-data",
"arn:aws:s3:::confidential-data/*",
],
conditions: {
Bool: { "aws:MultiFactorAuthPresent": "true" },
},
}),
],
});
我喜欢使用 CDK 构造而不是 JSON 的一点是 TypeScript 属性/类型检查和自动完成。
但最终,它们是可以互换的!