我正在尝试在cloudformation(yaml)中的角色和用户之间定义信任关系策略文档。
为了在角色中指定用户的ARN AssumeRolePolicyDocument,我想从实际的cloudformation资源中引用ARN,而不必构造ARN字符串。
但是,它不起作用。使用时!Ref rUser,在创建cloudformation堆栈“策略中的无效主体”时出现错误。
当我仅将ARN字符串粘贴为值时,它就可以工作。是否因为!Ref rUser返回用户对象类型而不求值成字符串?如果是这样,如何从资源中引用ARN?
码:
rUser:
Type: "AWS::IAM::User"
Properties:
UserName: "my_user"
rRole:
DependsOn: rRole
Type: "AWS::IAM::Role"
Properties:
RoleName: "my_role"
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Principal:
AWS:
# this does not work, gives error "Invalid Principal in policy"
- !Ref rUser
# this does work (just hard coding the ARN string):
# - "arn:aws:iam::111111111111:user/my_user"
Action:
- "sts:AssumeRole"
刚弄清楚...使用GetAtt函数非常简单:
rRole:
DependsOn: rRole
Type: "AWS::IAM::Role"
Properties:
RoleName: "my_role"
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Principal:
AWS:
- !GetAtt rExternalUser.Arn # use the GetAtt function
Action:
- "sts:AssumeRole"
本文收集自互联网,转载请注明来源。
如有侵权,请联系 [email protected] 删除。
我来说两句