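amazon-web-services - Planning to create a CFT with 3 roles that have managed policies and an attached inline policy
Question
I am trying to create a CFT that has 1. 3 different roles with managed policies 2. an inline policy that should be added to the three roles created in the CFT.
But I am unable to do this, because it gives me an error saying that at least one resource must be defined.
Please help me achieve this.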
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "资源": {
    "EMRDefaultRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "EMR_DefaultRole",
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{
            "Effect": "Allow",
            "Principal": {
              "Service": "elasticmapreduce.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
          }]
        },
        "ManagedPolicyArns": [
          "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole"
        ]
      }
    },
    "EMREC2DefaultRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "EMR_EC2_DefaultRole",
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{
            "Effect": "Allow",
            "Principal": {
              "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
          }]
        },
        "ManagedPolicyArns": [
          "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role"
        ]
      }
    },
    "EMRAutoScalingDefaultRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "EMR_AutoScaling_DefaultRole",
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{
            "Effect": "Allow",
            "Principal": {
              "Service": [ "elasticmapreduce.amazonaws.com",
                "application-autoscaling.amazonaws.com"]
            },
            "Action": "sts:AssumeRole"
          }]
        },
        "ManagedPolicyArns": [
          "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforAutoScalingRole"
        ]
      }
    },
    "EMRS3Policies": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "Moodys-IAM-EMR-S3-Access-Policy",
        "PolicyDocument": {
          "Statement": [{
            "Effect": "Allow",
            "Action": [
              "s3:HeadBucket",
              "s3:GetObject"
            ],
            "Resource": {
              "Fn::Join": ["", ["arn:aws:s3:::mit-", {
                "Ref": "AWS::AccountId"
              }, "-emr-files/*"]]
            }
          }]
        },
        "Roles": [
          {"Ref": "EMRDefaultRole"},
          {"Ref": "EMREC2DefaultRole"},
          {"Ref": "EMRAutoScalingDefaultRole"}
        ]
      }
    }
  }
}
I am expecting three roles with the managed policies and the inline policy attached.
Answer
Your role statement is missing the resource property.
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "Service": [ "elasticmapreduce.amazonaws.com",
        "application-autoscaling.amazonaws.com"]
    },
    "Action": "sts:AssumeRole"
  }]
This should be (it applies to all statements):
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "Service": [ "elasticmapreduce.amazonaws.com",
        "application-autoscaling.amazonaws.com"]
    },
    "Action": "sts:AssumeRole",
    "Resource": [
      "arn-of-your-resource-or-wildcard"
    ]
  }]
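
Added example, not part of the original question or answer: a small Python pre-deployment check for templates of this shape (the names `lint_template` and `SAMPLE` and the sample template are constructed for illustration). It relies on three facts: CloudFormation reports that at least one Resources member must be defined when the template has no non-empty top-level section spelled exactly `Resources`; a role's trust policy statement takes `Principal` and no `Resource`; an `AWS::IAM::Policy` statement takes `Resource` and no `Principal`.

```python
import json

def _statements(doc):
    """Return the Statement list of a policy document (a single object is allowed)."""
    stmts = doc.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]

def lint_template(template):
    """Return findings for a CloudFormation template parsed from JSON."""
    resources = template.get("Resources")
    if not isinstance(resources, dict) or not resources:
        # The top-level section key must be spelled exactly "Resources".
        return ["template: no non-empty top-level 'Resources' section; found keys "
                + ", ".join(sorted(template))]
    findings = []
    for name, res in resources.items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::IAM::Role":
            # Trust policy: names who may assume the role (Principal), no Resource element.
            for s in _statements(props.get("AssumeRolePolicyDocument", {})):
                if "Principal" not in s:
                    findings.append(f"{name}: trust statement has no Principal")
                if "Resource" in s:
                    findings.append(f"{name}: trust statement has a Resource element")
        elif res.get("Type") == "AWS::IAM::Policy":
            # Identity policy: names what the roles may act on (Resource), no Principal.
            for s in _statements(props.get("PolicyDocument", {})):
                if "Resource" not in s and "NotResource" not in s:
                    findings.append(f"{name}: policy statement has no Resource")
                if "Principal" in s:
                    findings.append(f"{name}: policy statement has a Principal element")
            for ref in props.get("Roles", []):
                target = ref.get("Ref") if isinstance(ref, dict) else None
                if target and resources.get(target, {}).get("Type") != "AWS::IAM::Role":
                    findings.append(f"{name}: Roles entry {target} is not a role in this template")
    return findings

# Constructed sample: one role plus an inline policy attached to it by Ref.
SAMPLE = json.loads("""{"AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "DemoRole": {"Type": "AWS::IAM::Role", "Properties": {"AssumeRolePolicyDocument": {
      "Version": "2012-10-17", "Statement": [{"Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}}},
    "DemoPolicy": {"Type": "AWS::IAM::Policy", "Properties": {"PolicyName": "demo",
      "PolicyDocument": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]},
      "Roles": [{"Ref": "DemoRole"}]}}}}""")

if __name__ == "__main__":
    print(lint_template(SAMPLE) or "no findings")
```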