amazon-cloudformation - 如何获取 AWS KMS Key Arn 并通过 CloudFormation 在 IAM 角色内联策略中传递它？

问题描述

我正在尝试通过 CloudFormation 模板创建 IAM 角色和 KMS 密钥。我的要求是首先我需要创建 KMS 密钥，获取它的 ARN，然后在创建 IAM 角色时，传递该 KMS ARN。这是我的政策的样子：

Resources:
  myKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Key for encrypting S3 Buckets
      Enabled: TRUE
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: arn:aws:iam::11111111:root
            Action: kms:*
            Resource: '*'
      KeyUsage:  ENCRYPT_DECRYPT
  myAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/key_for_s3_encrytpion
      TargetKeyId:
        Ref: myKey
  RootRole:
      Type: 'AWS::IAM::Role'
      Properties:
        RoleName: 'Lambda-S3-SNS-VPC-Role-cft'
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - lambda.amazonaws.com
              Action:
                - 'sts:AssumeRole'
        Path: /
        ManagedPolicyArns:
          - !Ref AmazonVPCFullAccessARN
          - !Ref AmazonS3FullAccessARN
          - !Ref AWSLambdaBasicExecutionRoleARN
          - !Ref AmazonSNSFullAccessARN
          - !Ref AmazonSSMFullAccessARN
        Policies:
          - PolicyName: kms_cross_account
            PolicyDocument:
              Version: 2012-10-17
              Statement:
                - Effect: Allow
                  Action:
                    - "kms:Decrypt"
                    - "kms:Encrypt"
                    - "kms:GenerateDataKey"
                    - "kms:DescribeKey"
                    - "kms:ReEncrypt*"
                  Resource:
                    - <Here I need to pass KMS Key ARN created above>

我尝试将 !Sub 放在资源中：

- !Sub 'arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/key_for_s3_encrytpion'

但它直接将整个作为一个字符串

标签： amazon-cloudformationamazon-iamaws-kms