amazon-cloudformation - 如何获取 AWS KMS Key Arn 并通过 CloudFormation 在 IAM 角色内联策略中传递它?
问题描述
我正在尝试通过 CloudFormation 模板创建 IAM 角色和 KMS 密钥。我的要求是首先我需要创建 KMS 密钥,获取它的 ARN,然后在创建 IAM 角色时,传递该 KMS ARN。这是我的政策的样子:
Resources:
myKey:
Type: AWS::KMS::Key
Properties:
Description: Key for encrypting S3 Buckets
Enabled: TRUE
KeyPolicy:
Version: '2012-10-17'
Statement:
- Sid: Enable IAM User Permissions
Effect: Allow
Principal:
AWS: arn:aws:iam::11111111:root
Action: kms:*
Resource: '*'
KeyUsage: ENCRYPT_DECRYPT
myAlias:
Type: AWS::KMS::Alias
Properties:
AliasName: alias/key_for_s3_encrytpion
TargetKeyId:
Ref: myKey
RootRole:
Type: 'AWS::IAM::Role'
Properties:
RoleName: 'Lambda-S3-SNS-VPC-Role-cft'
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action:
- 'sts:AssumeRole'
Path: /
ManagedPolicyArns:
- !Ref AmazonVPCFullAccessARN
- !Ref AmazonS3FullAccessARN
- !Ref AWSLambdaBasicExecutionRoleARN
- !Ref AmazonSNSFullAccessARN
- !Ref AmazonSSMFullAccessARN
Policies:
- PolicyName: kms_cross_account
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- "kms:Decrypt"
- "kms:Encrypt"
- "kms:GenerateDataKey"
- "kms:DescribeKey"
- "kms:ReEncrypt*"
Resource:
- <Here I need to pass KMS Key ARN created above>
我尝试将 !Sub 放在资源中:
- !Sub 'arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/key_for_s3_encrytpion'
但它直接将整个作为一个字符串
解决方案
解决了。我曾经!GetAtt myKey.Arn
在 iAM 角色中获得 KMS ARN
推荐阅读
- apache-nifi - 如何用 NULL 替换从 ExecuteSQL 中提取的 NIFI 属性值
- python - 无法在 tkinter 中对齐三个文本小部件
- firebase - Firebase Web 性能分布图上的百分比值
- swift - Google Maps API didDrag、didBeginDragging、didEndDragging 函数不起作用
- sql - SQL获取由一列不同的行,但在按第三列排序的另一列上也不同
- python-3.x - 创建具有多个 x 轴的连续子图
- python - Python非常规排序算法
- javascript - 如果在外面点击,如何自动关闭手风琴
- python - 如何在beautifulsoup中检查已经抓取的URL
- python - Is it possible to run Google Cloud Platform NLP-API entity sentiment analysis in a batch processing mode for a large number of documents?