amazon-web-services - 向 KMS 资源上的无服务器“KeyPolicy”添加语句

问题描述

我有一个无服务器应用程序，它创建了一个 KMS 资源：

# serverless.yml 1
resources:
  Resources:
    SomeLambdaRole:
      Type: AWS::IAM::Role
    AnotherLambdaRole:
      Type: AWS::IAM::Role
    TheKey:
      Type: AWS::KMS::Key
      DeletionPolicy: Retain
      Properties:
        Description: The key
        Enabled: true
        KeyPolicy:
          Version: '2012-10-17'
          Statement:
            - Sid: Allow use of the key
              Effect: Allow
              Principal:
                AWS:
                  - Fn::GetAtt: [SomeLambdaRole, Arn]
                  - Fn::GetAtt: [AnotherLambdaRole, Arn]
              Action:
                - 'kms:Encrypt'
                - 'kms:Decrypt'
                - 'kms:ReEncrypt'
                - 'kms:GenerateDataKey*'
              Resource: '*'

从另一个创建了一些角色的无服务器应用程序中，我想为这些新角色提供与“TheKey”资源相同SomeLambdaRole的AnotherLambdaRole权限

# serverless.yml 2
resources:
  Resources:
    YetAnotherLambdaRole:
      Type: AWS::IAM::Role
# Do something to let this role have the same permission as "SomeLambdaRole" and "AnotherLambdaRole" for the "TheKey" Resource

这是可能的还是我应该尝试另一种方法？

标签： amazon-web-servicesserverless-frameworkaws-serverless