python - aws iam 角色从 CloudFormation 转移到 CDK
问题描述
我正在尝试将此 iam 角色从 CloudFormation 移动到 AWS CDK。我似乎在 Python 中找不到任何好的例子。条件是我目前卡住的地方。有没有人在 Python 中创建过类似的角色?
CognitoUnAuthorizedRole:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Federated: "cognito-identity.amazonaws.com"
Action:
- "sts:AssumeRoleWithWebIdentity"
Condition:
StringEquals:
"cognito-identity.amazonaws.com:aud": !Ref IdentityPool
"ForAnyValue:StringLike":
"cognito-identity.amazonaws.com:amr": unauthenticated
Policies:
- PolicyName: "CognitoAuthorizedPolicy"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action:
- "cognito-sync:*"
Resource: !Join [ "", [ "arn:aws:cognito-sync:", !Ref "AWS::Region", ":", !Ref "AWS::AccountId", ":identitypool/", !Ref IdentityPool] ]
- Effect: Allow
Action:
- iot:Connect
Resource: !Join [ "", [ "arn:aws:iot:", !Ref "AWS::Region", ":", !Ref "AWS::AccountId", ":client/theme*" ] ]
- Effect: Allow
Action:
- iot:Subscribe
Resource: "*"
- Effect: Allow
Action:
- iot:Receive
Resource: !Join [ "", [ "arn:aws:iot:", !Ref "AWS::Region", ":", !Ref "AWS::AccountId", ":topic/*" ] ]
解决方案
您应该搜索库中的方法,例如。
auth_role = aws_iam.Role(
self,
'ApiGwAuthRole',
assumed_by=aws_iam.ServicePrincipal("apigateway.amazonaws.com")
)
向资源添加策略
_sqs.add_to_resource_policy(
statement=aws_iam.PolicyStatement(
effect=aws_iam.Effect.ALLOW,
actions=['sqs:SendMessage'],
resources=[_sqs.queue_arn],
principals=[aws_iam.AnyPrincipal()],
conditions={
"ArnEquals": {"aws:SourceArn": _source.ref}
}
)
)
推荐阅读
- angular - 控制台中日期的返回格式与输入中的不同
- c# - 无法访问受密码保护的 Microsoft accdb 数据库 Microsoft.ACE.OLEDB.12.0
- javascript - 带有 JS 的返回顶部按钮
- c# - 基于全屏文本应用程序的 GUI
- c# - Dynamics Crm 创建新帐户 Selenium C#
- javascript - 在 React 的分页上添加活动类的问题
- spring - springboot项目如何在查询中提供参数
- c# - 发送大量邮件时 SmtpClient.SendMailAsync 方法挂起
- svg - 从 Illustrator CC 导出到 SVG 后,Live Type 字体不会出现
- sas - 迄今为止的 SAS 文本