
Creating an IAM role from a template in SAM

How to solve: creating an IAM role from a template in SAM

I am trying to add an IAM role to an existing template that allows specific access to a bucket from an external source (Snowflake)

RoleNameForAccess:
    Type: AWS::IAM::Role
    Properties: 
      RoleName: RoleNameForAccess
      Description: A role that allows sNowflake to access the bucket
      Policies: 
        - PolicyName: 'SNowflakePolicyRole'
        - PolicyDocument:
          - Version: '2012-10-17'
            Statement:
            - Effect: Allow
              Action: 
                - s3:PutObject
                - s3:Getobject
                - s3:GetobjectVersion
                - s3:DeleteObject
                - s3:DeleteObjectVersion
              Resource: arn:aws:s3:::bucket-name/*
            - Effect: Allow
              Action: s3:ListBucket
              Resource: arn:aws:s3:::bucket-name
              Condition:
                StringLike:
                  s3:prefix:
                  - "*"

But it keeps throwing the error

Property PolicyDocument cannot be empty.

If I use dashes in the Policy document, I get this error

Value of property PolicyDocument must be an object

Maybe I'm missing some syntax but can't find what it is.

Thanks

Solution

You have a tiny mistake. You can have multiple policies, so Policies is an array.

RoleNameForAccess:
    Type: AWS::IAM::Role
    Properties: 
      RoleName: RoleNameForAccess
      Description: A role that allows snowflake to access the bucket
      Policies: 
        - PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: 
                  - s3:PutObject
                  - s3:GetObject
                  - s3:GetObjectVersion
                  - s3:DeleteObject
                  - s3:DeleteObjectVersion
                Resource: arn:aws:s3:::bucket-name/*
              - Effect: Allow
                Action: s3:ListBucket
                Resource: arn:aws:s3:::bucket-name
                Condition:
                  StringLike:
                    s3:prefix:
                    - "*"

PolicyName and AssumeRolePolicyDocument are missing. Updated according to the user guide here. You can change the AssumeRolePolicyDocument in the Principal section of the updated template below according to your requirements.

  RoleNameForAccess:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - arn:aws:iam::111111111111:user/testuser
            Action:
              - 'sts:AssumeRole'
      RoleName: RoleNameForAccess
      Description: A role that allows snowflake to access the bucket
      Policies: 
        - PolicyName: SnowflakePolicyRole
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: 
                  - s3:PutObject
                  - s3:GetObject
                  - s3:GetObjectVersion
                  - s3:DeleteObject
                  - s3:DeleteObjectVersion
                Resource: arn:aws:s3:::bucket-name/*
              - Effect: Allow
                Action: s3:ListBucket
                Resource: arn:aws:s3:::bucket-name
                Condition:
                  StringLike:
                    s3:prefix:
                    - "*"
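As an added example (not part of the original question or either answer), the small Python lint below takes the role resource in the shape PyYAML would load it and reports the same structural problems the two answers point out: a `Policies` entry split into two list items, a `PolicyDocument` written as a list instead of a mapping, and a missing `AssumeRolePolicyDocument`. It goes one step beyond the answers by also flagging a trust statement that names an AWS principal without an `sts:ExternalId` condition, which is the usual hardening for a role a third party assumes. The two templates are written as Python dicts so it runs without a YAML library, and the finding wording is mine, not CloudFormation's.

```python
"""Structural lint for the Policies / AssumeRolePolicyDocument properties of an
AWS::IAM::Role resource, as parsed from a SAM/CloudFormation template.

Added example (not from the original post). The templates below are the
question's broken one and the corrected one, written as the Python structures
PyYAML would produce, so no YAML library is needed to run this.
"""

# The questioner's original Policies block. Because "- PolicyName" and
# "- PolicyDocument" each start with a dash, they become two separate list
# items, and the extra dash under PolicyDocument turns the document into a list.
BROKEN_ROLE = {
    "Type": "AWS::IAM::Role",
    "Properties": {
        "RoleName": "RoleNameForAccess",
        "Policies": [
            {"PolicyName": "SNowflakePolicyRole"},
            {"PolicyDocument": [{"Version": "2012-10-17", "Statement": []}]},
        ],
    },
}

# The corrected role: one list item carrying both keys, PolicyDocument a
# mapping, and a trust policy (AssumeRolePolicyDocument) so the role can be
# assumed at all. The account id is the placeholder used in the answer.
FIXED_ROLE = {
    "Type": "AWS::IAM::Role",
    "Properties": {
        "RoleName": "RoleNameForAccess",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                "Principal": {"AWS": ["arn:aws:iam::111111111111:user/testuser"]},
                "Action": ["sts:AssumeRole"],
            }],
        },
        "Policies": [{
            "PolicyName": "SnowflakePolicyRole",
            "PolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [{
                    "Effect": "Allow",
                    "Action": ["s3:PutObject", "s3:GetObject"],
                    "Resource": "arn:aws:s3:::bucket-name/*",
                }],
            },
        }],
    },
}


def lint_role(resource):
    """Return a list of (level, message) findings for an AWS::IAM::Role.

    'error' findings are the shape problems CloudFormation rejects (the wording
    is ours, not AWS's); 'warn' findings are trust-policy hygiene.
    """
    findings = []
    props = resource.get("Properties", {})

    trust = props.get("AssumeRolePolicyDocument")
    if not isinstance(trust, dict):
        findings.append(("error", "AssumeRolePolicyDocument is required and must be an object"))
    else:
        for stmt in trust.get("Statement", []):
            principal = stmt.get("Principal", {})
            cond = stmt.get("Condition", {})
            has_external_id = any(
                "sts:ExternalId" in v for v in cond.values() if isinstance(v, dict)
            )
            # A cross-account AWS principal that can assume the role without an
            # ExternalId is the classic confused-deputy setup for vendor access.
            if (stmt.get("Effect") == "Allow" and isinstance(principal, dict)
                    and "AWS" in principal and not has_external_id):
                findings.append(("warn", "trust statement allows an AWS principal "
                                         "without an sts:ExternalId condition"))

    policies = props.get("Policies", [])
    if not isinstance(policies, list):
        findings.append(("error", "Policies must be a list"))
        return findings
    for i, pol in enumerate(policies):
        if not isinstance(pol, dict):
            findings.append(("error", f"Policies[{i}] must be an object"))
            continue
        if "PolicyName" not in pol:
            findings.append(("error", f"Policies[{i}]: PolicyName is required"))
        doc = pol.get("PolicyDocument")
        if doc is None:
            findings.append(("error", f"Policies[{i}]: PolicyDocument cannot be empty"))
        elif not isinstance(doc, dict):
            findings.append(("error", f"Policies[{i}]: PolicyDocument must be an object"))
    return findings


if __name__ == "__main__":
    for name, role in (("broken", BROKEN_ROLE), ("fixed", FIXED_ROLE)):
        print(name)
        for level, msg in lint_role(role):
            print(f"  [{level}] {msg}")
```

Running it on the broken template yields four errors, including the two messages the questioner saw; the corrected template passes the structural checks and only gets the ExternalId warning, which you would close by adding a `Condition` with `StringEquals` on `sts:ExternalId` to the trust statement.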
