如何解决定义 IAM 策略以引用另一个文件中的参数
我想将策略部署为资源。
resource.yml
Resources:
MyGroupPolicy:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action:
- iam:ChangePassword
- iam:CreateLoginProfile
- iam:DeleteLoginProfile
- iam:GetAccountPasswordPolicy
- iam:GetAccountSummary
- iam:GetLoginProfile
- iam:UpdateLoginProfile
Effect: Allow
Resource:
- Ref: Param1
- Ref: Param2
- Ref: Param3
params.json
[
{
"ParameterKey": "Param1","ParameterValue": "arn:aws:iam::7777777777:user/${aws:username}"
},{
"ParameterKey": "Param2","ParameterValue": "arn:aws:iam::7777777777:mfa/*"
},{
"ParameterKey": "Param3","ParameterValue": "arn:aws:iam::7777777:mfa/${aws:username}"
}
]
部署命令
aws cloudformation create-stack --stack-name stack --template-body file://resource.yml --parameters
file://params.json --capabilities CAPABILITY_NAMED_IAM
An error occurred (ValidationError) when calling the CreateStack operation: Parameter values specified
for a template which does not require them.
解决方法
您在 Parameters
模板中缺少 resource.yml
部分,您可以在其中定义堆栈在输入方面的预期。模板实际上应如下所示:
Parameters:
Param1:
Type: String
Param2:
Type: String
Param3:
Type: String
Resources:
MyGroupPolicy:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action:
- iam:ChangePassword
- iam:CreateLoginProfile
- iam:DeleteLoginProfile
- iam:GetAccountPasswordPolicy
- iam:GetAccountSummary
- iam:GetLoginProfile
- iam:UpdateLoginProfile
Effect: Allow
Resource:
- Ref: Param1
- Ref: Param2
- Ref: Param3
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。