AWS CloudFormation circular dependency between resources

How to resolve an AWS CloudFormation circular dependency between resources

I am trying to create a SageMaker role, and as trusted principals I need the sagemaker service as well as the role itself. The problem is that I get the following error:

调用 CreateChangeSet 操作时发生错误(ValidationError):资源之间的循环依赖:[SagemakerRole]

SagemakerRole:
  Type: 'AWS::IAM::Role'
  Properties:
    RoleName: sagemaker-role
    AssumeRolePolicyDocument:
      Version: 2012-10-17
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - sagemaker.amazonaws.com
          Action: 'sts:AssumeRole'
        - Effect: Allow
          Principal:
            AWS:
              - !Ref SagemakerRole
          Action: 'sts:AssumeRole'
    Path: /
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/AmazonS3FullAccess
      - arn:aws:iam::aws:policy/AmazonSageMakerFullAccess

I need to somehow pass in the following principal: "arn:aws:iam::${AWS::AccountId}:role/sagemaker-role"

Solution

I think the only way is to do it in two stages via a custom resource:

  1. Create your role with the "normal" trust policy
  2. Update the role using a custom resource

Below is a complete working example of how to do it:


Resources:

  SagemakerRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: sagemaker-role
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - sagemaker.amazonaws.com
            Action: 'sts:AssumeRole'
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonS3FullAccess            
        - arn:aws:iam::aws:policy/AmazonSageMakerFullAccess


  LambdaBasicExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
        - Effect: Allow
          Principal:
            Service: lambda.amazonaws.com
          Action: sts:AssumeRole
      Path: /
      Policies:
       - PolicyName: UpdateAssumePolicy
         PolicyDocument:
           Version: 2012-10-17
           Statement:          
             - Effect: Allow
               Action: 
                  - iam:UpdateAssumeRolePolicy
                  - iam:GetRole
               Resource: !GetAtt SagemakerRole.Arn        
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

  MyCustomResource:
    Type: Custom::RoleAssumesItself
    Properties:
      ServiceToken: !GetAtt MyCustomFunction.Arn
      RoleName: !Ref SagemakerRole

  MyCustomFunction:
    Type: AWS::Lambda::Function
    Properties:
      Handler: index.lambda_handler
      Timeout: 10
      Role: !GetAtt 'LambdaBasicExecutionRole.Arn'
      Runtime: python3.7
      Code:
        ZipFile: |
          import json
          import cfnresponse
          import boto3

          iam = boto3.resource('iam')

          def lambda_handler(event,context):

            print(json.dumps(event,default=str))
            
            try:

              responseData = {}

              if event['RequestType'] in ["Create"]:                      
                
                role_name = event['ResourceProperties']['RoleName']                

                role = iam.Role(role_name)
                
                current_permissions = role.assume_role_policy_document
                
                print(current_permissions)
                
                current_permissions['Statement'].append(
                      {'Effect': 'Allow','Principal': 
                          {'AWS': role.arn},'Action': 'sts:AssumeRole'
                      })
                      
                #print(current_permissions)
                
                response = role.AssumeRolePolicy().update(
                      PolicyDocument=json.dumps(current_permissions))
                
                print(response)

                cfnresponse.send(event,context,cfnresponse.SUCCESS,responseData)

              else:
                print('Unexpected RequestType!') 
                cfnresponse.send(event,responseData)

            except Exception as err:

              print(str(err))
              responseData = {"Data": str(err)}
              cfnresponse.send(event,cfnresponse.FAILED,responseData)
            return        
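As an added example (not the answer's code), here is the trust-policy edit the custom resource performs, written as pure functions so it can be checked offline: it makes the self-trust statement idempotent (the Lambda above appends unconditionally, so a re-run would duplicate it) and gives Delete an inverse edit back to the stage-1 policy. The account id in the sample ARN is made up, the Update/Delete handling is an assumption, and the boto3 calls (GetRole / UpdateAssumeRolePolicy) are left out.

```python
from copy import deepcopy

SELF_ASSUME_ACTION = "sts:AssumeRole"

def _as_list(value):
    """IAM allows a string or a list in Principal.AWS, Action and Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _is_self_assume(stmt, role_arn):
    """True if this statement is the 'role trusts itself' statement."""
    principal = stmt.get("Principal")
    aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
    return (stmt.get("Effect") == "Allow"
            and role_arn in aws
            and SELF_ASSUME_ACTION in _as_list(stmt.get("Action")))

def add_self_assume(policy, role_arn):
    """Stage 2 of the answer: append the self-trust statement, idempotently."""
    new = deepcopy(policy)
    stmts = _as_list(new.get("Statement"))
    if not any(_is_self_assume(s, role_arn) for s in stmts):
        stmts.append({"Effect": "Allow",
                      "Principal": {"AWS": role_arn},
                      "Action": SELF_ASSUME_ACTION})
    new["Statement"] = stmts
    return new

def remove_self_assume(policy, role_arn):
    """Inverse edit, so a stack Delete leaves the stage-1 trust policy behind."""
    new = deepcopy(policy)
    new["Statement"] = [s for s in _as_list(new.get("Statement"))
                        if not _is_self_assume(s, role_arn)]
    return new

def apply_request(request_type, policy, role_arn):
    """Map a custom-resource RequestType to the trust-policy edit it implies (assumed)."""
    if request_type in ("Create", "Update"):
        return add_self_assume(policy, role_arn)
    if request_type == "Delete":
        return remove_self_assume(policy, role_arn)
    raise ValueError(f"unexpected RequestType {request_type!r}")

# Constructed sample input: the stage-1 trust policy; the account id is made up.
SAMPLE_ARN = "arn:aws:iam::123456789012:role/sagemaker-role"
STAGE1_POLICY = {"Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow",
                                "Principal": {"Service": "sagemaker.amazonaws.com"},
                                "Action": SELF_ASSUME_ACTION}]}
```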
