This is the role I am currently using; it was created through the IAM console.
Then I tried to create another role with the same permissions using CloudFormation, following the tutorial below.
https://blog.petej.org/2020/01/04/infrastructure-as-code-with-aws-lambda-and-api-gateway/
However, after creating the role, I found that all of its policies were inline policies.
Is there any difference from my current role in terms of permissions?
I use Role.json as the template for the stack.
Role.json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "LambdaRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "hello-world-Admin",
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{
            "Effect": "Allow",
            "Principal": {
              "Service": ["lambda.amazonaws.com"]
            },
            "Action": ["sts:AssumeRole"]
          }]
        },
        "Path": "/",
        "Policies": [
          {
            "PolicyName": "AWSLambdaBasicExecutionRole",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [{
                "Effect": "Allow",
                "Action": [
                  "logs:CreateLogGroup",
                  "logs:CreateLogStream",
                  "logs:PutLogEvents"
                ],
                "Resource": "*"
              }]
            }
          },
          {
            "PolicyName": "AmazonS3GetObject",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [{
                "Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": [
                  "arn:aws:s3:::pj-lambda-functions/",
                  "arn:aws:s3:::pj-lambda-functions/*"
                ]
              }]
            }
          },
          {
            "PolicyName": "AmazonS3FullAccess",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [{
                "Effect": "Allow",
                "Action": "s3:*",
                "Resource": "*"
              }]
            }
          },
          {
            "PolicyName": "AmazonDynamoDBFullAccess",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Action": [
                    "dynamodb:*",
                    "dax:*",
                    "application-autoscaling:DeleteScalingPolicy",
                    "application-autoscaling:DeregisterScalableTarget",
                    "application-autoscaling:DescribeScalableTargets",
                    "application-autoscaling:DescribeScalingActivities",
                    "application-autoscaling:DescribeScalingPolicies",
                    "application-autoscaling:PutScalingPolicy",
                    "application-autoscaling:RegisterScalableTarget",
                    "cloudwatch:DeleteAlarms",
                    "cloudwatch:DescribeAlarmHistory",
                    "cloudwatch:DescribeAlarms",
                    "cloudwatch:DescribeAlarmsForMetric",
                    "cloudwatch:GetMetricStatistics",
                    "cloudwatch:ListMetrics",
                    "cloudwatch:PutMetricAlarm",
                    "datapipeline:ActivatePipeline",
                    "datapipeline:CreatePipeline",
                    "datapipeline:DeletePipeline",
                    "datapipeline:DescribeObjects",
                    "datapipeline:DescribePipelines",
                    "datapipeline:GetPipelineDefinition",
                    "datapipeline:ListPipelines",
                    "datapipeline:PutPipelineDefinition",
                    "datapipeline:QueryObjects",
                    "ec2:DescribeVpcs",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeSecurityGroups",
                    "iam:GetRole",
                    "iam:ListRoles",
                    "kms:DescribeKey",
                    "kms:ListAliases",
                    "sns:CreateTopic",
                    "sns:DeleteTopic",
                    "sns:ListSubscriptions",
                    "sns:ListSubscriptionsByTopic",
                    "sns:ListTopics",
                    "sns:Subscribe",
                    "sns:Unsubscribe",
                    "sns:SetTopicAttributes",
                    "lambda:CreateFunction",
                    "lambda:ListFunctions",
                    "lambda:ListEventSourceMappings",
                    "lambda:CreateEventSourceMapping",
                    "lambda:DeleteEventSourceMapping",
                    "lambda:GetFunctionConfiguration",
                    "lambda:DeleteFunction",
                    "resource-groups:ListGroups",
                    "resource-groups:ListGroupResources",
                    "resource-groups:GetGroup",
                    "resource-groups:GetGroupQuery",
                    "resource-groups:DeleteGroup",
                    "resource-groups:CreateGroup",
                    "tag:GetResources"
                  ],
                  "Effect": "Allow",
                  "Resource": "*"
                },
                {
                  "Action": "cloudwatch:GetInsightRuleReport",
                  "Effect": "Allow",
                  "Resource": "arn:aws:cloudwatch:*:*:insight-rule/DynamoDBContributorInsights*"
                },
                {
                  "Action": [
                    "iam:PassRole"
                  ],
                  "Effect": "Allow",
                  "Resource": "*",
                  "Condition": {
                    "StringLike": {
                      "iam:PassedToService": [
                        "application-autoscaling.amazonaws.com",
                        "dax.amazonaws.com"
                      ]
                    }
                  }
                },
                {
                  "Effect": "Allow",
                  "Action": [
                    "iam:CreateServiceLinkedRole"
                  ],
                  "Resource": "*",
                  "Condition": {
                    "StringEquals": {
                      "iam:AWSServiceName": [
                        "replication.dynamodb.amazonaws.com",
                        "dax.amazonaws.com",
                        "dynamodb.application-autoscaling.amazonaws.com",
                        "contributorinsights.dynamodb.amazonaws.com"
                      ]
                    }
                  }
                }
              ]
            }
          },
          {
            "PolicyName": "CognitoUserPoolsManagement",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Sid": "VisualEditor0",
                  "Effect": "Allow",
                  "Action": "cognito-idp:ListUsers",
                  "Resource": "*"
                }
              ]
            }
          },
          {
            "PolicyName": "DynamoDBWriteAccess",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Sid": "VisualEditor0",
                  "Effect": "Allow",
                  "Action": [
                    "dynamodb:PutItem",
                    "dynamodb:DeleteItem",
                    "dynamodb:GetItem",
                    "dynamodb:Scan",
                    "dynamodb:UpdateItem"
                  ],
                  "Resource": "arn:aws:dynamodb:us-east-1:063575524122:table/test_users"
                }
              ]
            }
          },
          {
            "PolicyName": "hello-world-s3-policy",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Sid": "VisualEditor0",
                  "Effect": "Allow",
                  "Action": [
                    "s3:PutObject",
                    "s3:GetObject",
                    "s3:PutObjectAcl"
                  ],
                  "Resource": "arn:aws:s3:::kwai-tsing-dev/*"
                }
              ]
            }
          }
        ]
      }
    },
    "ApiGatewayRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "kwai-tsing-api-for-lambda",
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{
            "Effect": "Allow",
            "Principal": {
              "Service": ["apigateway.amazonaws.com"]
            },
            "Action": ["sts:AssumeRole"]
          }]
        },
        "Policies": [
          {
            "PolicyName": "AWSApiGateWay",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [{
                "Effect": "Allow",
                "Action": "lambda:InvokeFunction",
                "Resource": "*"
              }]
            }
          },
          {
            "PolicyName": "ApiGatewayFullAccess",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [{
                "Effect": "Allow",
                "Action": [
                  "apigateway:*"
                ],
                "Resource": "*"
              }]
            }
          }
        ]
      }
    },
    "MyRestApi": {
      "Type": "AWS::ApiGateway::RestApi",
      "Properties": {
        "Body": {
          "OpenAPI specification": null
        },
        "Description": "A test API",
        "Name": "MyRestAPI"
      }
    }
  }
}
On a related note, I would also like to ask the following, since I am a beginner with AWS CloudFormation.
1. What is the most popular option for managing the stack: through the CLI, or by creating the stack directly in the CloudFormation console?
2. How should I decide the contents of the template? For example, if I use API Gateway, Lambda and DynamoDB together, should I create three separate template files, or a single file containing all of them?
Best answer
If you don't want to use inline policies, you must first create an AWS::IAM::ManagedPolicy and then reference it in the ManagedPolicyArns of your role.
Does it have any difference with my current role in terms of permission?
No, it doesn't. The benefit of managed policies is that you can create one managed policy and reference it in multiple roles, users or groups. Inline policies, by contrast, always have to be duplicated, which makes management harder.
1. What is the most popular option to manage the stack, by CLI or by creating the stack in the CloudFormation console directly?
It depends on your use case. There is no single correct answer that fits all possible situations. But if you want to go fully IaC, you should avoid console deployments and keep everything as code under source control, including the deployment process/scripts.
How to decide the contents of the template, for example, if I use API Gateway, Lambda and DynamoDB together, should I create 3 separate template files, or a single file containing all of them?
Again, it depends. If they are part of the same application, I would keep them in one template. Then, as with a single deployment, you create the entire application stack at once, and the same applies when you tear it down. But if they are completely unrelated to each other, I would keep them separate, which gives you more room and freedom for modifications.
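As an added example (not part of the question or the answer above), this is how the answer's approach looks for the first inline policy of Role.json: the logging statement becomes a customer managed policy resource, and two roles attach it through ManagedPolicyArns, where a Ref to an AWS::IAM::ManagedPolicy resolves to its ARN. The second entry of the first role attaches the AWS managed AmazonDynamoDBFullAccess policy by ARN instead of copying its statements inline; the policy name and the second role's name are assumptions.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "LambdaLoggingPolicy": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "ManagedPolicyName": "hello-world-lambda-logging",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{
            "Effect": "Allow",
            "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": "*"
          }]
        }
      }
    },
    "LambdaRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "hello-world-Admin",
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{ "Effect": "Allow", "Action": "sts:AssumeRole",
                          "Principal": { "Service": "lambda.amazonaws.com" } }]
        },
        "ManagedPolicyArns": [
          { "Ref": "LambdaLoggingPolicy" },
          "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess"
        ]
      }
    },
    "SecondLambdaRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "hello-world-worker",
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{ "Effect": "Allow", "Action": "sts:AssumeRole",
                          "Principal": { "Service": "lambda.amazonaws.com" } }]
        },
        "ManagedPolicyArns": [{ "Ref": "LambdaLoggingPolicy" }]
      }
    }
  }
}
```

Both roles end up with exactly the permissions the inline statement granted; changing the logging permissions later means editing one policy resource rather than every role that copied it.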
Regarding amazon-web-services - aws cloudformation - permission control/routine, a similar question was found on Stack Overflow: https://stackoverflow.com/questions/64554899/