我正在创建一个 IAM 角色,以便将日志从一个堆栈发送到另一个堆栈中的 kinesis 流。 当我添加权限策略时,它失败并出现错误:
"Value of property PolicyDocument must be an object".
这是我的cloudformation.template.yml:
KinesisRole:
Type: AWS::IAM::Role
Properties:
RoleName: {'Fn::Sub': 'Kinesis-Role-${AWS::Region}'}
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service: [logs.amazonaws.com]
Action: ['sts:AssumeRole']
Policies:
- PolicyName: KinesisPolicy
PolicyDocument:
- Version: '2017-10-17'
Statement:
- Action: ['kinesis:PutRecord']
Effect: Allow
Resource: '*'
最佳答案
由于 Version
前面有 -
,因此您当前的 PolicyDocument
是一个对象列表。另外您的版本
也是错误的。所以应该是:
KinesisRole:
Type: AWS::IAM::Role
Properties:
RoleName: {'Fn::Sub': 'Kinesis-Role-${AWS::Region}'}
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service: [logs.amazonaws.com]
Action: ['sts:AssumeRole']
Policies:
- PolicyName: KinesisPolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Action: ['kinesis:PutRecord']
Effect: Allow
Resource: '*'
关于amazon-web-services - 创建 IAM 角色时出错 - 属性 PolicyDocument 的值必须是对象,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/66256445/