amazon-web-services - CloudFormation new role/policy | Malformed policy document

Tags: amazon-web-services yaml aws-cloudformation

I am trying to create a new role and policy using CloudFormation.

When deploying I get the following error:

Syntax errors in policy. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 848a408e-b0f1-11e8-90b6-cf2a19d18ad2)

AWSTemplateFormatVersion: 2010-09-09
Description: >
  AWS CloudFormation Template
Parameters:
  StackName:
    Type: String
    Description: stack test
    Default: stackTest
  DclEnvironment:
    Type: String
    Description: Env
    AllowedValues :
      - test
      - dev
      - stage
      - prod
    Default: dev
  Domain:
    Type: String
    Description: Private Domain name
    Default: int.mydomain.com
  VpcId:
    Type: AWS::EC2::VPC::Id
    Default: xxxx
  AppAmiId:
    Type: AWS::EC2::Image::Id
    Description: Ec2 AMI ID
    Default: ami-XXXX
  KeyName:
    Type: AWS::EC2::KeyPair::KeyName
    Description: Key Name
    Default: xxxx
  SecurityGroupIds:
    Type: CommaDelimitedList
    Description: Comma-separated list of existing security group IDs in your VPC
    Default: sg-xxxx
  SubnetA:
    Description: Subnet from AZ a
    Type: String
    Default: subnet-xxxxx
  SubnetB:
    Description: Subnet from AZ b
    Type: String
    Default: subnet-xxxx
  SubnetC:
    Description: Subnet from AZ c
    Type: String
    Default: subnet-xxxx
  DbSubnetGroupA:
    Type: String
    Description: Subnet from AZ A
    Default: subnet-xxxx
  DbSubnetGroupB:
    Type: String
    Description: Subnet from AZ B
    Default: subnet-xxxxx
  DbSubnetGroupC:
    Type: String
    Description: Subnet from AZ C
    Default: subnet-xxxxx
Resources:
  monitoringRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Join
      - "-"
      - - !Ref DclEnvironment
        - "iam-01"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
        - Effect: Allow
          Action: sts:AssumeRole
          Principal:
            Service:
            - ec2.amazonaws.com
      Path: "/"
  policyEC2Monitoring:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: !Join
      - "-"
      - - !Ref DclEnvironment
        - "policy-01"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
        - Effect: Allow
          Action:
          - ec2:Describe*
          Ressource: "*"
        - Effect: Allow
          Action:
          - elasticloadbalancing:Describe*
          Ressource: "*"
        - Effect: Allow
          Action:
          - cloudwatch:ListMetrics*
          - cloudwatch:GetMetricStatistics
          - cloudwatch:Describe*
          Ressource: "*"
        - Effect: Allow
          Action:
          - autoscaling:Describe*
          Ressource: "*"
      Roles:
      - !Ref monitoringRole
  instanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      InstanceProfileName: !Join
      - "-"
      - - !Ref DclEnvironment
        - "inp-01"
      Path: "/"
      Roles:
      - !Ref monitoringRole

Thanks in advance,

Fas3r.

EDIT

If there is more than one action, the resource should be surrounded by [ "*" ]; if there is a single Action, there is no need to add a new line, it can be: Action: action name

br.

Best answer

As the error says, your yaml syntax is invalid.

You can use a web tool such as http://www.yamllint.com/ to fix the syntax issues.

Here is the yaml file with correct syntax:

AWSTemplateFormatVersion: 2010-09-09
Description: >
  AWS CloudFormation Template
Parameters:
  StackName:
    Type: String
    Description: stack test
    Default: stackTest
  DclEnvironment:
    Type: String
    Description: Env
    AllowedValues :
      - test
      - dev
      - stage
      - sbox
      - prod
    Default: dev
  DclPod:
    Type: String
    Description: Pod Name
    Default: enel
  DclService:
    Type: String
    Description: Pod Name
    Default: monitoring
  Domain:
    Type: String
    Description: Private Domain name
    Default: int.mydomain.com
  VpcId:
    Type: AWS::EC2::VPC::Id
    Default: vpc-4ac3bb21
  AppAmiId:
    Type: AWS::EC2::Image::Id
    Description: Ec2 AMI ID
    Default: ami-XXXX
  KeyName:
    Type: AWS::EC2::KeyPair::KeyName
    Description: Key Name
    Default: c3-kp-01
  SecurityGroupIds:
    Type: CommaDelimitedList
    Description: Comma-separated list of existing security group IDs in your VPC
    Default: sg-07f5186b
  SubnetA:
    Description: Subnet from AZ a
    Type: String
    Default: subnet-7d576316
  SubnetB:
    Description: Subnet from AZ b
    Type: String
    Default: subnet-496a0834
  SubnetC:
    Description: Subnet from AZ c
    Type: String
    Default: subnet-7d576316
  DbSubnetGroupA:
    Type: String
    Description: Subnet from AZ A
    Default: subnet-1154607a
  DbSubnetGroupB:
    Type: String
    Description: Subnet from AZ B
    Default: subnet-3d650740
  DbSubnetGroupC:
    Type: String
    Description: Subnet from AZ C
    Default: subnet-4d027e00
Resources:
  monitoringRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Join
      - "-"
      - - !Ref DclEnvironment
        - !Ref DclPod
        - !Ref DclService
        - "iam-01"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
        - Effect: Allow
          Action: sts:AssumeRole
          Principal:
            Service:
            - ec2.amazonaws.com
      Path: "/"
  policyEC2Monitoring:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: !Join
      - "-"
      - - !Ref DclEnvironment
        - !Ref DclPod
        - !Ref DclService
        - "policy-01"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
        - Effect: Allow
          Action:
          - ec2:Describe*
          Resource: "*"
        - Effect: Allow
          Action:
          - elasticloadbalancing:Describe*
          Resource: "*"
        - Effect: Allow
          Action:
          - cloudwatch:ListMetrics*
          - cloudwatch:GetMetricStatistics
          - cloudwatch:Describe*
          Resource: "*"
        - Effect: Allow
          Action:
          - autoscaling:Describe*
          Resource: "*"
      Roles:
      - !Ref monitoringRole
  instanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      InstanceProfileName: !Join
      - "-"
      - - !Ref DclEnvironment
        - !Ref DclPod
        - !Ref DclService
        - "inp-01"
      Path: "/"
      Roles:
      - !Ref monitoringRole

Hope this helps.
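An added pre-flight check, written for this page and not taken from the question or the answer above: the MalformedPolicyDocument error is returned by IAM, which rejects a policy document containing a statement key it does not recognise, and that class of mistake can be caught offline before `aws cloudformation deploy` is run. The script mirrors the structural rules IAM applies to a policy document (known top-level and statement keys, a valid Version, an Allow or Deny Effect, Action or NotAction, Resource or NotResource in an identity-based policy, where both `"*"` and `["*"]` are accepted, and a Principal but no Resource in a role's trust policy), so the misspelled `Ressource` key in the question's statements is exactly what it reports. The embedded template is a constructed JSON rendering of the question's role and policy with the intrinsic functions already resolved, the form CloudFormation hands to IAM; `lint_template_policies`, `lint_policy_document` and `fixed_template` are names of this example, not an AWS API.

```python
"""Offline structural lint for IAM policy documents in a CloudFormation template.
Added example: mimics the checks behind IAM's MalformedPolicyDocument rejection."""
import json

# Keys IAM accepts in a policy statement and at the top level of a document.
STATEMENT_KEYS = {"Sid", "Effect", "Principal", "NotPrincipal", "Action",
                  "NotAction", "Resource", "NotResource", "Condition"}
TOP_LEVEL_KEYS = {"Version", "Id", "Statement"}
VERSIONS = {"2012-10-17", "2008-10-17"}


def _as_list(value):
    """Action/Resource/Statement may be a single value or a list of values."""
    return value if isinstance(value, list) else [value]


def lint_statement(stmt, idx, identity_policy=True):
    """Return the problems found in one statement (empty list means OK)."""
    if not isinstance(stmt, dict):
        return [f"Statement[{idx}]: must be a mapping"]
    problems = []
    for key in stmt:
        if key not in STATEMENT_KEYS:
            problems.append(f"Statement[{idx}]: unknown key {key!r}")  # e.g. 'Ressource'
    if stmt.get("Effect") not in ("Allow", "Deny"):
        problems.append(f"Statement[{idx}]: Effect must be Allow or Deny")
    if not ({"Action", "NotAction"} & stmt.keys()):
        problems.append(f"Statement[{idx}]: Action or NotAction is required")
    has_resource = bool({"Resource", "NotResource"} & stmt.keys())
    has_principal = bool({"Principal", "NotPrincipal"} & stmt.keys())
    if identity_policy:
        # Identity-based policies (AWS::IAM::Policy) name resources, never principals.
        if not has_resource:
            problems.append(f"Statement[{idx}]: Resource or NotResource is required")
        if has_principal:
            problems.append(f"Statement[{idx}]: Principal is not allowed here")
    else:
        # Trust policies (AssumeRolePolicyDocument) name principals, never resources.
        if not has_principal:
            problems.append(f"Statement[{idx}]: Principal is required in a trust policy")
        if has_resource:
            problems.append(f"Statement[{idx}]: Resource is not allowed in a trust policy")
    for key in ("Action", "NotAction", "Resource", "NotResource"):
        if key in stmt and not all(isinstance(v, str) for v in _as_list(stmt[key])):
            problems.append(f"Statement[{idx}]: {key} must be a string or a list of strings")
    return problems


def lint_policy_document(doc, identity_policy=True):
    """Return all structural problems in a parsed policy document."""
    if not isinstance(doc, dict):
        return ["PolicyDocument must be a mapping"]
    problems = [f"unknown top-level key {k!r}" for k in doc if k not in TOP_LEVEL_KEYS]
    if doc.get("Version") not in VERSIONS:
        problems.append("Version must be 2012-10-17 (or the legacy 2008-10-17)")
    if "Statement" not in doc:
        return problems + ["Statement is required"]
    for idx, stmt in enumerate(_as_list(doc["Statement"])):
        problems.extend(lint_statement(stmt, idx, identity_policy))
    return problems


def lint_template_policies(template):
    """Lint every policy document in a parsed template; returns {logical_id: problems}."""
    findings = {}
    for logical_id, res in template.get("Resources", {}).items():
        props, rtype = res.get("Properties", {}), res.get("Type", "")
        if rtype in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy") and "PolicyDocument" in props:
            problems = lint_policy_document(props["PolicyDocument"], identity_policy=True)
        elif rtype == "AWS::IAM::Role" and "AssumeRolePolicyDocument" in props:
            problems = lint_policy_document(props["AssumeRolePolicyDocument"], identity_policy=False)
        else:
            continue
        if problems:
            findings[logical_id] = problems
    return findings


# Constructed sample: the question's role and policy as the JSON CloudFormation
# sends to IAM, with !Ref/!Join already resolved and the original 'Ressource' typo.
BROKEN_TEMPLATE = json.loads("""
{"Resources": {
  "monitoringRole": {"Type": "AWS::IAM::Role", "Properties": {
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
      {"Effect": "Allow", "Action": "sts:AssumeRole",
       "Principal": {"Service": ["ec2.amazonaws.com"]}}]}}},
  "policyEC2Monitoring": {"Type": "AWS::IAM::Policy", "Properties": {
    "PolicyDocument": {"Version": "2012-10-17", "Statement": [
      {"Effect": "Allow", "Action": ["ec2:Describe*"], "Ressource": "*"},
      {"Effect": "Allow", "Action": ["autoscaling:Describe*"], "Ressource": "*"}]}}}}}
""")


def fixed_template():
    """The same template with the misspelled key corrected; it lints clean."""
    fixed = json.loads(json.dumps(BROKEN_TEMPLATE))  # deep copy via JSON round-trip
    policy = fixed["Resources"]["policyEC2Monitoring"]["Properties"]["PolicyDocument"]
    for stmt in policy["Statement"]:
        stmt["Resource"] = stmt.pop("Ressource")
    return fixed


if __name__ == "__main__":
    for name, tpl in (("broken", BROKEN_TEMPLATE), ("fixed", fixed_template())):
        print(name, lint_template_policies(tpl) or "OK")
```

To use it on a real template, load the YAML with a CloudFormation-aware loader (one that understands the `!Ref` and `!Join` tags) and pass the resulting dict to `lint_template_policies`; only the structure of each policy document is checked, so intrinsic functions in `Resource` values are fine as long as they resolve to strings.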

On amazon-web-services - CloudFormation new role/policy | Malformed policy document, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/52182378/
