我正在尝试将 IAM 角色添加到现有模板,以允许从外部源(雪花)对存储桶进行某些访问
RoleNameForAccess:
Type: AWS::IAM::Role
Properties:
RoleName: RoleNameForAccess
Description: A role that allows snowflake to access the bucket
Policies:
- PolicyName: 'SnowflakePolicyRole'
- PolicyDocument:
- Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- s3:PutObject
- s3:GetObject
- s3:GetObjectVersion
- s3:DeleteObject
- s3:DeleteObjectVersion
Resource: arn:aws:s3:::bucket-name/*
- Effect: Allow
Action: s3:ListBucket
Resource: arn:aws:s3:::bucket-name
Condition:
StringLike:
s3:prefix:
- "*"
但它不断抛出错误:
属性策略文档不能为空。
如果我在策略文档中使用破折号,则会收到此错误:
PolicyDocument 属性的值必须是一个对象
也许我缺少一些语法,但找不到它是什么。
谢谢
最佳答案
缺少
PolicyName 和 AssumeRolePolicyDocument。根据用户指南更新here 。您可以根据您的要求在以下更新的 AssumeRolePolicyDocument 部分中更改 Principal。
RoleNameForAccess:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
AWS:
- arn:aws:iam::111111111111:user/testuser
Action:
- 'sts:AssumeRole'
RoleName: RoleNameForAccess
Description: A role that allows snowflake to access the bucket
Policies:
- PolicyName: SnowflakePolicyRole
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- s3:PutObject
- s3:GetObject
- s3:GetObjectVersion
- s3:DeleteObject
- s3:DeleteObjectVersion
Resource: arn:aws:s3:::bucket-name/*
- Effect: Allow
Action: s3:ListBucket
Resource: arn:aws:s3:::bucket-name
Condition:
StringLike:
s3:prefix:
- "*"
关于amazon-s3 - 从 SAM 中的模板创建 IAM 角色,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/68069050/