我正在尝试通过 cloudformation 为现有 IAM 用户作为主体和现有 dynamodb 表创建 IAM 角色。我已经通过 yamlint 进行了验证,并且 yaml 格式正确,但 cloudformation 提示文件格式错误。
以下是我的cloudformation模板:
AWSTemplateFormatVersion: 2010-09-09
Parameters:
vTableName:
Type: String
Description: the tablename
Default: arn:aws:dynamodb:ap-southeast-2:1234567:table/test-table
vUserName:
Type: String
Description: New account username
Default: mytestuser
Resources:
DynamoRoleForTest:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
AWS:
- !Sub 'arn:aws:iam::${AWS::AccountId}:user/${vUserName}'
Action:
- sts:AssumeRole
Path: /
Policies:
- PolicyName: DynamoPolicy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
- Action:
- dynamodb:BatchGet*
- dynamodb:DescribeStream
- dynamodb:DescribeTable
- dynamodb:Get*
- dynamodb:Query
- dynamodb:Scan
Resource: !Ref vTableName
以下是我尝试创建此模板时收到的错误:
策略中存在语法错误。 (服务:AmazonIdentityManagement;状态代码:400;错误代码:MalformedPolicyDocument;请求 ID:237dd218-a2a2-4194-9063-104f8022cb80)
感谢您的建议。
最佳答案
您的操作中存在不需要的-:
- Action:
因此,您的模板应该是(删除 -):
AWSTemplateFormatVersion: 2010-09-09
Parameters:
vTableName:
Type: String
Description: the tablename
Default: arn:aws:dynamodb:ap-southeast-2:1234567:table/test-table
vUserName:
Type: String
Description: New account username
Default: mytestuser
Resources:
DynamoRoleForTest:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
AWS:
- !Sub 'arn:aws:iam::${AWS::AccountId}:user/${vUserName}'
Action:
- sts:AssumeRole
Path: /
Policies:
- PolicyName: DynamoPolicy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- dynamodb:BatchGet*
- dynamodb:DescribeStream
- dynamodb:DescribeTable
- dynamodb:Get*
- dynamodb:Query
- dynamodb:Scan
Resource: !Ref vTableName
原理很好,假设它存在。
关于amazon-web-services - 通过 CloudFormation 的 IAM 角色原则错误,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/63464899/