Unable to write policy document in AWS CDK using Python

Problem description
Hi, I am working on AWS CDK. I am trying to create a policy. Below is my code.
from aws_cdk import aws_iam as iam

MWSECSServiceRole = iam.Role(self, 'MWSECSServiceRole',
                             assumed_by=iam.ServicePrincipal('ecs.amazonaws.com'))
# Note: "{AccountId}" below is a literal string, not a substituted account id
MWSECSServiceRole.add_to_policy(iam.PolicyStatement(
    effect=iam.Effect.ALLOW,
    resources=["arn:aws:elasticloadbalancing:*:{AccountId}:loadbalancer/app/mws-*",
               "arn:aws:elasticloadbalancing:*:{AccountId}:listener-rule/app/mws-*",
               "arn:aws:elasticloadbalancing:*:{AccountId}:listener/app/mws-*",
               "arn:aws:elasticloadbalancing:*:{AccountId}:targetgroup/mws-*"],
    actions=["elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
             "elasticloadbalancing:DeregisterTargets",
             "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
             "elasticloadbalancing:RegisterTargets"]
))
MWSECSServiceRole.add_to_policy(iam.PolicyStatement(
    effect=iam.Effect.ALLOW,
    resources=["*"],
    actions=["ec2:AuthorizeSecurityGroupIngress", "ec2:Describe*", "elasticloadbalancing:Describe*"]
))
This generates the CloudFormation template below.
MWSECSServiceRoleDefaultPolicyD5E258B0:
  Type: AWS::IAM::Policy
  Properties:
    PolicyDocument:
      Statement:
        - Action:
            - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
            - elasticloadbalancing:DeregisterTargets
            - elasticloadbalancing:RegisterInstancesWithLoadBalancer
            - elasticloadbalancing:RegisterTargets
          Effect: Allow
          Resource:
            - arn:aws:elasticloadbalancing:*:{AccountId}:loadbalancer/app/mws-*
            - arn:aws:elasticloadbalancing:*:{AccountId}:listener-rule/app/mws-*
            - arn:aws:elasticloadbalancing:*:{AccountId}:listener/app/mws-*
            - arn:aws:elasticloadbalancing:*:{AccountId}:targetgroup/mws-*
        - Action:
            - ec2:AuthorizeSecurityGroupIngress
            - ec2:Describe*
            - elasticloadbalancing:Describe*
          Effect: Allow
          Resource: "*"
      Version: "2012-10-17"
    PolicyName: MWSECSServiceRoleDefaultPolicyD5E258B0
    Roles:
      - Ref: MWSECSServiceRole966AC1F9
  Metadata:
    aws:cdk:path: LocationCdkStack-cdkstack/MWSECSServiceRole/DefaultPolicy/Resource
When I try to deploy, it throws the error below.
The policy failed legacy parsing (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: e54462f7-f0bc-4a8c-9ec4-9530125113ec)
Can someone help me identify this issue? Any help would be appreciated. Thanks.

Recommended answer
I suggest you build your ARN using Stack.format_arn:
my_resource = core.Stack.of(self).format_arn(
    service="elasticloadbalancing",
    resource="loadbalancer",
    resource_name="app/mws-*"
)
See also: ARN manipulation.

Alternatively, you can concatenate strings and use core.Stack.of(self).account:
my_resource = "arn:aws:elasticloadbalancing:*:" + core.Stack.of(self).account + ":loadbalancer/app/mws-*"
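As an added example (not part of the question or the answer above, and not CDK code), a pre-deploy check that catches the root cause of the MalformedPolicyDocument error: a literal `{AccountId}` placeholder left in a Resource ARN of the synthesized PolicyDocument. The account id 123456789012 is constructed and stands in for `Stack.of(self).account`; the action lists are trimmed from the question's template; nothing here needs the CDK installed.

```python
import json
import re
from typing import Optional

# Braces are not valid in any ARN field; a literal "{AccountId}" left in a
# Resource string is what IAM's legacy parser rejects as MalformedPolicyDocument.
PLACEHOLDER = re.compile(r"\{[^{}]*\}")

def arn_problem(arn: str) -> Optional[str]:
    """Return why an ARN would fail policy validation, or None if it looks well-formed."""
    if arn == "*":
        return None  # a bare wildcard resource is always accepted
    hit = PLACEHOLDER.search(arn)
    if hit:
        return f"unresolved placeholder {hit.group(0)}"
    # arn:partition:service:region:account:resource (the resource part may contain ':')
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or not parts[1] or not parts[2]:
        return "not of the form arn:partition:service:region:account:resource"
    return None

def lint_policy_document(doc: dict) -> list:
    """List (statement index, ARN, problem) for every bad Resource in a PolicyDocument."""
    findings = []
    for i, stmt in enumerate(doc.get("Statement", [])):
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):  # CloudFormation allows a scalar here
            resources = [resources]
        for arn in resources:
            problem = arn_problem(arn)
            if problem:
                findings.append((i, arn, problem))
    return findings

def with_account(doc: dict, account: str) -> dict:
    """Copy of the document with every {AccountId} placeholder resolved to a real account id."""
    return json.loads(json.dumps(doc).replace("{AccountId}", account))

# The PolicyDocument from the question's synthesized template, as a dict (action lists trimmed).
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["elasticloadbalancing:RegisterTargets"],
         "Resource": ["arn:aws:elasticloadbalancing:*:{AccountId}:loadbalancer/app/mws-*",
                      "arn:aws:elasticloadbalancing:*:{AccountId}:targetgroup/mws-*"]},
        {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
    ],
}
```

Run `lint_policy_document` over the `PolicyDocument` of each `AWS::IAM::Policy` in the output of `cdk synth` before deploying; an empty result means every Resource ARN has the expected shape and no template placeholder survived.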