Cloudformation模板为SQS创建角色 [英] Cloudformation template to create a role for SQS
问题描述
我正在尝试使用cloudformation模板创建具有嵌入式策略的角色:
I am trying to create a role with embedded policy using cloudformation template :
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"SQSRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version" : "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Principal": {
"Service": [ "sqs.amazonaws.com" ]
},
"Action": [
"SQS:SendMessage",
"SQS:ReceiveMessage",
"SQS:DeleteMessage",
"SQS:GetQueueUrl"
]
} ]
},
"Path": "/"
}
},
"RootInstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [ {
"Ref": "SQSRole"
} ]
}
}
}
}
它给出错误策略中的主体无效: SERVICE: sqs.amazonaws.com。
It gives an error " Invalid principal in policy: "SERVICE":"sqs.amazonaws.com".
我也尝试通过替换SQS队列的确切URL: SERVICE: sqs.ap-south-1.amazonaws.com/710161973367/CFI-Trace
I also tried by replacing exact URL of SQS queue : "SERVICE":"sqs.ap-south-1.amazonaws.com/710161973367/CFI-Trace"
仍然给出相同的错误。不确定要为sqs指定什么服务。
Still it gives same error. Not sure what service to specify for sqs.
推荐答案
如果要创建由EC2承担的IAM角色例如,您应该改用以下示例:
If you're trying to create an IAM role to be assumed by an EC2 instance, you should use this instead:
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"SQSRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"Policies": [
{
"PolicyName": "SqsAccess",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Action": [
"SQS:SendMessage",
"SQS:ReceiveMessage",
"SQS:DeleteMessage",
"SQS:GetQueueUrl"
],
"Resource": [
"*"
]
}
]
}
}
]
}
},
"RootInstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [
{
"Ref": "SQSRole"
}
]
}
}
}
}
请注意,该服务将假定您的IAM角色现在是 ec2.amazonaws.com
。此外,现在仅允许EC2服务承担您的IAM角色(通过 sts:AssumeRole
)。最后,您所有的 sqs:*
操作已移至IAM角色的策略
属性。
Note that the service that will assume your IAM role is now ec2.amazonaws.com
. Also, the EC2 service is now only allowed to assume your IAM role (via sts:AssumeRole
). Finally, all your sqs:*
Actions have been moved into the IAM Role's Policies
attribute.
这篇关于Cloudformation模板为SQS创建角色的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!