Cloudformation模板为SQS创建角色 [英] Cloudformation template to create a role for SQS

查看:109
本文介绍了Cloudformation模板为SQS创建角色的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我正在尝试使用cloudformation模板创建具有嵌入式策略的角色:

I am trying to create a role with embedded policy using cloudformation template : 

{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
  "SQSRole": {
     "Type": "AWS::IAM::Role",
     "Properties": {
        "AssumeRolePolicyDocument": {
           "Version" : "2012-10-17",
           "Statement": [ {
              "Effect": "Allow",
              "Principal": {
                 "Service": [ "sqs.amazonaws.com" ]
              },
              "Action": [
                    "SQS:SendMessage",
                    "SQS:ReceiveMessage",
                    "SQS:DeleteMessage",
                    "SQS:GetQueueUrl"
                ]
           } ]
        },
        "Path": "/"
        }
  },
  "RootInstanceProfile": {
     "Type": "AWS::IAM::InstanceProfile",
     "Properties": {
        "Path": "/",
        "Roles": [ {
           "Ref": "SQSRole"
        } ]
     }
  }
}
}

它给出错误策略中的主体无效: SERVICE: sqs.amazonaws.com。

It gives an error " Invalid principal in policy: "SERVICE":"sqs.amazonaws.com".

我也尝试通过替换SQS队列的确切URL: SERVICE: sqs.ap-south-1.amazonaws.com/710161973367/CFI-Trace

I also tried by replacing exact URL of SQS queue : "SERVICE":"sqs.ap-south-1.amazonaws.com/710161973367/CFI-Trace"

仍然给出相同的错误。不确定要为sqs指定什么服务。

Still it gives same error. Not sure what service to specify for sqs.

推荐答案

如果要创建由EC2承担的IAM角色例如,您应该改用以下示例:

If you're trying to create an IAM role to be assumed by an EC2 instance, you should use this instead:

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "SQSRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "ec2.amazonaws.com"
                ]
              },
              "Action": [
                "sts:AssumeRole"
              ]
            }
          ]
        },
        "Path": "/",
        "Policies": [
          {
            "PolicyName": "SqsAccess",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Sid": "1",
                  "Effect": "Allow",
                  "Action": [
                    "SQS:SendMessage",
                    "SQS:ReceiveMessage",
                    "SQS:DeleteMessage",
                    "SQS:GetQueueUrl"
                  ],
                  "Resource": [
                    "*"
                  ]
                }
              ]
            }
          }
        ]
      }
    },
    "RootInstanceProfile": {
      "Type": "AWS::IAM::InstanceProfile",
      "Properties": {
        "Path": "/",
        "Roles": [
          {
            "Ref": "SQSRole"
          }
        ]
      }
    }
  }
}

请注意,该服务将假定您的IAM角色现在是 ec2.amazonaws.com 。此外,现在仅允许EC2服务承担您的IAM角色(通过 sts:AssumeRole )。最后,您所有的 sqs:* 操作已移至IAM角色的策略属性。

Note that the service that will assume your IAM role is now ec2.amazonaws.com. Also, the EC2 service is now only allowed to assume your IAM role (via sts:AssumeRole). Finally, all your sqs:* Actions have been moved into the IAM Role's Policies attribute.

这篇关于Cloudformation模板为SQS创建角色的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
其他开发最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆