在SAM模板中添加PermissionBoundary失败 [英] Adding PermissionBoundary fails in SAM template

问题描述

下面是SAM模板：

Resources:
  HelloWorldFunction:
    Type: AWS::Serverless::Function 
    Properties:
      CodeUri: hello-world/
      Handler: app.LambdaHandler
      Runtime: nodejs8.10
      Events:
        MySQSEvent:
          Type: SQS
          Properties:
            Queue: !GetAtt SomeQueue.Arn
            BatchSize: 10
      PermissionsBoundary: "arn:aws:iam::${AWS::AccountId}:policy/AddPermission"

  SomeQueue:
    Type: AWS::SQS::Queue

  AddPermission:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument: 
        Version: 2012-10-17
        Statement: 
          - Sid: "PermissionBoundaryForLogGroup"
            Effect: "Allow"
            Action: 
            - "logs:CreateLogGroup"
            Resource:
              - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:*"

---

以下错误：

---

that gives below error:

{
            "StackId": "arn:aws:cloudformation:us-east-1:285774445527:stack/somestack/f986eb30-a5a0-11e9-9771-1273bfab49fc", 
            "EventId": "cb4be9e0-a682-11e9-bac4-12d48e821f84", 
            "ResourceStatus": "UPDATE_ROLLBACK_IN_PROGRESS", 
            "ResourceType": "AWS::CloudFormation::Stack", 
            "Timestamp": "2019-07-14T22:00:29.808Z", 
            "ResourceStatusReason": "The following resource(s) failed to create: [AddPermission]. The following resource(s) failed to update: [HelloWorldFunctionRole]. ", 
            "StackName": "pocstack", 
            "PhysicalResourceId": "arn:aws:cloudformation:us-east-1:285774445527:stack/somestack/f986eb30-a5a0-11e9-9771-1273bfab49fc", 
            "LogicalResourceId": "pocstack"
        }, 
        {
            "StackId": "arn:aws:cloudformation:us-east-1:285774445527:stack/pocstack/f986eb30-a5a0-11e9-9771-1273bfab49fc", 
            "EventId": "AddPermission-CREATE_FAILED-2019-07-14T22:00:29.100Z", 
            "ResourceStatus": "CREATE_FAILED", 
            "ResourceType": "AWS::IAM::ManagedPolicy", 
            "Timestamp": "2019-07-14T22:00:29.100Z", 
            "ResourceStatusReason": "Resource creation cancelled", 
            "StackName": "pocstack", 
            "ResourceProperties": "{\"PolicyDocument\":{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"logs:CreateLogGroup\"],\"Resource\":[\"arn:aws:logs:us-east-1:285774445527:log-group:*\"],\"Effect\":\"Allow\",\"Sid\":\"PermissionBoundaryForLogGroup\"}]}}", 
            "PhysicalResourceId": "arn:aws:iam::285774445527:policy/somestack-AddPermission-GKXVOXLQARLR", 
            "LogicalResourceId": "AddPermission"
        }, 

---

如果使用新堆栈，则错误是： ResourceStatusReason：已取消资源创建

为什么无法创建名称为 AddPermission 的托管策略？

Why Managed policy by name AddPermission fails to get created?

推荐答案

与此相关的问题很少。

首先，您不能硬编码资源名称 AddPermission

First, you can't hard code resource name of AddPermission like that

PermissionsBoundary: "arn:aws:iam::${AWS::AccountId}:policy/AddPermission"

因为您不知道真实姓名将创建的资源。会是这样的

because you don't know the actual name of the resource that will be created. It will be something like this

arn:aws:iam::859119227216:policy/test-permissions-AddPermission-CK3PYCO10NV1

，结尾处是随机字符串。正确的引用方式是通过 Ref 函数。

with the random string at the end. Correct way to reference it is via Ref function.

PermissionsBoundary: !Ref AddPermission

另一个问题是您正在创建SQS轮询器lambda函数，但是权限边界阻止了SQS权限，因此

Another issue is that you are creating SQS poller lambda function but your permission boundaries block SQS permissions therefore the stack will fail to create that lambda function.

您将需要在权限边界中添加类似的内容（当然，您无需添加完整的SQS

You will need to add something like this to your permission boundaries (of course, you don't need to add full SQS permissions to any resource, just enough for function to work with a particular queue).

- Sid: 'AllowReadSQSMessages'
  Effect: 'Allow'
  Action:
      - 'sqs:*'
  Resource: '*'

这里是可以使用的完整模板（假设正确的代码位置和处理程序名称，但可以随时更改）。

Here is full template that works (assuming correct code location and handler name but feel free to change it).

Transform: 'AWS::Serverless-2016-10-31'
Resources:
    HelloWorldFunction:
        Type: AWS::Serverless::Function
        Properties:
            CodeUri: ./src
            Handler: index.handler
            Runtime: nodejs8.10
            Events:
                MySQSEvent:
                    Type: SQS
                    Properties:
                        Queue: !GetAtt SomeQueue.Arn
                        BatchSize: 10
            PermissionsBoundary: !Ref AddPermission

    SomeQueue:
        Type: AWS::SQS::Queue

    AddPermission:
        Type: AWS::IAM::ManagedPolicy
        Properties:
            PolicyDocument:
                Version: 2012-10-17
                Statement:
                    - Sid: 'PermissionBoundaryForLogGroup'
                      Effect: 'Allow'
                      Action:
                          - 'logs:CreateLogGroup'
                      Resource:
                          - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:*'
                    - Sid: 'AllowReadSQSMessages'
                      Effect: 'Allow'
                      Action:
                          - 'sqs:*'
                      Resource: '*'

虽然这行得通，但请确保您了解自己在做什么。权限边界将阻止不属于该权限的所有其他权限。例如，SAM将自动为CW日志创建必要的权限。

While this will work, be sure that you understand what you are doing. Permission boundaries will block any additional permissions that are not part of it. For example, SAM would automatically create necessary permissions for CW Logs. Those are

• logs：CreateLogGroup


• logs：CreateLogStream


• logs：PutLogEvents

您在您的日志中仅允许 logs：CreateLogGroup 权限边界，因此您的功能将无法将任何内容记录到CloudWatch。

You have allowed only logs:CreateLogGroup in your permission boundaries, hence your function will not be able to log anything to CloudWatch.

这篇关于在SAM模板中添加PermissionBoundary失败的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！