CloudFormation - 如何使用 Sub 内在函数？答案

【问题标题】：CloudFormation - How to use Sub intrinsic function?CloudFormation - 如何使用 Sub 内在函数？
【发布时间】：2019-12-22 03:31:57
【问题描述】：

在下面的 JSON 规则中：

       {
         "Action": [
                "iam:CreatePolicyVersion",
                "iam:DeletePolicy",
                "iam:DeletePolicyVersion",
                "iam:SetDefaultPolicyVersion"
            ],
          "Resource": [
                "arn:aws:iam::${Account:Id}:policy/policy1",
                "arn:aws:iam::${Account:Id}:policy/policy2"
            ],
            "Effect": "Deny"
        }

如何在Resource 部分使用Sub 内部函数语法？替换变量...

编辑：

{
         "Action": [
                "iam:CreatePolicyVersion",
                "iam:DeletePolicy",
                "iam:DeletePolicyVersion",
                "iam:SetDefaultPolicyVersion"
            ],
          "Resource": [
                "arn:aws:iam::${Account:Id}:policy/policy1"
            ],
            "Effect": "Deny"
        }

如何引用单个资源？

【问题讨论】：

标签： json amazon-web-services amazon-cloudformation

【解决方案1】：

 {
         "Action": [
                "iam:CreatePolicyVersion",
                "iam:DeletePolicy",
                "iam:DeletePolicyVersion",
                "iam:SetDefaultPolicyVersion"
            ],
          "Resource": [
                {  "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:policy/policy1"},
                {  "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:policy/policy2"}
            ],
            "Effect": "Deny"
        }

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-sub.html

【讨论】：

如果它只是一种资源？我能说..."Resource": { "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:policy/policy1"},
政策仍然需要一个列表，您需要括号，因为它需要一个资源数组，在您的情况下，您将拥有一个只有一个资源的数组"Resource": [{ "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:policy/policy1"}]
我收到错误...Syntax error at position (36,27) 这个..."Resource": [{ "Fn::Sub": "arn:aws:cloudformation:us-east-1:${AWS::AccountId}:stack/some-stack*"}], 第 27 位是 "Fn
如果没有看到您的完整政策/模板，这很难解决