通过 cloudformation 创建 IAM 角色时 policyName 出错

Question

这是角色sn-p：

"InstanceRole": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "AssumeRolePolicyDocument": {
      "Version" : "2012-10-17",
      "Statement": [ {
        "Effect": "Allow",
        "Principal": {
           "Service" : [ { "Fn::FindInMap": [ "Region2Principal", { "Ref": "AWS::Region" },"EC2Principal" ] } ] },
        "Action"  : [ "sts:AssumeRole" ]
      }]
    },
    "Path": "/",
    "Policies": [{
      "PolicyName": {"Fn::Join" : ["",["AWS::StackName","InstanceApi"] ] },
      "PolicyDocument": {
        "Statement": [{
          "Effect": "Allow",
          "Action": "*",
          "Resource": "*"
        }]
      }
    }]
  }
},

这是错误：The specified value for policyName is invalid. It must contain only alphanumeric characters and/or the following: +=,.@_-

我输入的AWS::StackName的值为tmplt-stack，生成的报错策略名称为：tmplt-stack-InstanceApi-O7KF5OL0TA2Q

我不明白为什么 cloudformation 拒绝该名称，即使它只包含几个字符“-”并且根​​据错误消息是允许的，其余都是字母数字字符。

Answer 1

这是我在使用伪参数AWS::StackName时犯的大错，我没有用Ref调用它

"InstanceRole": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "AssumeRolePolicyDocument": {
      "Version" : "2012-10-17",
      "Statement": [ {
        "Effect": "Allow",
        "Principal": {
           "Service" : [ { "Fn::FindInMap": [ "Region2Principal", { "Ref": "AWS::Region" },"EC2Principal" ] } ] },
        "Action"  : [ "sts:AssumeRole" ]
      }]
    },
    "Path": "/",
    "Policies": [{
      "PolicyName": {"Fn::Join" : ["",[{"Ref":"AWS::StackName"},"InstanceApi"] ] },
      "PolicyDocument": {
        "Statement": [{
          "Effect": "Allow",
          "Action": "*",
          "Resource": "*"
        }]
      }
    }]
  }
},