【发布时间】:2019-12-31 03:28:58
【问题描述】:
我正在创建一个 CloudFormation 堆栈,该堆栈具有 CodeBuild 和 IAM 角色作为资源。我想知道是否存在只允许在同一堆栈中创建的资源担任角色的条件。
目前,我的堆栈是这样定义的:
CodeBuildProjectIAMRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service: codebuild.amazonaws.com
Action: sts:AssumeRole
CodeBuildProject:
Type: AWS::CodeBuild::Project
问题是任何 CodeBuild 项目都可以承担上述角色。
当我尝试添加一个条件时,指定只有具有aws:cloudformation:stack-name 相同堆栈名称的主体才能担任该角色:
CodeBuildProjectIAMRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service: codebuild.amazonaws.com
Action: sts:AssumeRole
Condition:
StringEquals:
aws:PrincipalTag/aws:cloudformation:stack-name: !Ref 'AWS::StackName'
,我收到此错误:
Condition can contain only one colon. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument)
【问题讨论】:
-
我认为这只是一个语法错误。尝试添加
',例如:'aws:PrincipalTag/aws:cloudformation:stack-name:'。 -
@lexicore 我试过
'aws:PrincipalTag/aws:cloudformation:stack-name:'(得到Template format error: YAML not well-formed)和'aws:PrincipalTag/aws:cloudformation:stack-name':(得到Condition can contain only one colon)
标签: amazon-web-services amazon-cloudformation amazon-iam aws-sts