使用内联策略创建 IAM 角色的 cloudformation 模板

Question

我正在尝试使用以下模板创建 IAM 角色。我能够使用托管策略创建角色。当我尝试在模板中添加内联策略时出现错误

“Property PolicyDocument 不能为空。”

{
"Resources": {
"test": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "ec2.amazonaws.com"
                ]
              },
              "Action": [
                "sts:AssumeRole"
              ]
            }
          ]
        },
        "ManagedPolicyArns": [
          "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
          "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole",
        ],
      "Policies": [
      "PolicyName" : "create_snapshot",
      "PolicyDocument" : {
         "Version" : "2012-10-17",
         "Statement": [ {
         "Effect"   : "Allow",
         "Action": [
                "ec2:DeleteSnapshot",
                "ec2:CreateTags",
                "ec2:CreateSnapshot"
            ],
         "Resource" : "*"
         } ]      
      }
],
"RoleName": "test"
      }
    }
}
}    

Answer 1

Policies 是一个策略对象列表，编写如下，每个单独的策略对象都嵌入在 [] 列表内的大括号中：

"Policies": [ {
    "PolicyName" : "policy01",
    "PolicyDocument" : { ... }
}, {
    "PolicyName" : "policy02",
    "PolicyDocument" : { ... }
} ]