Help us improve the AWS re:Post Knowledge Center by sharing your feedback in a brief survey. Your input can influence how we create and update our content to better support your AWS journey.
CloudFormation을 사용할 때 Amazon Redshift에서 발생한 IAM 역할 오류를 해결하려면 어떻게 해야 합니까?
6분 분량
0
AWS CloudFormation에서 Amazon Redshift 클러스터 또는 예약된 작업을 생성하려고 합니다. 하지만 "The IAM role must delegate access to an Amazon Redshift account" AWS Identity and Access Management(IAM) 역할 오류가 발생합니다.
간략한 설명
CloudFormation에서 Amazon Redshift 클러스터 또는 예약된 작업을 생성하려고 하면 다음과 같은 오류 메시지가 나타납니다.
"The IAM role is not valid. The IAM role must delegate access to an Amazon Redshift account."
이 문제를 해결하려면 클러스터가 다른 AWS 서비스에 액세스할 수 있도록 CloudFormation 템플릿 파라미터에서 IAM 역할을 정의해야 합니다.
해결 방법
YAML에서 CloudFormation 템플릿 파라미터 업데이트
YAML에서 CloudFormation 템플릿 파라미터를 업데이트하려면 다음 단계를 완료하십시오.
-
파라미터를 정의하여 스택을 생성합니다.
AWSTemplateFormatVersion: 2010-09-09 Description: Create Redshift Stack. Parameters: Environment: Description: Environment of the resources. Type: String Default: staging AllowedValues: - production - staging - testing Name: Description: Cluster name. Type: String Default: 'mycluster' Service: Description: Service name. Type: String Default: redshift AllowedValues: - redshift DatabaseName: Description: Database name. Type: String Default: dev AllowedPattern: "([a-z]|[0-9])+" ClusterType: Description: The type of cluster Type: String Default: multi-node AllowedValues: - single-node - multi-node NumberOfNodes: Description: Compute nodes count. For multi-node clusters, the NumberOfNodes parameter must be greater than 1 Type: Number Default: '2' NodeType: Description: The type of node to be provisioned Type: String Default: dc2.large AllowedValues: - dc2.large - dc2.8xlarge - ra3.4xlarge - ra3.16xlarge MasterUsername: Description: Master user name. Type: String Default: awsuser AllowedPattern: "([a-z])([a-z]|[0-9])*" MasterUserPassword: Description: Master user password. Must have a length of 8-64 characters, contain one uppercase letter, one lowercase letter, and one number. Also only contain printable ASCII characters except for '/', '@', '"', ' ', '\' and '\'. Type: String NoEcho: 'true' PortNumber: Description: The port number on which the cluster accepts incoming connections. Type: Number Default: '5439' Conditions: IsMultiNodeCluster: Fn::Equals: - Ref: ClusterType - multi-node참고: 스택 템플릿에서 동적 참조를 사용하는 것이 좋습니다. 모범 사례에 대한 자세한 내용은 CloudFormation의 보안 모범 사례를 참조하십시오.
-
다음 템플릿을 사용하여 Amazon RedShift가 다른 AWS 서비스에 액세스할 때 맡을 IAM 역할을 생성합니다.
Resources: RedshiftRole: Type: AWS::IAM::Role Properties: RoleName: !Sub ${Environment}-${Name}-${Service} AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: - redshift.amazonaws.com Action: - sts:AssumeRole Condition: StringEquals: sts:ExternalId: !Sub 'arn:aws:redshift:${AWS::Region}:${AWS::AccountId}:dbuser:${Environment}-${Name}-${Service}/awsuser' Path: "/" -
정책에서 IAM 역할에 연결할 IAM 정책을 지정합니다.
Policies: - PolicyName: policy-s3 PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - 's3:AbortMultipartUpload' - 's3:GetBucketLocation' - 's3:ListBucket' - 's3:ListBucketMultipartUploads' - 's3:GetObject' - 's3:PutObject' Resource: - !Sub "arn:aws:s3:::${Environment}-${Name}-tier1" - !Sub "arn:aws:s3:::${Environment}-${Name}-tier1/log-internal-${Service}/*" - !Sub "arn:aws:s3:::${Environment}-${Name}-tier2" - !Sub "arn:aws:s3:::${Environment}-${Name}-tier2/*" - Effect: Allow Action: - 's3:DeleteObject' Resource: - !Sub "arn:aws:s3:::${Environment}-${Name}-tier1/log-internal-${Service}/*" - !Sub "arn:aws:s3:::${Environment}-${Name}-tier2/*" - PolicyName: policy-cloudwatch PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - 'logs:CreateLogGroup' - 'logs:CreateLogStream' - 'logs:PutLogEvents' Resource: "*" -
다음 템플릿을 Fn::GetAtt 함수와 함께 사용하여 Amazon Redshift 클러스터를 생성하고 RedshiftRole을 포함시킵니다.
RedshiftCluster: Type: AWS::Redshift::Cluster Properties: IamRoles: - Fn::GetAtt: [ RedshiftRole, Arn ] AllowVersionUpgrade: true AutomatedSnapshotRetentionPeriod: 7 ClusterIdentifier: !Sub ${Environment}-${Name}-${Service} ClusterVersion: 1.0 ClusterType: Ref: ClusterType NumberOfNodes: Fn::If: - IsMultiNodeCluster - Ref: NumberOfNodes - Ref: AWS::NoValue NodeType: Ref: NodeType DBName: Ref: DatabaseName MasterUsername: Ref: MasterUsername MasterUserPassword: Ref: MasterUserPassword Port: Ref: PortNumber PreferredMaintenanceWindow: Sun:18:30-Sun:19:30 PubliclyAccessible: yes AvailabilityZone: !Select [0, !GetAZs ""]참고: Ref와 같은 잘못된 IAM 역할 참조로 인해 오류가 발생합니다.
JSON에서 CloudFormation 템플릿 파라미터 업데이트
JSON에서 CloudFormation 템플릿 파라미터를 업데이트하려면 다음 단계를 완료하십시오.
-
파라미터를 정의하여 스택을 생성합니다.
{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "Create Redshift Stack.", "Parameters": { "Environment": { "Description": "Environment of the resources.", "Type": "String", "Default": "staging", "AllowedValues": [ "production", "staging", "testing" ] }, "Name": { "Description": "Cluster name.", "Type": "String", "Default": "mycluster" }, "Service": { "Description": "Service name.", "Type": "String", "Default": "redshift", "AllowedValues": [ "redshift" ] }, "DatabaseName": { "Description": "Database name.", "Type": "String", "Default": "dev", "AllowedPattern": "([a-z]|[0-9])+" }, "ClusterType": { "Description": "The type of cluster", "Type": "String", "Default": "multi-node", "AllowedValues": [ "single-node", "multi-node" ] }, "NumberOfNodes": { "Description": "Compute nodes count. For multi-node clusters, the NumberOfNodes parameter must be greater than 1", "Type": "Number", "Default": "2" }, "NodeType": { "Description": "The type of node to be provisioned", "Type": "String", "Default": "dc2.large", "AllowedValues": [ "dc2.large", "dc2.8xlarge", "ra3.4xlarge", "ra3.16xlarge" ] }, "MasterUsername": { "Description": "Master user name.", "Type": "String", "Default": "awsuser", "AllowedPattern": "([a-z])([a-z]|[0-9])*" }, "MasterUserPassword": { "Description": "Master user password. Must have a length of 8-64 characters, contain one uppercase letter, one lowercase letter, and one number. Also only contain printable ASCII characters except for '/', '@', '\"', ' ', '\\' and '\\'.", "Type": "String", "NoEcho": "true" }, "PortNumber": { "Description": "The port number on which the cluster accepts incoming connections.", "Type": "Number", "Default": "5439" } }, "Conditions": { "IsMultiNodeCluster": { "Fn::Equals": [ { "Ref": "ClusterType" }, "multi-node" ] } }, -
다음 템플릿을 사용하여 Amazon Redshift 클러스터에 액세스하기 위한 IAM 역할을 생성합니다.
"Resources": { "RedshiftRole": { "Type": "AWS::IAM::Role", "Properties": { "RoleName": { "Fn::Sub": "${Environment}-${Name}-${Service}" }, "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "redshift.amazonaws.com" ] }, "Action": [ "sts:AssumeRole" ], "Condition": { "StringEquals": { "sts:ExternalId": { "Fn::Sub": "arn:aws:redshift:${AWS::Region}:${AWS::AccountId}:dbuser:${Environment}-${Name}-${Service}/awsuser" } } } } ] }, "Path": "/", -
정책에서 IAM 역할에 연결할 IAM 정책을 지정합니다.
"Policies": [ { "PolicyName": "policy-s3", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:AbortMultipartUpload", "s3:GetBucketLocation", "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:GetObject", "s3:PutObject" ], "Resource": [ { "Fn::Sub": "arn:aws:s3:::${Environment}-${Name}-tier1" }, { "Fn::Sub": "arn:aws:s3:::${Environment}-${Name}-tier1/log-internal-${Service}/*" }, { "Fn::Sub": "arn:aws:s3:::${Environment}-${Name}-tier2" }, { "Fn::Sub": "arn:aws:s3:::${Environment}-${Name}-tier2/*" } ] }, { "Effect": "Allow", "Action": [ "s3:DeleteObject" ], "Resource": [ { "Fn::Sub": "arn:aws:s3:::${Environment}-${Name}-tier1/log-internal-${Service}/*" }, { "Fn::Sub": "arn:aws:s3:::${Environment}-${Name}-tier2/*" } ] } ] } }, { "PolicyName": "policy-cloudwatch", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "*" } ] } } ] } }, -
다음 템플릿을 Fn::GetAtt 함수와 함께 사용하여 Amazon Redshift 클러스터를 생성하고 RedshiftRole을 포함시킵니다.
"RedshiftCluster": { "Type": "AWS::Redshift::Cluster", "Properties": { "IamRoles": [ { "Fn::GetAtt": [ "RedshiftRole", "Arn" ] } ], "AllowVersionUpgrade": true, "AutomatedSnapshotRetentionPeriod": 7, "ClusterIdentifier": { "Fn::Sub": "${Environment}-${Name}-${Service}" }, "ClusterVersion": 1, "ClusterType": { "Ref": "ClusterType" }, "NumberOfNodes": { "Fn::If": [ "IsMultiNodeCluster", { "Ref": "NumberOfNodes" }, { "Ref": "AWS::NoValue" } ] }, "NodeType": { "Ref": "NodeType" }, "DBName": { "Ref": "DatabaseName" }, "MasterUsername": { "Ref": "MasterUsername" }, "MasterUserPassword": { "Ref": "MasterUserPassword" }, "Port": { "Ref": "PortNumber" }, "PreferredMaintenanceWindow": "Sun:18:30-Sun:19:30", "PubliclyAccessible": "true", "AvailabilityZone": { "Fn::Select": [ 0, { "Fn::GetAZs": "" } ] } } } } }
CloudFormation에서 새 스택 생성
템플릿 파라미터를 업데이트한 후 JSON 또는 YAML 템플릿을 사용하여 새 CloudFormation 스택을 생성합니다.
관련 정보
- 언어
- 한국어
AWS 공식업데이트됨 10달 전
댓글 없음
