Attaching an IAM policy to an IAM user based on an account condition with CloudFormation

0

Hello AWS, I am trying to deploy a CloudFormation stack that creates an IAM user and attaches an IAM policy to it depending on the account number. I am using two accounts, Account1 and Account2. The three templates for policy 1, policy 2 and the IAM user are given below:

IAM policy 1:

```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: >
  This template deploys AWS IAM policy to provide s3 access along with KMS
Parameters:
  ReadOnlyBucketARN:
    Type: String
    Description: ARN of the buckets to grant read permissions
  s3WriteBucketAccess:
    Type: String
    Description: ARN of the buckets to grant write permissions
  KMSKeyArn:
    Type: String
    Description: Comma delimited list of KMS Key Arn(s)
  FuncUsername:
    Type: String
    Description: Name for Functional user

Conditions:
  S3WriteBucketAccessProvided: !Not [!Equals [!Ref s3WriteBucketAccess, ""]]
  S3ReadBucketAccessProvided: !Not [!Equals [!Ref ReadOnlyBucketARN, ""]]
  KMSKeysProvided: !Not [!Equals [!Ref KMSKeyArn, ""]]

Resources:
  AccessPolicy1:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: !Sub ${FuncUsername}_access_policy1
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Each optional statement is dropped (AWS::NoValue) when its parameter is empty
          - !If
            - S3ReadBucketAccessProvided
            - Sid: "S3ReadAccess"
              Effect: "Allow"
              Action:
                - "s3:List*"
                - "s3:Get*"
              Resource: !Split
                - ","
                - !Ref ReadOnlyBucketARN
            - !Ref "AWS::NoValue"
          - !If
            - S3WriteBucketAccessProvided
            - Sid: "S3WriteAccess"
              Effect: "Allow"
              Action:
                - "s3:PutAnalyticsConfiguration"
                - "s3:AbortMultipartUpload"
                - "s3:PutBucketVersioning"
                - "s3:PutLifecycleConfiguration"
                - "s3:PutInventoryConfiguration"
                - "s3:DeleteObjectVersion"
                - "s3:RestoreObject"
                - "s3:DeleteObject"
                - "s3:DeleteObjectTagging"
                - "s3:PutObjectVersionTagging"
                - "s3:DeleteObjectVersionTagging"
                - "s3:PutObject*"
                - "s3:PutBucketNotification"
              Resource: !Split
                - ","
                - !Ref s3WriteBucketAccess
            - !Ref "AWS::NoValue"
          - !If
            - KMSKeysProvided
            - Sid: "KMSKeysAccess"
              Effect: "Allow"
              Action:
                - "kms:Decrypt"
                - "kms:Encrypt"
                - "kms:DescribeKey"
                - "kms:ReEncrypt*"
                - "kms:GenerateDataKey*"
                - "kms:RevokeGrant"
                - "kms:ListGrants"
                - "kms:CreateGrant"
              Resource: !Split
                - ","
                - !Ref KMSKeyArn
            - !Ref "AWS::NoValue"
          - Effect: "Allow"
            Action:
              - s3:ListAllMyBuckets
              - s3:HeadBucket
            Resource: "*"
            Condition:
              Bool:
                aws:SecureTransport: "true"
          - Effect: "Allow"
            Action:
              - "kms:ListAliases"
            Resource: "*"
            Condition:
              Bool:
                aws:SecureTransport: "true"

Outputs:
  AccessPolicyArn:
    Value: !Ref AccessPolicy1
```

IAM policy 2:

```yaml
#version: 1.0
AWSTemplateFormatVersion: 2010-09-09
Description: >
  This template deploys an IAM policy for a functional user

Parameters:
  FuncUsername:
    Type: String
    Description: Name for Functional user

Resources:
  AccessPolicy2:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: !Sub ${FuncUsername}_access_policy2
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: IAMAccess
            Effect: Allow
            Action:
              - iam:*
            Resource: "*"

Outputs:
  AccessPolicy2Arn:
    Value: !Ref AccessPolicy2
```

IAM user:

```yaml
#version: 1.0
AWSTemplateFormatVersion: 2010-09-09
Description: >
  This Template Deploys Basic AWS Functional User along with s3 bucket read/write access
Parameters:
  StackNameTag:
    Type: String
    Description: Name of stack as entered above
  TemplateUsedTag:
    Type: String
    Description: Template used in creating this stack
  FuncUsername:
    Type: String
    Description: Name for Functional user
  s3ReadBucketArn:
    Type: String
    Description: Comma delimited list of s3 bucket Arn for read access
  s3WriteBucketArn:
    Type: String
    Description: Comma delimited list of s3 bucket Arn for read/write access
  kmskeyArn:
    Type: String
    Description: Comma delimited list of kms key Arn
  PrimaryOwner:
    Type: String
    Description: Primary Owner for this user
  SecondaryOwner:
    Type: String
    Description: Secondary Owner for this user
  CostCentre:
    Type: String
    Description: Cost Centre
  BusinessUnit:
    Type: String
    Description: Business Unit
  Account1:
    Type: String
    Description: AWS Account1
  Account2:
    Type: String
    Description: AWS Account2

Conditions:
  OnlyInAccount1: !Equals
    - !Ref Account1
    - !Ref 'AWS::AccountId'
  OnlyInAccount2: !Equals
    - !Ref Account2
    - !Ref 'AWS::AccountId'
  #OnlyInAccount1: !Not [!Equals [!Ref Account1, ""]]
  #OnlyInAccount2: !Not [!Equals [!Ref Account2, ""]]
  Condition1and2:
    Fn::And:
      - Condition: OnlyInAccount1
      - Condition: OnlyInAccount2

Resources:
  FuncUser:
    Type: AWS::IAM::User
    Properties:
      UserName: !Ref FuncUsername
      ManagedPolicyArns:
        - Fn::GetAtt:
            - FuncUserPolicy
            - Outputs.AccessPolicyArn
        - Fn::GetAtt:
            - FuncUserPolicy2
            - Outputs.AccessPolicy2Arn
      Tags:
        - Key: primary_owner
          Value: !Ref PrimaryOwner
        - Key: secondary_owner
          Value: !Ref SecondaryOwner
        - Key: cost_centre
          Value: !Ref CostCentre
        - Key: business_unit
          Value: !Ref BusinessUnit
        - Key: Creation_Stack
          Value: !Ref StackNameTag
        - Key: Stack_Template
          Value: !Ref TemplateUsedTag

  FuncUserPolicy:
    Type: AWS::CloudFormation::Stack
    Condition: OnlyInAccount1
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Properties:
      TemplateURL: https://aws-billing-report-csv-format-report.s3.amazonaws.com/create-iam-policy1.yaml
      Parameters:
        ReadOnlyBucketARN: !Ref s3ReadBucketArn
        s3WriteBucketAccess: !Ref s3WriteBucketArn
        KMSKeyArn: !Ref kmskeyArn
        FuncUsername: !Ref FuncUsername

  FuncUserPolicy2:
    Type: AWS::CloudFormation::Stack
    Condition: OnlyInAccount2
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Properties:
      TemplateURL: https://aws-billing-report-csv-format-report.s3.amazonaws.com/create-iam-policy2.yaml
      Parameters:
        FuncUsername: !Ref FuncUsername
```

As you can see in the IAM user template, with the commented-out conditions, when I deploy the stack both policy 1 and policy 2 get attached to the IAM user. But when I change the conditions so that only the specific policy (policy1 or policy2) is attached to the user in a given account, I get the following error:

```
Template format error: Unresolved resource dependencies [FuncUserPolicy2] in the Resources block of the template
```

Can someone help me solve this? Thanks

EXPERT
asked a year ago, 23 views
1 Answer
0

In the IAM user template you create the resource FuncUser, and inside it you reference FuncUserPolicy and FuncUserPolicy2 like this:

```yaml
ManagedPolicyArns:
  - Fn::GetAtt:
      - FuncUserPolicy
      - Outputs.AccessPolicyArn
  - Fn::GetAtt:
      - FuncUserPolicy2
      - Outputs.AccessPolicy2Arn
```

If your condition OnlyInAccount2 evaluates to false, your resource FuncUserPolicy2 is not created, so the reference to it produces the error.

Try wrapping the GetAtt in !If, the way you did in AccessPolicy1.

EXPERT
answered a year ago
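The fix the answer describes, written out as an added example (not code from the answerer or the asker): the FuncUser resource of the asker's IAM user template with each GetAtt wrapped in an !If that uses the same condition as the nested stack it points to. It assumes the Conditions block and the FuncUserPolicy / FuncUserPolicy2 nested-stack resources from the question are unchanged; the Parameters and Tags are trimmed to what this fragment needs.

```yaml
# Drop-in replacement for the FuncUser resource in the asker's IAM user template.
# Assumes OnlyInAccount1 / OnlyInAccount2 and the two nested stacks exist as in the question.
Resources:
  FuncUser:
    Type: AWS::IAM::User
    Properties:
      UserName: !Ref FuncUsername
      ManagedPolicyArns:
        # A Ref/GetAtt to a conditional resource must sit under an Fn::If on the
        # resource's own condition; AWS::NoValue removes the list entry entirely
        # in the account where that nested stack is not created.
        - !If
          - OnlyInAccount1
          - !GetAtt FuncUserPolicy.Outputs.AccessPolicyArn
          - !Ref "AWS::NoValue"
        - !If
          - OnlyInAccount2
          - !GetAtt FuncUserPolicy2.Outputs.AccessPolicy2Arn
          - !Ref "AWS::NoValue"
      Tags:
        - Key: primary_owner
          Value: !Ref PrimaryOwner
```

With this in place, deploying in Account1 attaches only AccessPolicy1 and deploying in Account2 attaches only AccessPolicy2; the commented-out conditions, which only test whether the parameters are non-empty, are no longer needed. Two checks worth doing before deploying: the condition name in each !If must match the Condition on the nested stack it references, or the same "Unresolved resource dependencies" error comes back; and AccessPolicy2 grants iam:* on all resources, which makes the functional user an IAM administrator in Account2, so scope its Action and Resource to what that user actually needs.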
