How to create a role with a trust policy using CDK

0

[The following question has been translated.] I want to create a role with the AmazonChimeFullAccess permission and allow a Lambda to run STS AssumeRole. I cannot use the AWS Console to create this IAM role, and I cannot work out how to create it with CDK. The code I use to create this role in CDK is pasted below.

Permissions:

AmazonChimeFullAccess

Trusted entities:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::<account-number>:role/dev-lambda"
                ]
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}

CDK code:

import software.amazon.awscdk.services.iam.ArnPrincipal
import software.amazon.awscdk.services.iam.Effect
import software.amazon.awscdk.services.iam.ManagedPolicy
import software.amazon.awscdk.services.iam.PolicyStatement
import software.amazon.awscdk.services.iam.Role
import software.amazon.awscdk.services.iam.RoleProps
import software.amazon.awscdk.services.iam.ServicePrincipal

val role = Role(
    stackInstance, "StsChimeChatAssumeRole",
    RoleProps.builder()
        .assumedBy(ServicePrincipal("sts.amazonaws.com"))
        .build()
)

// Add a statement to the trust policy to allow the AWS account with ID "123456789012" to assume the role
// (note: addToPolicy adds to the role's identity-based default policy, which is what triggers the error below)
role.addToPolicy(
    PolicyStatement.Builder
        .create()
        .effect(Effect.ALLOW)
        .principals(listOf(ArnPrincipal("arn:aws:iam::<account-number>:role/dev")))
        .actions(listOf("sts:AssumeRole"))
        .build()
)

role.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName("AmazonChimeFullAccess"))

Error:

Exception in thread "main" java.lang.RuntimeException: Error: Validation failed with the following errors:
  [TemplateServiceStack/dev/TemplateServiceDevWaveLambdaStack/StsChimeChatAssumeRole/DefaultPolicy] A PolicyStatement used in an identity-based policy cannot specify any IAM principals.
  [TemplateServiceStack/dev/TemplateServiceDevWaveLambdaStack/StsChimeChatAssumeRole/DefaultPolicy] A PolicyStatement used in an identity-based policy must specify at least one resource.
Expert
Asked 5 months ago, 1 view
1 Answer
0

[The following answer has been translated.] To create a role with the trust policy you provided and the managed policy attached, you need to do the following:

import software.amazon.awscdk.services.iam.ArnPrincipal
import software.amazon.awscdk.services.iam.ManagedPolicy
import software.amazon.awscdk.services.iam.Role
import software.amazon.awscdk.services.iam.RoleProps

// Create a Role that can be assumed by the Lambda's Role.
// assumedBy() is what populates the role's trust policy (AssumeRolePolicyDocument).
val role = Role(
    stackInstance, "StsChimeChatAssumeRole",
    RoleProps.builder()
        .assumedBy(ArnPrincipal("arn:aws:iam::<account-number>:role/dev"))
        .build()
)

// Add the managed policy to the Role (its permissions policy, not the trust policy).
role.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName("AmazonChimeFullAccess"))

The addManagedPolicy method lets you attach an IAM permissions policy to a role; it does not touch the trust policy.

Expert
Answered 5 months ago
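An added example, not code from the question or the answer above, showing both halves of a cross-role AssumeRole in CDK (Kotlin over the Java API): the trust policy on the Chime role, and the sts:AssumeRole permission that the Lambda's own role needs on the Chime role's ARN. It assumes a construct scope named `scope`, that the dev-lambda role already exists and is imported by ARN, and that `<account-number>` is replaced with the real account ID.

```kotlin
import software.amazon.awscdk.services.iam.ArnPrincipal
import software.amazon.awscdk.services.iam.Effect
import software.amazon.awscdk.services.iam.ManagedPolicy
import software.amazon.awscdk.services.iam.PolicyStatement
import software.amazon.awscdk.services.iam.Role
import software.constructs.Construct

// Assumed placeholder: substitute the real account ID before deploying.
const val DEV_LAMBDA_ROLE_ARN = "arn:aws:iam::<account-number>:role/dev-lambda"

fun buildChimeAssumeRoleSetup(scope: Construct) {
    // Half 1 - trust policy (resource-based, lives on the role being assumed):
    // only the dev-lambda role may call sts:AssumeRole on this role.
    // Principals belong here, never in an identity-based PolicyStatement.
    val chimeRole = Role.Builder.create(scope, "StsChimeChatAssumeRole")
        .assumedBy(ArnPrincipal(DEV_LAMBDA_ROLE_ARN))
        .managedPolicies(listOf(ManagedPolicy.fromAwsManagedPolicyName("AmazonChimeFullAccess")))
        .build()

    // Half 2 - identity policy on the caller: the Lambda's role must itself be
    // allowed to call sts:AssumeRole, scoped to exactly one target role ARN.
    // This statement names a resource and no principal, which is what the
    // CDK validation in the question was enforcing.
    val devLambdaRole = Role.fromRoleArn(scope, "DevLambdaRole", DEV_LAMBDA_ROLE_ARN)
    devLambdaRole.addToPrincipalPolicy(
        PolicyStatement.Builder.create()
            .effect(Effect.ALLOW)
            .actions(listOf("sts:AssumeRole"))
            .resources(listOf(chimeRole.roleArn))
            .build()
    )
}
```

Without the second half the trust policy alone is not enough: STS requires the caller's identity policy to allow sts:AssumeRole on the target in addition to the target trusting the caller.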
