Hi AWS, I am trying to deploy a CloudFormation stack that creates an IAM user and attaches IAM policies to it depending on the account ID. I am using two accounts, Account1 and Account2. The three templates, for Policy 1, Policy 2 and the IAM user, are provided below:
IAM Policy 1:
```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: >
  This template deploys AWS IAM policy to provide s3 access along with KMS
Parameters:
  ReadOnlyBucketARN:
    Type: String
    Description: ARN of the buckets to grant read permissions
  s3WriteBucketAccess:
    Type: String
    Description: ARN of the buckets to grant write permissions
  KMSKeyArn:
    Type: String
    Description: Comma delimited list of KMS Key Arn(s)
  FuncUsername:
    Type: String
    Description: Name for Functional user
Conditions:
  S3WriteBucketAccessProvided: !Not [!Equals [!Ref s3WriteBucketAccess, ""]]
  S3ReadBucketAccessProvided: !Not [!Equals [!Ref ReadOnlyBucketARN, ""]]
  KMSKeysProvided: !Not [!Equals [!Ref KMSKeyArn, ""]]
Resources:
  AccessPolicy1:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: !Sub ${FuncUsername}_access_policy1
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Each optional statement is emitted only when its parameter is non-empty;
          # AWS::NoValue removes the list entry otherwise.
          - !If
            - S3ReadBucketAccessProvided
            - Sid: "S3ReadAccess"
              Effect: "Allow"
              Action:
                - "s3:List*"
                - "s3:Get*"
              Resource: !Split
                - ","
                - !Ref ReadOnlyBucketARN
            - !Ref "AWS::NoValue"
          - !If
            - S3WriteBucketAccessProvided
            - Sid: "S3WriteAccess"
              Effect: "Allow"
              Action:
                - "s3:PutAnalyticsConfiguration"
                - "s3:AbortMultipartUpload"
                - "s3:PutBucketVersioning"
                - "s3:PutLifecycleConfiguration"
                - "s3:PutInventoryConfiguration"
                - "s3:DeleteObjectVersion"
                - "s3:RestoreObject"
                - "s3:DeleteObject"
                - "s3:DeleteObjectTagging"
                - "s3:PutObjectVersionTagging"
                - "s3:DeleteObjectVersionTagging"
                - "s3:PutObject*"
                - "s3:PutBucketNotification"
              Resource: !Split
                - ","
                - !Ref s3WriteBucketAccess
            - !Ref "AWS::NoValue"
          - !If
            - KMSKeysProvided
            - Sid: "KMSKeysAccess"
              Effect: "Allow"
              Action:
                - "kms:Decrypt"
                - "kms:Encrypt"
                - "kms:DescribeKey"
                - "kms:ReEncrypt*"
                - "kms:GenerateDataKey*"
                - "kms:RevokeGrant"
                - "kms:ListGrants"
                - "kms:CreateGrant"
              Resource: !Split
                - ","
                - !Ref KMSKeyArn
            - !Ref "AWS::NoValue"
          - Effect: "Allow"
            Action:
              - s3:ListAllMyBuckets
              - s3:HeadBucket
            Resource: "*"
            Condition:
              Bool:
                aws:SecureTransport: "true"
          - Effect: "Allow"
            Action:
              - "kms:ListAliases"
            Resource: "*"
            Condition:
              Bool:
                aws:SecureTransport: "true"
Outputs:
  AccessPolicyArn:
    Value: !Ref AccessPolicy1
```
IAM Policy 2:
```yaml
#version: 1.0
AWSTemplateFormatVersion: 2010-09-09
Description: >
  This template deploys an IAM policy for a functional user
Parameters:
  FuncUsername:
    Type: String
    Description: Name for Functional user
Resources:
  AccessPolicy2:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: !Sub ${FuncUsername}_access_policy2
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: IAMAccess
            Effect: Allow
            Action:
              - iam:*
            Resource: "*"
Outputs:
  AccessPolicy2Arn:
    Value: !Ref AccessPolicy2
```
IAM USER:
```yaml
#version: 1.0   (kept as a comment, as in Policy 2: it is not a valid top-level template section)
AWSTemplateFormatVersion: 2010-09-09
Description: >
  This Template Deploys Basic AWS Functional User along with s3 bucket read/write access
Parameters:
  StackNameTag:
    Type: String
    Description: Name of stack as entered above
  TemplateUsedTag:
    Type: String
    Description: Template used in creating this stack
  FuncUsername:
    Type: String
    Description: Name for Functional user
  s3ReadBucketArn:
    Type: String
    Description: Comma delimited list of s3 bucket Arn for read access
  s3WriteBucketArn:
    Type: String
    Description: Comma delimited list of s3 bucket Arn for read/write access
  kmskeyArn:
    Type: String
    Description: Comma delimited list of kms key Arn
  PrimaryOwner:
    Type: String
    Description: Primary Owner for this user
  SecondaryOwner:
    Type: String
    Description: Secondary Owner for this user
  CostCentre:
    Type: String
    Description: Cost Centre
  BusinessUnit:
    Type: String
    Description: Business Unit
  Account1:
    Type: String
    Description: AWS Account1
  Account2:
    Type: String
    Description: AWS Account2
Conditions:
  OnlyInAccount1: !Equals
    - !Ref Account1
    - !Ref 'AWS::AccountId'
  OnlyInAccount2: !Equals
    - !Ref Account2
    - !Ref 'AWS::AccountId'
  #OnlyInAccount1: !Not [!Equals [!Ref Account1, ""]]
  #OnlyInAccount2: !Not [!Equals [!Ref Account2, ""]]
  Condition1and2:
    Fn::And:
      - Condition: OnlyInAccount1
      - Condition: OnlyInAccount2
Resources:
  FuncUser:
    Type: AWS::IAM::User
    Properties:
      UserName: !Ref FuncUsername
      # Both nested stacks are referenced unconditionally here, even though
      # each one only exists in one of the two accounts.
      ManagedPolicyArns:
        - Fn::GetAtt:
            - FuncUserPolicy
            - Outputs.AccessPolicyArn
        - Fn::GetAtt:
            - FuncUserPolicy2
            - Outputs.AccessPolicy2Arn
      Tags:
        - Key: primary_owner
          Value: !Ref PrimaryOwner
        - Key: secondary_owner
          Value: !Ref SecondaryOwner
        - Key: cost_centre
          Value: !Ref CostCentre
        - Key: business_unit
          Value: !Ref BusinessUnit
        - Key: Creation_Stack
          Value: !Ref StackNameTag
        - Key: Stack_Template
          Value: !Ref TemplateUsedTag
  FuncUserPolicy:
    Type: AWS::CloudFormation::Stack
    Condition: OnlyInAccount1
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Properties:
      TemplateURL: https://aws-billing-report-csv-format-report.s3.amazonaws.com/create-iam-policy1.yaml
      Parameters:
        ReadOnlyBucketARN: !Ref s3ReadBucketArn
        s3WriteBucketAccess: !Ref s3WriteBucketArn
        KMSKeyArn: !Ref kmskeyArn
        FuncUsername: !Ref FuncUsername
  FuncUserPolicy2:
    Type: AWS::CloudFormation::Stack
    Condition: OnlyInAccount2
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Properties:
      TemplateURL: https://aws-billing-report-csv-format-report.s3.amazonaws.com/create-iam-policy2.yaml
      Parameters:
        FuncUsername: !Ref FuncUsername
```
As you can see in the IAM user template, when I deployed the stack with the conditions that are now commented out, both Policy 1 and Policy 2 were attached to the IAM user. However, when I tried to change the conditions so that a specific policy (policy1 or policy2) is attached to the user in a given account, I get the following error:
Template format error: Unresolved resource dependencies [FuncUserPolicy2] in the Resources block of the template
Can someone help me resolve this?
Thanks
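The error comes from the `ManagedPolicyArns` list of `FuncUser`: CloudFormation resolves every `Ref` and `Fn::GetAtt` in the template, and with the account-ID conditions only one of the two nested stacks exists in any given account, so the unconditional `GetAtt` on the other one (`FuncUserPolicy2` in Account1) has nothing to resolve against. The documented pattern for referencing a conditional resource is to wrap the reference in `Fn::If` on the same condition and return `AWS::NoValue` on the other branch, which drops that list entry. The template below is an added example written for this answer, not the poster's template or any AWS sample; it reuses the poster's parameter, condition, resource and `TemplateURL` names and omits the tags and retention policies that are unchanged:

```yaml
# Added example: account-scoped policy attachment without unresolved dependencies.
# Names are taken from the question; the nested-stack TemplateURLs are the poster's.
AWSTemplateFormatVersion: 2010-09-09
Description: >
  Functional IAM user whose managed policy is chosen by the account the stack runs in
Parameters:
  FuncUsername:
    Type: String
  s3ReadBucketArn:
    Type: String
  s3WriteBucketArn:
    Type: String
  kmskeyArn:
    Type: String
  Account1:
    Type: String
    Description: Account ID in which policy 1 is created and attached
  Account2:
    Type: String
    Description: Account ID in which policy 2 is created and attached
Conditions:
  # Exactly one of these is true in a given account (unless Account1 == Account2).
  OnlyInAccount1: !Equals [!Ref Account1, !Ref "AWS::AccountId"]
  OnlyInAccount2: !Equals [!Ref Account2, !Ref "AWS::AccountId"]
Resources:
  FuncUserPolicy:
    Type: AWS::CloudFormation::Stack
    Condition: OnlyInAccount1
    Properties:
      TemplateURL: https://aws-billing-report-csv-format-report.s3.amazonaws.com/create-iam-policy1.yaml
      Parameters:
        ReadOnlyBucketARN: !Ref s3ReadBucketArn
        s3WriteBucketAccess: !Ref s3WriteBucketArn
        KMSKeyArn: !Ref kmskeyArn
        FuncUsername: !Ref FuncUsername
  FuncUserPolicy2:
    Type: AWS::CloudFormation::Stack
    Condition: OnlyInAccount2
    Properties:
      TemplateURL: https://aws-billing-report-csv-format-report.s3.amazonaws.com/create-iam-policy2.yaml
      Parameters:
        FuncUsername: !Ref FuncUsername
  FuncUser:
    Type: AWS::IAM::User
    Properties:
      UserName: !Ref FuncUsername
      # Every GetAtt on a conditional resource is guarded by the same condition
      # that creates it. In the branch where the nested stack does not exist,
      # AWS::NoValue removes the list entry instead of leaving a dangling reference.
      ManagedPolicyArns:
        - !If
          - OnlyInAccount1
          - !GetAtt FuncUserPolicy.Outputs.AccessPolicyArn
          - !Ref "AWS::NoValue"
        - !If
          - OnlyInAccount2
          - !GetAtt FuncUserPolicy2.Outputs.AccessPolicy2Arn
          - !Ref "AWS::NoValue"
```

With this layout `Condition1and2` is no longer needed: it can only be true when both account parameters equal the current account ID, which means Account1 and Account2 are the same account. If the stack is deployed into an account that matches neither parameter, both entries are dropped and the user is created with no managed policies, which is worth checking for in a change set review. The same split also confines Policy 2's `iam:*` on `"*"` statement, which amounts to full IAM administration, to Account2 alone.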