【以下的问题经过翻译处理】 您好，AWS，我正在尝试部署 CloudFormation 堆栈来创建 IAM 用户并根据帐号向其附加 IAM 策略。 我使用了两个帐户，即 Account1 和 Account2。 下面提供了策略 1、策略 2 和 IAM 用户的三个模板： IAM 策略1: ''' AWSTemplateFormatVersion: 2010-09-09 Description: > This template deploys AWS IAM policy to provide s3 access along with KMS Parameters: ReadOnlyBucketARN: Type: String Description: ARN of the buckets to grant read permissions s3WriteBucketAccess: Type: String Description: ARN of the buckets to grant write permissions KMSKeyArn: Type: String Description: Comma delimited list of KMS Key Arn(s) FuncUsername: Type: String Description: Name for Functional user

Conditions: S3WriteBucketAccessProvided: !Not [!Equals [!Ref s3WriteBucketAccess, ""]] S3ReadBucketAccessProvided: !Not [!Equals [!Ref ReadOnlyBucketARN, ""]] KMSKeysProvided: !Not [!Equals [!Ref KMSKeyArn, ""]]

Resources: AccessPolicy1: Type: AWS::IAM::ManagedPolicy Properties: ManagedPolicyName: !Sub ${FuncUsername}_access_policy1 PolicyDocument: Version: "2012-10-17" Statement: - !If - S3ReadBucketAccessProvided - Sid: "S3ReadAccess" Effect: "Allow" Action: - "s3:List*" - "s3:Get*" Resource: !Split - "," - !Ref ReadOnlyBucketARN - !Ref "AWS::NoValue" - !If - S3WriteBucketAccessProvided - Sid: "S3WriteAccess" Effect: "Allow" Action: - "s3:PutAnalyticsConfiguration" - "s3:AbortMultipartUpload" - "s3:PutBucketVersioning" - "s3:PutLifecycleConfiguration" - "s3:PutInventoryConfiguration" - "s3:DeleteObjectVersion" - "s3:RestoreObject" - "s3:DeleteObject" - "s3:DeleteObjectTagging" - "s3:PutObjectVersionTagging" - "s3:DeleteObjectVersionTagging" - "s3:PutObject*" - "s3:PutBucketNotification" Resource: !Split - "," - !Ref s3WriteBucketAccess - !Ref "AWS::NoValue" - !If - KMSKeysProvided - Sid: "KMSKeysAccess" Effect: "Allow" Action: - "kms:Decrypt" - "kms:Encrypt" - "kms:DescribeKey" - "kms:ReEncrypt*" - "kms:GenerateDataKey*" - "kms:RevokeGrant" - "kms:ListGrants" - "kms:CreateGrant" Resource: !Split - "," - !Ref KMSKeyArn - !Ref "AWS::NoValue" - Effect: "Allow" Action: - s3:ListAllMyBuckets - s3:HeadBucket Resource: "" Condition: Bool: aws:SecureTransport: - True - Effect: "Allow" Action: - "kms:ListAliases" Resource: "" Condition: Bool: aws:SecureTransport: - True

Outputs: AccessPolicyArn: Value: !Ref AccessPolicy1 ''' IAM 策略2: ''' #version: 1.0 AWSTemplateFormatVersion: 2010-09-09 Description: > This template deploys an IAM policy for a functional user

Parameters: FuncUsername: Type: String Description: Name for Functional user

Resources: AccessPolicy2: Type: AWS::IAM::ManagedPolicy Properties: ManagedPolicyName: !Sub ${FuncUsername}_access_policy2 PolicyDocument: Version: '2012-10-17' Statement: - Sid: IAMAccess Effect: Allow Action: - iam:* Resource: "*"

Outputs: AccessPolicy2Arn: Value: !Ref AccessPolicy2 ''' IAM USER: '''

version: 1.0

AWSTemplateFormatVersion: 2010-09-09 Description: > This Template Deploys Basic AWS Functional User along with s3 bucket read/write access Parameters: StackNameTag: Type: String Description: Name of stack as entered above TemplateUsedTag: Type: String Description: Template used in creating this stack FuncUsername: Type: String Description: Name for Functional user
s3ReadBucketArn: Type: String Description: Comma delimited list of s3 bucket Arn for read access s3WriteBucketArn: Type: String Description: Comma delimited list of s3 bucket Arn for read/write access kmskeyArn: Type: String Description: Comma delimited list of kms key Arn PrimaryOwner: Type: String Description: Primary Owner for this user SecondaryOwner: Type: String Description: Secondary Owner for this user CostCentre: Type: String Description: Cost Centre BusinessUnit: Type: String Description: Business Unit Account1: Type: String Description: AWS Account1 Account2: Type: String Description: AWS Account2

Conditions: OnlyInAccount1: !Equals - !Ref Account1 - !Ref 'AWS::AccountId' OnlyInAccount2: !Equals - !Ref Account2 - !Ref 'AWS::AccountId' #OnlyInAccount1: !Not [!Equals [!Ref Account1, ""]] #OnlyInAccount2: !Not [!Equals [!Ref Account2, ""]]

Condition1and2:

Fn::And:

- Condition: OnlyInAccount1

- Condition: OnlyInAccount2

Resources: FuncUser: Type: AWS::IAM::User Properties: UserName: !Ref FuncUsername ManagedPolicyArns: - Fn::GetAtt: - FuncUserPolicy - Outputs.AccessPolicyArn - Fn::GetAtt: - FuncUserPolicy2 - Outputs.AccessPolicy2Arn Tags: - Key: primary_owner Value: !Ref PrimaryOwner - Key: secondary_owner Value: !Ref SecondaryOwner - Key: cost_centre Value: !Ref CostCentre - Key: business_unit Value: !Ref BusinessUnit - Key: Creation_Stack Value: !Ref StackNameTag - Key: Stack_Template Value: !Ref TemplateUsedTag

FuncUserPolicy: Type: AWS::CloudFormation::Stack Condition: OnlyInAccount1 UpdateReplacePolicy: Retain DeletionPolicy: Retain Properties: TemplateURL: https://aws-billing-report-csv-format-report.s3.amazonaws.com/create-iam-policy1.yaml Parameters: ReadOnlyBucketARN: !Ref s3ReadBucketArn s3WriteBucketAccess: !Ref s3WriteBucketArn KMSKeyArn: !Ref kmskeyArn FuncUsername: !Ref FuncUsername

FuncUserPolicy2: Type: AWS::CloudFormation::Stack Condition: OnlyInAccount2 UpdateReplacePolicy: Retain DeletionPolicy: Retain Properties: TemplateURL: https://aws-billing-report-csv-format-report.s3.amazonaws.com/create-iam-policy2.yaml Parameters: FuncUsername: !Ref FuncUsername '''正如您在 IAM 用户模板中所看到的，当我尝试使用上述条件部署堆栈时所注释的条件，策略 1 和策略 2 都已附加到 IAM 用户。 但是，当我尝试修改条件以将特定策略（policy1 或 policy2）附加到给定帐户中的用户时，出现以下错误： Template format error: Unresolved resource dependencies [FuncUserPolicy2] in the Resources block of the template 有人可以帮我解决这个问题吗？ 谢谢