I am trying to create my encryption key with CloudFormation. Just for testing, I have a very simple template like the following:
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Creates a KMS key and attaches a policy similar to the default policy. Also, creates two Roles which allow encryption and decryption under this key.",
  "Parameters": {
    "UserPrincipal": {
      "Type": "String",
      "Default": "user/datadog"
    }
  },
  "Resources": {
    "DemonstrationKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "KeyPolicy": {
          "Id": "DefaultKmsPolicy",
          "Version": "2012-10-17",
          "Statement": [{
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
              "AWS": [{
                "Fn::Join": [
                  ":", [
                    "arn:aws:iam:",
                    {
                      "Ref": "AWS::AccountId"
                    },
                    "root"
                  ]
                ]
              }]
            },
            "Action": "kms:*",
            "Resource": "*"
          }]
        }
      }
    }
  },
  "Outputs": {
    "KeyID": {
      "Description": "Key ID",
      "Value": {
        "Ref": "DemonstrationKey"
      }
    }
  }
}
It works fine, but that is not what I want. Instead, I want to attach an already existing policy to it, for example:
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Creates a KMS key and attaches a policy similar to the default policy. Also, creates two Roles which allow encryption and decryption under this key.",
  "Parameters": {
    "UserPrincipal": {
      "Type": "String",
      "Default": "user/datadog"
    }
  },
  "Resources": {
    "DemonstrationKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "KeyPolicy": "arn:aws:iam::******:policy/testtestpol1"
      }
    }
  },
  "Outputs": {
    "KeyID": {
      "Description": "Key ID",
      "Value": {
        "Ref": "DemonstrationKey"
      }
    }
  }
}
But this does not work; I get the following error:
MalformedPolicyDocumentException
Can anyone help me? Is it possible at all?
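A KMS key policy is a resource-based policy that CloudFormation expects inline as a policy document object, so a string such as a managed IAM policy ARN is rejected as a malformed document. The following pre-deploy check, an added example rather than code from the question or from AWS, walks a template and flags exactly that shape of mistake; the two embedded templates are constructed to mirror the question, with an example account ID.

```python
import json

KMS_KEY_TYPE = "AWS::KMS::Key"
REQUIRED_STATEMENT_KEYS = ("Effect", "Principal", "Action", "Resource")


def check_kms_key_policies(template_json: str) -> dict:
    """Return {logical_id: [problem, ...]} for every AWS::KMS::Key in a template.

    KeyPolicy must be an inline policy document object. A string value (for
    example an IAM managed-policy ARN) is not a document, which is why KMS
    answers with MalformedPolicyDocumentException at stack creation time.
    """
    template = json.loads(template_json)
    report = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != KMS_KEY_TYPE:
            continue
        problems = []
        policy = resource.get("Properties", {}).get("KeyPolicy")
        if isinstance(policy, str):
            problems.append("KeyPolicy is a string; a managed IAM policy ARN cannot be attached to a KMS key")
        elif not isinstance(policy, dict):
            problems.append("KeyPolicy is not a policy document object")
        else:
            if policy.get("Version") != "2012-10-17":
                problems.append("KeyPolicy Version should be 2012-10-17")
            statements = policy.get("Statement")
            if not isinstance(statements, list) or not statements:
                problems.append("KeyPolicy has no Statement list")
            else:
                for i, stmt in enumerate(statements):
                    missing = [k for k in REQUIRED_STATEMENT_KEYS if k not in stmt]
                    if missing:
                        problems.append(f"Statement {i} is missing {', '.join(missing)}")
        report[logical_id] = problems
    return report


# Constructed minimal templates mirroring the two shapes in the question.
INLINE_POLICY_TEMPLATE = json.dumps({"Resources": {"DemonstrationKey": {
    "Type": KMS_KEY_TYPE, "Properties": {"KeyPolicy": {
        "Version": "2012-10-17",
        "Statement": [{"Sid": "Enable IAM User Permissions", "Effect": "Allow",
                       "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                       "Action": "kms:*", "Resource": "*"}]}}}}})
ARN_POLICY_TEMPLATE = json.dumps({"Resources": {"DemonstrationKey": {
    "Type": KMS_KEY_TYPE,
    "Properties": {"KeyPolicy": "arn:aws:iam::123456789012:policy/testtestpol1"}}}})

if __name__ == "__main__":
    for name, tpl in (("inline", INLINE_POLICY_TEMPLATE), ("arn", ARN_POLICY_TEMPLATE)):
        print(name, check_kms_key_policies(tpl))
```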