In my CloudFormation template I have IAM mappings for the different environments:

Mappings:
  EnvironmentToIAMInstanceProfileARN:
    dev:
      Profile: [ "arn:aws:iam::0000000000:role/AnInstanceProfile" ]
    test:
      Profile: [ "arn:aws:iam::0000000001:role/AppServerInstanceProfile", 
                  "arn:aws:iam::0000000001:role/AppProvisioningRole"]

I am creating an S3 bucket and need to give the IAM profile as the principal:

 AppS3BucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: !Ref S3NameParam
      PolicyDocument:
        Statement:
          - Sid: 'Restrict access to the IAM Instance ARN'
            Effect: Allow
            Principal: '*' # !FindInMap [EnvironmentToIAMInstanceProfileARN, !Ref 'EnvType', Profile]
            Action: 
              - 's3:GetBucketAcl'
              - 's3:GetBucketLocation'
              - 's3:GetObject'
              - 's3:ListBucket'
              - 's3:PutObject'
            Resource:
              - !Join 
                - ''
                - - 'arn:aws:s3:::'
                  - !Ref S3NameParam
                  - ''
              - !Join 
                - ''
                - - 'arn:aws:s3:::'
                  - !Ref S3NameParam
                  - /*

If I assign '*' to Principal it works, but I am trying to look up the mapping:

Principal: !FindInMap [EnvironmentToIAMInstanceProfileARN, !Ref 'EnvType', Profile]

This does not work and results in the error:

Invalid bucket policy syntax. (Service: Amazon S3; Status Code: 400; Error Code: MalformedPolicy;

Does anyone know how I can do this, or why it fails?

PS: the EnvType parameter does exist:

Parameters:
  EnvType:
    Description: Environment Name
    Default: test
    Type: String
    AllowedValues:  [dev, test, prod]

1 Answer


According to this article, the syntax needs to have a Service: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html

JSON:

 "Principal": {
        "Service": [
          "elasticmapreduce.amazonaws.com",
          "datapipeline.amazonaws.com"
        ]
 }

However, based on some other documentation, I made it AWS instead of Service:

JSON:

  "Principal": {
        "AWS": [
          "elasticmapreduce.amazonaws.com",
          "datapipeline.amazonaws.com"
        ]
  }

Solution in YAML:

  Principal:
     AWS: 
       !FindInMap [EnvironmentToIAMInstanceProfileARN, !Ref 'EnvType', Profile]
answered 2018-07-19T01:10:07.077
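To see what the template above actually produces once CloudFormation evaluates it, here is an added example (not from the question or answer) that resolves the question's Ref, Fn::FindInMap and Fn::Join calls in plain Python and emits the statement with the answer's `Principal: {AWS: [...]}` shape, plus a check that flags the `Principal: '*'` workaround, which would open the bucket to everyone. The mapping values, parameter names and bucket name are the ones from the question, written in the template's JSON form rather than the YAML short tags.

```python
# Constructed sample: the Mappings from the question in the template's JSON form.
# The entries are role ARNs, which is what a Principal element needs (an
# instance profile ARN is not a valid principal), despite the mapping's name.
MAPPINGS = {
    "EnvironmentToIAMInstanceProfileARN": {
        "dev": {"Profile": ["arn:aws:iam::0000000000:role/AnInstanceProfile"]},
        "test": {"Profile": ["arn:aws:iam::0000000001:role/AppServerInstanceProfile",
                             "arn:aws:iam::0000000001:role/AppProvisioningRole"]},
    }
}

def resolve(node, params, mappings):
    """Evaluate the intrinsic functions the template uses: Ref, Fn::FindInMap, Fn::Join."""
    if isinstance(node, list):
        return [resolve(n, params, mappings) for n in node]
    if not isinstance(node, dict):
        return node
    if "Ref" in node:
        return params[node["Ref"]]
    if "Fn::FindInMap" in node:
        map_name, top_key, second_key = resolve(node["Fn::FindInMap"], params, mappings)
        return mappings[map_name][top_key][second_key]
    if "Fn::Join" in node:
        delimiter, parts = node["Fn::Join"]
        return delimiter.join(resolve(parts, params, mappings))
    return {key: resolve(value, params, mappings) for key, value in node.items()}

def bucket_policy(env, bucket, mappings=MAPPINGS):
    """Build the question's statement with the answer's Principal form, fully resolved."""
    params = {"EnvType": env, "S3NameParam": bucket}
    statement = {
        "Sid": "Restrict access to the IAM Instance ARN",
        "Effect": "Allow",
        "Principal": {"AWS": {"Fn::FindInMap": [
            "EnvironmentToIAMInstanceProfileARN", {"Ref": "EnvType"}, "Profile"]}},
        "Action": ["s3:GetBucketAcl", "s3:GetBucketLocation", "s3:GetObject",
                   "s3:ListBucket", "s3:PutObject"],
        "Resource": [
            {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "S3NameParam"}]]},
            {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "S3NameParam"}, "/*"]]},
        ],
    }
    return {"Version": "2012-10-17", "Statement": [resolve(statement, params, mappings)]}

def wildcard_principals(policy):
    """Sids of Allow statements granted to Principal '*' (the question's workaround): anyone may use them."""
    return [s.get("Sid") for s in policy["Statement"]
            if s.get("Effect") == "Allow" and s.get("Principal") in ("*", {"AWS": "*"})]
```

Running `bucket_policy("test", "my-bucket")` gives the resolved JSON you can compare against what S3 accepts, and `wildcard_principals` is the check to run before deploying if the '*' workaround is still in a template.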