0

我正在编写一个创建 Kinesis Firehose 传输流并将数据发送到 S3 存储桶的 cloudformation 模板。源流是 Kinesis Steam。它创建了 s3 存储桶、策略和角色,但是当它尝试创建 Kinesis Firehose 传输流时,它无法说无法承担角色

经过一些研究,我发现不应使用 root 帐户创建 Delivery。我尝试创建一个新用户,但它仍然给了我同样的错误。

# creates the Kinesis Stream
KinesisStream:
  Type: AWS::Kinesis::Stream
  Properties:
    Name: HealthApp        
    RetentionPeriodHours: 24
    ShardCount: 8

# creates the firehose delivery stream   
KinesisFirehoseDeliveryStream:
  Type: AWS::KinesisFirehose::DeliveryStream
  Properties:
    DeliveryStreamName: HealthAppFirehose   
    DeliveryStreamType: KinesisStreamAsSource
    KinesisStreamSourceConfiguration:
    KinesisStreamARN:
      Fn::GetAtt:
      - KinesisStream
      - Arn
    RoleARN:
      Fn::GetAtt:
      - FirehoseDeliveryIAMRole
      - Arn

  S3DestinationConfiguration:
    BucketARN: !GetAtt MyS3Bucket.Arn
    Prefix: cloudformation-test/kinesis-fh
    BufferingHints:
       IntervalInSeconds: 60
       SizeInMBs: 100
    CloudWatchLoggingOptions:
      Enabled: 'false'
    CompressionFormat: UNCOMPRESSED
    RoleARN:
      Fn::GetAtt:
      - FirehoseDeliveryIAMRole
      - Arn
DependsOn:
- FirehoseDeliveryIAMPolicy


FirehoseDeliveryIAMRole:
 Type: AWS::IAM::Role
 Properties:
  AssumeRolePolicyDocument:
    Version: '2012-10-17'
    Statement:

      Effect: Allow
      Principal:
        Service: firehose.amazonaws.com
      Action: sts:AssumeRole
      Condition:
        StringEquals:
          sts:ExternalId: ACCOUNT_NUMBER


FirehoseDeliveryIAMPolicy:
  Type: AWS::IAM::Policy
  Properties:
  PolicyName: HealthAppPolicy

  PolicyDocument:
    Version: '2012-10-17'
    Statement:
    - Effect: Allow
      Action:
      - s3:AbortMultipartUpload
      - s3:GetBucketLocation
      - s3:GetObject
      - s3:ListBucket
      - s3:ListBucketMultipartUploads
      - s3:PutObject
      Resource:
      - arn:aws:s3:::health-app-bucket/cloudformation-test/kinesis-fh*
    - Effect: Allow
      Action:
      - kinesis:DescribeStream
      - kinesis:GetShardIterator
      - kinesis:GetRecords
      Resource:
        Fn::GetAtt:
        - KinesisStream
        - Arn
  Roles:
  - Ref: FirehoseDeliveryIAMRole
DependsOn:
- KinesisStream

​</p> 

Outputs:
  kinesisStreamArn:
    Description: Kinesis Stream ARN
    Value:
      Fn::GetAtt:
       - KinesisStream
       - Arn
  firehoseDeliveryStreamArn:
  Description: Firehose Delivery Stream ARN
  Value:
    Fn::GetAtt:
    - KinesisFirehoseDeliveryStream
    - Arn
firehoseDeliveryRoleArn:
  Description: Firehose Delivery Role ARN
  Value:
    Fn::GetAtt:
    - FirehoseDeliveryIAMRole
    - Arn

我希望成功创建交付流。任何帮助,将不胜感激。

谢谢

4

1 回答 1

0

要检查的两件事:

  1. 我想知道 ACCOUNT_NUMBER 是否被正确设置和解释。您可以通过删除整个Condition语句作为测试来检查这一点。作为测试(不用于生产)删除以下内容并查看它是否有效
      Condition:
        StringEquals:
          sts:ExternalId: ACCOUNT_NUMBER
  1. 您创建的用户是否有权创建 IAM 策略和角色?你说

    我尝试创建一个新用户,但它仍然给了我同样的错误

同样,仅对于测试/调试,您可以为该用户提供以下策略并查看它是否有效

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "iam:*",
    "Resource": "*"
  }
}

如果这是问题,请使用来确定执行 CloudFormation 的 IAM 用户所需的实际策略

于 2019-10-03T20:31:33.533 回答