Amazon cloudformation 如何通过CloudFormation获取AWS KMS密钥Arn并将其传递到IAM角色内联策略中?
我试图通过CloudFormation模板创建IAM角色和KMS密钥。我的要求是,首先我需要创建KMS密钥,获取密钥的ARN,然后在创建IAM角色时,通过该KMS ARN。这就是我的政策:Amazon cloudformation 如何通过CloudFormation获取AWS KMS密钥Arn并将其传递到IAM角色内联策略中?,amazon-cloudformation,amazon-iam,aws-kms,Amazon Cloudformation,Amazon Iam,Aws Kms,我试图通过CloudFormation模板创建IAM角色和KMS密钥。我的要求是,首先我需要创建KMS密钥,获取密钥的ARN,然后在创建IAM角色时,通过该KMS ARN。这就是我的政策: Resources: myKey: Type: AWS::KMS::Key Properties: Description: Key for encrypting S3 Buckets Enabled: TRUE KeyPolicy: V
Resources:
myKey:
Type: AWS::KMS::Key
Properties:
Description: Key for encrypting S3 Buckets
Enabled: TRUE
KeyPolicy:
Version: '2012-10-17'
Statement:
- Sid: Enable IAM User Permissions
Effect: Allow
Principal:
AWS: arn:aws:iam::11111111:root
Action: kms:*
Resource: '*'
KeyUsage: ENCRYPT_DECRYPT
myAlias:
Type: AWS::KMS::Alias
Properties:
AliasName: alias/key_for_s3_encrytpion
TargetKeyId:
Ref: myKey
RootRole:
Type: 'AWS::IAM::Role'
Properties:
RoleName: 'Lambda-S3-SNS-VPC-Role-cft'
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action:
- 'sts:AssumeRole'
Path: /
ManagedPolicyArns:
- !Ref AmazonVPCFullAccessARN
- !Ref AmazonS3FullAccessARN
- !Ref AWSLambdaBasicExecutionRoleARN
- !Ref AmazonSNSFullAccessARN
- !Ref AmazonSSMFullAccessARN
Policies:
- PolicyName: kms_cross_account
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- "kms:Decrypt"
- "kms:Encrypt"
- "kms:GenerateDataKey"
- "kms:DescribeKey"
- "kms:ReEncrypt*"
Resource:
- <Here I need to pass KMS Key ARN created above>
但它直接把这个整体作为一个字符串来解决。我用过!GetAtt myKey.Arn以解决iAM角色中的KMS Arn问题。我用过!GetAtt myKey.Arn要在iAM角色中获取KMS Arn,可以使用DependsOn吗?可以使用DependsOn吗?
- !Sub 'arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/key_for_s3_encrytpion'