Amazon Web Services: CloudFormation policy is generated incorrectly
CloudFormation does not generate the policy described in the template. I want to create/recreate this policy in my role:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "cloudWatch:ListDashboards"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "cloudwatch:GetDashboard",
            "Resource": "arn:aws:cloudwatch::xxxx:dashboard/test"
        }
    ]
}
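This is my CloudFormation template (see the policy):
However, this does not generate the desired policy. I get the following output, which is missing the first part of the policy I want. Why?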
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "cloudwatch:GetDashboard",
            "Resource": "arn:aws:cloudwatch::xxxx:dashboard/Test",
            "Effect": "Allow"
        }
    ]
}
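You provided two Actions for the same Statement, and the CloudFormation engine used the latter, overwriting cloudWatch:ListDashboards.
Since Statement is a list, you can write two statements as follows: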
CustomResourceRole:
  Type: 'AWS::IAM::Role'
  Properties:
    AssumeRolePolicyDocument:
      Version: 2012-10-17
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - ec2.amazonaws.com
          Action:
            - 'sts:AssumeRole'
    Path: /
    Policies:
      - PolicyName:
          !Sub
            - Cloudwatch${PolicyCustomName}DashboardAccessPolicy
            - { PolicyCustomName: !Ref Tenant }
        PolicyDocument:
          Version: 2012-10-17
          Statement:
            - Effect: Allow
              Action: "cloudWatch:ListDashboards"
              Resource: '*'
            - Effect: Allow
              Action: 'cloudwatch:GetDashboard'
              Resource: 'arn:aws:cloudwatch::xxxx:dashboard/Test'
RootInstanceProfile:
  Type: 'AWS::IAM::InstanceProfile'
  Properties:
    Path: /
    Roles:
      - !Ref CustomResourceRole
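A pre-deployment check for the mistake described in the answer, as an added example that is not part of the original question or answer: it reports every key repeated inside one JSON object and shows which value is dropped. The template fragment and the function names `find_duplicate_keys` and `effective_actions` are constructed for illustration; Python's standard `json` module is used because, like the behaviour described above, it keeps the later value of a repeated key.

```python
import json

# Constructed sample: a single policy statement that repeats "Action" and
# "Resource". This is an assumption about the mistake, not the asker's template.
SAMPLE_TEMPLATE = """
{
  "PolicyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "cloudwatch:ListDashboards",
        "Resource": "*",
        "Action": "cloudwatch:GetDashboard",
        "Resource": "arn:aws:cloudwatch::xxxx:dashboard/Test"
      }
    ]
  }
}
"""


def find_duplicate_keys(text):
    """Parse JSON; return (parsed, [(key, dropped_value, kept_value), ...])."""
    duplicates = []

    def hook(pairs):
        obj = {}
        for key, value in pairs:
            if key in obj:
                # A plain dict would silently keep only the later value.
                duplicates.append((key, obj[key], value))
            obj[key] = value
        return obj

    return json.loads(text, object_pairs_hook=hook), duplicates


def effective_actions(parsed):
    """Actions that survive parsing, as one list per statement."""
    result = []
    for stmt in parsed["PolicyDocument"]["Statement"]:
        action = stmt["Action"]
        result.append(action if isinstance(action, list) else [action])
    return result


if __name__ == "__main__":
    parsed, dups = find_duplicate_keys(SAMPLE_TEMPLATE)
    for key, dropped, kept in dups:
        print(f"duplicate key {key!r}: dropped {dropped!r}, kept {kept!r}")
    print("effective actions:", effective_actions(parsed))
```

Failing the build when the duplicate list is non-empty catches a permission that would otherwise disappear from the deployed role without any error.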