Amazon Web Services: CloudFormation policy is generated incorrectly


CloudFormation does not generate the policy described in the template.

I want to create/recreate this policy in my role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "cloudWatch:ListDashboards"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "cloudwatch:GetDashboard",
            "Resource": "arn:aws:cloudwatch::xxxx:dashboard/test"
        }
    ]
}
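
This is my CloudFormation template (see the policies):

However, this does not generate the desired policy. The output I get is missing the first part of the policy I want. Why?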

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "cloudwatch:GetDashboard",
            "Resource": "arn:aws:cloudwatch::xxxx:dashboard/Test",
            "Effect": "Allow"
        }
    ]
}

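You provided two Action keys for the same Statement, and the CloudFormation engine used the latter, overriding cloudWatch:ListDashboards.

Since Statement is a list, you can write the following two statements: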

  CustomResourceRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
              - ec2.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName:
            !Sub
              - Cloudwatch${PolicyCustomName}DashboardAccessPolicy
              - { PolicyCustomName: !Ref Tenant }
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action: "cloudWatch:ListDashboards"
                Resource: '*'
              - Effect: Allow
                Action: 'cloudwatch:GetDashboard'
                Resource: 'arn:aws:cloudwatch::xxxx:dashboard/Test'
  RootInstanceProfile:
    Type: 'AWS::IAM::InstanceProfile'
    Properties:
      Path: /
      Roles:
        - !Ref CustomResourceRole
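
As an added example (not part of the original answer): a pre-deployment check in Python that flags a key repeated inside a single block mapping, the mistake the answer describes. The name `find_duplicate_keys` and the `BROKEN`/`FIXED` snippets are constructed for illustration, since the question's own template does not appear on this page; the scanner is a line-based heuristic, not a full YAML parser.

```python
import re

# Heuristic: plain block-style "key:" only; flow mappings ({...}) and block
# scalars (| or >) are not interpreted.
KEY = re.compile(r"^([A-Za-z_][\w.-]*)\s*:(?:\s|$)")

def find_duplicate_keys(text):
    """Return (key, first_line, repeat_line) for keys repeated in one mapping."""
    scopes, found = [], []  # scopes: stack of (indent, {key: line_no})
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body, new_item = raw.lstrip(" "), False
        while body.startswith("- "):  # each "- " starts a new list item
            body, new_item = body[2:].lstrip(" "), True
        match = KEY.match(body)
        if not match:
            continue  # blank line, comment, scalar list item or tag such as !Sub
        indent = len(raw) - len(body)
        while scopes and scopes[-1][0] > indent:
            scopes.pop()  # deeper mappings have ended
        if new_item and scopes and scopes[-1][0] == indent:
            scopes.pop()  # a sibling list item is a separate mapping
        if not scopes or scopes[-1][0] < indent:
            scopes.append((indent, {}))
        first = scopes[-1][1].setdefault(match.group(1), line_no)
        if first != line_no:
            found.append((match.group(1), first, line_no))
    return found

# Constructed sample: one statement whose Action and Resource keys repeat.
BROKEN = """\
Statement:
  - Effect: Allow
    Action: 'cloudWatch:ListDashboards'
    Resource: '*'
    Action: 'cloudwatch:GetDashboard'
    Resource: 'arn:aws:cloudwatch::xxxx:dashboard/Test'
"""
# The same permissions as two list items, the layout used in the answer.
FIXED = """\
Statement:
  - Effect: Allow
    Action: 'cloudWatch:ListDashboards'
    Resource: '*'
  - Effect: Allow
    Action: 'cloudwatch:GetDashboard'
    Resource: 'arn:aws:cloudwatch::xxxx:dashboard/Test'
"""
if __name__ == "__main__":
    print("BROKEN:", find_duplicate_keys(BROKEN))
    print("FIXED: ", find_duplicate_keys(FIXED))
```

Running the check on a template before deployment surfaces the repeated key, which otherwise disappears silently from the generated policy.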
