Amazon web services AWS云信息IAM策略与资源
我想做的是创建一个IAM策略,该策略只允许访问某个S3 bucket,我想将该S3 bucket作为参数传递 根据AWS的文档,IAM策略云信息模板是这样的:Amazon web services AWS云信息IAM策略与资源,amazon-web-services,amazon-cloudformation,Amazon Web Services,Amazon Cloudformation,我想做的是创建一个IAM策略,该策略只允许访问某个S3 bucket,我想将该S3 bucket作为参数传递 根据AWS的文档,IAM策略云信息模板是这样的: "RolePolicies": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "root", "PolicyDocument": { "Version" : "2012-10-17",
"RolePolicies": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "root",
"PolicyDocument": {
"Version" : "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Action": "*",
"Resource": "*"
} ]
},
问题是,如何将“资源”作为参数?该参数应该是S3存储桶的arn(例如arn:aws:S3::S3存储桶名称)。我是简单地输入一个字符串类型参数并键入整个arn,还是类似于AWS::S3::Bucket类型?不管怎样,我都不确定在“资源”后面键入什么
谢谢 您可以与或一起使用
例如:
"Parameters" : {
"BucketName" : {
"Type" : "String",
"Description" : "S3 Bucket name."
}
}
使用Ref和Fn::Join
...
"Resource": { "Fn::Join" : [ "", [ "arn:aws:s3:::", { "Ref" : "BucketName"} ] ] }
...
带Fn::Sub:
...
"Resource": { "Fn::Sub": [ "arn:aws:s3:::${BucketName}" ] }
...
有关模板参数的更多信息聚会晚了一点 如果您的bucket是在参考资料中声明的,如下所示:
...
Resources:
MyBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: my-bucket-name
...
…然后您可以使用Fn::GetAtt轻松地引用它的ARN:
Resource:
Fn::GetAtt: [ MyBucket, "Arn" ]