Amazon Web Services: Add a statement to the Serverless "KeyPolicy" on a KMS resource

I have a serverless application that creates a KMS resource:

# serverless.yml 1
resources:
  Resources:
    SomeLambdaRole:
      Type: AWS::IAM::Role
    AnotherLambdaRole:
      Type: AWS::IAM::Role
    TheKey:
      Type: AWS::KMS::Key
      DeletionPolicy: Retain
      Properties:
        Description: The key
        Enabled: true
        KeyPolicy:
          Version: '2012-10-17'
          Statement:
            - Sid: Allow use of the key
              Effect: Allow
              Principal:
                AWS:
                  - Fn::GetAtt: [SomeLambdaRole, Arn]
                  - Fn::GetAtt: [AnotherLambdaRole, Arn]
              Action:
                - 'kms:Encrypt'
                - 'kms:Decrypt'
                - 'kms:ReEncrypt*'  # the KMS permissions are kms:ReEncryptFrom and kms:ReEncryptTo
                - 'kms:GenerateDataKey*'
              Resource: '*'
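
From another serverless application that creates some roles, I would like to grant those new roles the same permissions as SomeLambdaRole and AnotherLambdaRole for the "TheKey" resource.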

Is this possible, or should I try another approach?

# serverless.yml 2
resources:
  Resources:
    YetAnotherLambdaRole:
      Type: AWS::IAM::Role
# Do something to let this role have the same permission as "SomeLambdaRole" and "AnotherLambdaRole" for the "TheKey" Resource