Amazon web services AWS支持资源之间的循环依赖关系
我正在尝试创建sagemaker角色,作为信任主体,我需要服务sagemaker以及该角色。问题是我得到以下错误: 调用CreateChangeSet操作时出错(ValidationError):资源之间的循环依赖:[SagemakerRole]Amazon web services AWS支持资源之间的循环依赖关系,amazon-web-services,amazon-cloudformation,amazon-iam,Amazon Web Services,Amazon Cloudformation,Amazon Iam,我正在尝试创建sagemaker角色,作为信任主体,我需要服务sagemaker以及该角色。问题是我得到以下错误: 调用CreateChangeSet操作时出错(ValidationError):资源之间的循环依赖:[SagemakerRole] sagemakerole: 类型:“AWS::IAM::角色” 特性: RoleName:sagemaker角色 假设政策文件: 版本:2012-10-17 声明: -效果:允许 负责人: 服务: -sagemaker.amazonaws.com 行动
sagemakerole:
类型:“AWS::IAM::角色”
特性:
RoleName:sagemaker角色
假设政策文件:
版本:2012-10-17
声明:
-效果:允许
负责人:
服务:
-sagemaker.amazonaws.com
行动:“sts:假设角色”
-效果:允许
负责人:
美国焊接学会:
- !萨格马克罗酒店
行动:“sts:假设角色”
路径:/
ManagedPolicyArns:
-arn:aws:iam::aws:policy/AmazonS3FullAccess
-arn:aws:iam::aws:policy/AmazonSManageMakerFullAccess
我需要通过以下原则“arn:aws:iam:${aws::AccountId}:role/sagemaker role”我认为唯一的方法是通过两个阶段:
Resources:
SagemakerRole:
Type: 'AWS::IAM::Role'
Properties:
RoleName: sagemaker-role
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- sagemaker.amazonaws.com
Action: 'sts:AssumeRole'
Path: /
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AmazonS3FullAccess
- arn:aws:iam::aws:policy/AmazonSageMakerFullAccess
LambdaBasicExecutionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: sts:AssumeRole
Path: /
Policies:
- PolicyName: UpdateAssumePolicy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- iam:UpdateAssumeRolePolicy
- iam:GetRole
Resource: !GetAtt SagemakerRole.Arn
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
MyCustomResource:
Type: Custom::RoleAssumesItself
Properties:
ServiceToken: !GetAtt MyCustomFunction.Arn
RoleName: !Ref SagemakerRole
MyCustomFunction:
Type: AWS::Lambda::Function
Properties:
Handler: index.lambda_handler
Timeout: 10
Role: !GetAtt 'LambdaBasicExecutionRole.Arn'
Runtime: python3.7
Code:
ZipFile: |
import json
import cfnresponse
import boto3
iam = boto3.resource('iam')
def lambda_handler(event, context):
print(json.dumps(event, default=str))
try:
responseData = {}
if event['RequestType'] in ["Create"]:
role_name = event['ResourceProperties']['RoleName']
role = iam.Role(role_name)
current_permissions = role.assume_role_policy_document
print(current_permissions)
current_permissions['Statement'].append(
{'Effect': 'Allow',
'Principal':
{'AWS': role.arn},
'Action': 'sts:AssumeRole'
})
#print(current_permissions)
response = role.AssumeRolePolicy().update(
PolicyDocument=json.dumps(current_permissions))
print(response)
cfnresponse.send(event, context,
cfnresponse.SUCCESS, responseData)
else:
print('Unexpected RequestType!')
cfnresponse.send(event, context,
cfnresponse.SUCCESS, responseData)
except Exception as err:
print(str(err))
responseData = {"Data": str(err)}
cfnresponse.send(event,context,
cfnresponse.FAILED,responseData)
return
这是SM需要的吗?我让docker容器运行R(自带容器),在R代码中,我需要假设这个角色能够将数据存储到S3。顺便说一句,当我在控制台中编写信任策略时,这是有效的。我想将其保存为cloudformation脚本,但我不知道如何保存。而不是
!请参考SagemakerRole
,然后再试一次!子'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/sagemaker role'@jarmod它将不起作用,因为在创建策略时它会检查角色是否存在。使用时出现错误消息!用于构建角色arn的子函数这可能是更新角色信任策略的另一种方法。