Amazon web services 如何在云信息中引用AWS管理的策略arn?
我将使用cloudformation创建一个IAM用户,并需要附加一个AWS管理策略Amazon web services 如何在云信息中引用AWS管理的策略arn?,amazon-web-services,amazon-cloudformation,amazon-iam,Amazon Web Services,Amazon Cloudformation,Amazon Iam,我将使用cloudformation创建一个IAM用户,并需要附加一个AWS管理策略AWSAPSyncInvokeelAccess。我想我应该使用如下代码中的托管策略: Resources: publisherUser: Type: AWS::IAM::User Properties: UserName: userName ManagedPolicyArns: - !Ref AWSAppSyncInvokeFullAccess
AWSAPSyncInvokeelAccess
。我想我应该使用如下代码中的托管策略:
Resources:
publisherUser:
Type: AWS::IAM::User
Properties:
UserName: userName
ManagedPolicyArns:
- !Ref AWSAppSyncInvokeFullAccess
- !Ref AWSLambdaBasicExecutionRole
但它不起作用,因为
awsapsyncInvokeelAccess
来自AWS,而不是来自此模板。引用策略的正确方法是什么?这些是现有的AWS管理策略。因此,您应该使用他们的完整ARN,您可以从IAM控制台获得:
Resources:
publisherUser:
Type: AWS::IAM::User
Properties:
UserName: userName
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AWSAppSyncInvokeFullAccess
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
更新
或者使其独立于分区:
Resources:
publisherUser:
Type: AWS::IAM::User
Properties:
UserName: userName
ManagedPolicyArns:
- !Sub "arn:${AWS::Partition}:iam::aws:policy/AWSAppSyncInvokeFullAccess"
- !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
这些是现有的AWS管理策略。因此,您应该使用他们的完整ARN,您可以从IAM控制台获得:
Resources:
publisherUser:
Type: AWS::IAM::User
Properties:
UserName: userName
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AWSAppSyncInvokeFullAccess
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
更新
或者使其独立于分区:
Resources:
publisherUser:
Type: AWS::IAM::User
Properties:
UserName: userName
ManagedPolicyArns:
- !Sub "arn:${AWS::Partition}:iam::aws:policy/AWSAppSyncInvokeFullAccess"
- !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
psuedoparameter使其分区不可知,psuedoparameter使其分区不可知