问题
I am trying to create a role with embedded policy using cloudformation template :
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"SQSRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version" : "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Principal": {
"Service": [ "sqs.amazonaws.com" ]
},
"Action": [
"SQS:SendMessage",
"SQS:ReceiveMessage",
"SQS:DeleteMessage",
"SQS:GetQueueUrl"
]
} ]
},
"Path": "/"
}
},
"RootInstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [ {
"Ref": "SQSRole"
} ]
}
}
}
}
It gives an error " Invalid principal in policy: "SERVICE":"sqs.amazonaws.com".
I also tried by replacing exact URL of SQS queue : "SERVICE":"sqs.ap-south-1.amazonaws.com/710161973367/CFI-Trace"
Still it gives same error. Not sure what service to specify for sqs.
回答1:
If you're trying to create an IAM role to be assumed by an EC2 instance, you should use this instead:
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"SQSRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"Policies": [
{
"PolicyName": "SqsAccess",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Action": [
"SQS:SendMessage",
"SQS:ReceiveMessage",
"SQS:DeleteMessage",
"SQS:GetQueueUrl"
],
"Resource": [
"*"
]
}
]
}
}
]
}
},
"RootInstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [
{
"Ref": "SQSRole"
}
]
}
}
}
}
Note that the service that will assume your IAM role is now ec2.amazonaws.com. Also, the EC2 service is now only allowed to assume your IAM role (via sts:AssumeRole). Finally, all your sqs:* Actions have been moved into the IAM Role's Policies attribute.
来源:https://stackoverflow.com/questions/41430768/cloudformation-template-to-create-a-role-for-sqs