使用 cloudformation 时,Kinesis Firehose Delivery Stream 无法承担角色
Kinesis Firehose Delivery Stream is unable to assume role while using cloudformation
我正在编写一个 cloudformation 模板来创建 Kinesis Firehose Delivery Stream 并将数据发送到 S3 存储桶。源流是 Kinesis Steam。它创建了 s3 存储桶、策略和角色,但是当它尝试创建 Kinesis Firehose Delivery Stream 时,它失败说无法承担角色
经过一些研究,我发现不应该使用 root 帐户创建 Delivery。我尝试创建一个新用户,但它仍然给了我同样的错误。
# creates the Kinesis Stream
KinesisStream:
Type: AWS::Kinesis::Stream
Properties:
Name: HealthApp
RetentionPeriodHours: 24
ShardCount: 8
# creates the firehose delivery stream
KinesisFirehoseDeliveryStream:
Type: AWS::KinesisFirehose::DeliveryStream
Properties:
DeliveryStreamName: HealthAppFirehose
DeliveryStreamType: KinesisStreamAsSource
KinesisStreamSourceConfiguration:
KinesisStreamARN:
Fn::GetAtt:
- KinesisStream
- Arn
RoleARN:
Fn::GetAtt:
- FirehoseDeliveryIAMRole
- Arn
S3DestinationConfiguration:
BucketARN: !GetAtt MyS3Bucket.Arn
Prefix: cloudformation-test/kinesis-fh
BufferingHints:
IntervalInSeconds: 60
SizeInMBs: 100
CloudWatchLoggingOptions:
Enabled: 'false'
CompressionFormat: UNCOMPRESSED
RoleARN:
Fn::GetAtt:
- FirehoseDeliveryIAMRole
- Arn
DependsOn:
- FirehoseDeliveryIAMPolicy
FirehoseDeliveryIAMRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
Effect: Allow
Principal:
Service: firehose.amazonaws.com
Action: sts:AssumeRole
Condition:
StringEquals:
sts:ExternalId: ACCOUNT_NUMBER
FirehoseDeliveryIAMPolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: HealthAppPolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- s3:AbortMultipartUpload
- s3:GetBucketLocation
- s3:GetObject
- s3:ListBucket
- s3:ListBucketMultipartUploads
- s3:PutObject
Resource:
- arn:aws:s3:::health-app-bucket/cloudformation-test/kinesis-fh*
- Effect: Allow
Action:
- kinesis:DescribeStream
- kinesis:GetShardIterator
- kinesis:GetRecords
Resource:
Fn::GetAtt:
- KinesisStream
- Arn
Roles:
- Ref: FirehoseDeliveryIAMRole
DependsOn:
- KinesisStream
Outputs:
kinesisStreamArn:
Description: Kinesis Stream ARN
Value:
Fn::GetAtt:
- KinesisStream
- Arn
firehoseDeliveryStreamArn:
Description: Firehose Delivery Stream ARN
Value:
Fn::GetAtt:
- KinesisFirehoseDeliveryStream
- Arn
firehoseDeliveryRoleArn:
Description: Firehose Delivery Role ARN
Value:
Fn::GetAtt:
- FirehoseDeliveryIAMRole
- Arn
我希望成功创建传输流。任何帮助,将不胜感激。
谢谢
要检查两件事:
- 我想知道 ACCOUNT_NUMBER 的设置和解释是否正确。您可以通过删除整个
Condition
语句作为测试来检查这一点。作为测试(不用于生产)删除以下内容并查看它是否有效
Condition:
StringEquals:
sts:ExternalId: ACCOUNT_NUMBER
- 您创建的用户是否有权创建 IAM 策略和角色?你说
I tried creating a new user but it still gave me the same error
同样,只有 testing/debugging 您可以为该用户提供以下策略,看看它是否有效
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "iam:*",
"Resource": "*"
}
}
如果这是问题所在,请使用 this 确定执行 CloudFormation 的 IAM 用户所需的实际策略
我正在编写一个 cloudformation 模板来创建 Kinesis Firehose Delivery Stream 并将数据发送到 S3 存储桶。源流是 Kinesis Steam。它创建了 s3 存储桶、策略和角色,但是当它尝试创建 Kinesis Firehose Delivery Stream 时,它失败说无法承担角色
经过一些研究,我发现不应该使用 root 帐户创建 Delivery。我尝试创建一个新用户,但它仍然给了我同样的错误。
# creates the Kinesis Stream
KinesisStream:
Type: AWS::Kinesis::Stream
Properties:
Name: HealthApp
RetentionPeriodHours: 24
ShardCount: 8
# creates the firehose delivery stream
KinesisFirehoseDeliveryStream:
Type: AWS::KinesisFirehose::DeliveryStream
Properties:
DeliveryStreamName: HealthAppFirehose
DeliveryStreamType: KinesisStreamAsSource
KinesisStreamSourceConfiguration:
KinesisStreamARN:
Fn::GetAtt:
- KinesisStream
- Arn
RoleARN:
Fn::GetAtt:
- FirehoseDeliveryIAMRole
- Arn
S3DestinationConfiguration:
BucketARN: !GetAtt MyS3Bucket.Arn
Prefix: cloudformation-test/kinesis-fh
BufferingHints:
IntervalInSeconds: 60
SizeInMBs: 100
CloudWatchLoggingOptions:
Enabled: 'false'
CompressionFormat: UNCOMPRESSED
RoleARN:
Fn::GetAtt:
- FirehoseDeliveryIAMRole
- Arn
DependsOn:
- FirehoseDeliveryIAMPolicy
FirehoseDeliveryIAMRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
Effect: Allow
Principal:
Service: firehose.amazonaws.com
Action: sts:AssumeRole
Condition:
StringEquals:
sts:ExternalId: ACCOUNT_NUMBER
FirehoseDeliveryIAMPolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: HealthAppPolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- s3:AbortMultipartUpload
- s3:GetBucketLocation
- s3:GetObject
- s3:ListBucket
- s3:ListBucketMultipartUploads
- s3:PutObject
Resource:
- arn:aws:s3:::health-app-bucket/cloudformation-test/kinesis-fh*
- Effect: Allow
Action:
- kinesis:DescribeStream
- kinesis:GetShardIterator
- kinesis:GetRecords
Resource:
Fn::GetAtt:
- KinesisStream
- Arn
Roles:
- Ref: FirehoseDeliveryIAMRole
DependsOn:
- KinesisStream
Outputs:
kinesisStreamArn:
Description: Kinesis Stream ARN
Value:
Fn::GetAtt:
- KinesisStream
- Arn
firehoseDeliveryStreamArn:
Description: Firehose Delivery Stream ARN
Value:
Fn::GetAtt:
- KinesisFirehoseDeliveryStream
- Arn
firehoseDeliveryRoleArn:
Description: Firehose Delivery Role ARN
Value:
Fn::GetAtt:
- FirehoseDeliveryIAMRole
- Arn
我希望成功创建传输流。任何帮助,将不胜感激。
谢谢
要检查两件事:
- 我想知道 ACCOUNT_NUMBER 的设置和解释是否正确。您可以通过删除整个
Condition
语句作为测试来检查这一点。作为测试(不用于生产)删除以下内容并查看它是否有效
Condition:
StringEquals:
sts:ExternalId: ACCOUNT_NUMBER
- 您创建的用户是否有权创建 IAM 策略和角色?你说
I tried creating a new user but it still gave me the same error
同样,只有 testing/debugging 您可以为该用户提供以下策略,看看它是否有效
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "iam:*",
"Resource": "*"
}
}
如果这是问题所在,请使用 this 确定执行 CloudFormation 的 IAM 用户所需的实际策略