如何通过 cli 命令创建具有 "Another AWS account" 角色类型的 "role"?
how to create "role" with "Another AWS account" role type by cli command?
我正在尝试在 windows 中编写批处理文件以通过 CLI 命令 (actual example) 执行以下步骤,但我不知道如何创建角色并设置 cli 命令"Another AWS account" 角色类型。你介意帮帮我吗?
In the navigation pane on the left, choose Roles and then choose
Create role.
Choose the Another AWS account role type.
For Account ID, type the Development account ID.
This tutorial uses the example account ID 111111111111 for the
Development account. You should use a valid account ID. If you use an
invalid account ID, such as 111111111111, IAM does not let you create
the new role.
For now you do not need to require an external ID, or require users to
have multi-factor authentication (MFA) in order to assume the role. So
leave these options unselected. For more information, see Using
Multi-Factor Authentication (MFA) in AWS
Choose Next: Permissions to set the permissions that will be
associated with the role.
我创建角色的代码:
call aws iam create-role --role-name xxx-S3-Role --assume-role-policy-document file://trustpolicy.json
我的trustpolicy.json
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::222222075333:role/xxx-S3-Role"
}]
}
我收到以下错误:
An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: Has prohibited field Resource
我通过更改两个部分解决了我的问题。
1- 通过修复策略路径
aws iam create-role --role-name xxx-S3-Role --assume-role-policy-document file://c:\foldername\trustpolicy.json
2- 我通过对我从控制台创建的策略进行逆向工程来更改策略的格式,格式如下:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::222222075333:root"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
我正在尝试在 windows 中编写批处理文件以通过 CLI 命令 (actual example) 执行以下步骤,但我不知道如何创建角色并设置 cli 命令"Another AWS account" 角色类型。你介意帮帮我吗?
In the navigation pane on the left, choose Roles and then choose Create role.
Choose the Another AWS account role type.
For Account ID, type the Development account ID.
This tutorial uses the example account ID 111111111111 for the Development account. You should use a valid account ID. If you use an invalid account ID, such as 111111111111, IAM does not let you create the new role.
For now you do not need to require an external ID, or require users to have multi-factor authentication (MFA) in order to assume the role. So leave these options unselected. For more information, see Using Multi-Factor Authentication (MFA) in AWS
Choose Next: Permissions to set the permissions that will be associated with the role.
我创建角色的代码:
call aws iam create-role --role-name xxx-S3-Role --assume-role-policy-document file://trustpolicy.json
我的trustpolicy.json
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::222222075333:role/xxx-S3-Role"
}]
}
我收到以下错误:
An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: Has prohibited field Resource
我通过更改两个部分解决了我的问题。
1- 通过修复策略路径
aws iam create-role --role-name xxx-S3-Role --assume-role-policy-document file://c:\foldername\trustpolicy.json
2- 我通过对我从控制台创建的策略进行逆向工程来更改策略的格式,格式如下:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::222222075333:root"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}