创建 IAM 角色时出错 - 属性 PolicyDocument 的值必须是一个对象
Error creating IAM Role - Value of property PolicyDocument must be an object
我正在创建一个 IAM 角色,以便将日志从一个堆栈发送到另一个堆栈中的运动流。
当我添加权限策略时,它失败并显示错误:
"Value of property PolicyDocument must be an object".
这是我的 cloudformation.template.yml :
KinesisRole:
Type: AWS::IAM::Role
Properties:
RoleName: {'Fn::Sub': 'Kinesis-Role-${AWS::Region}'}
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service: [logs.amazonaws.com]
Action: ['sts:AssumeRole']
Policies:
- PolicyName: KinesisPolicy
PolicyDocument:
- Version: '2017-10-17'
Statement:
- Action: ['kinesis:PutRecord']
Effect: Allow
Resource: '*'
您当前的 PolicyDocument 是 Version 前面的 - 对象列表。另外你的 Version 是错误的。所以应该是:
KinesisRole:
Type: AWS::IAM::Role
Properties:
RoleName: {'Fn::Sub': 'Kinesis-Role-${AWS::Region}'}
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service: [logs.amazonaws.com]
Action: ['sts:AssumeRole']
Policies:
- PolicyName: KinesisPolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Action: ['kinesis:PutRecord']
Effect: Allow
Resource: '*'
我正在创建一个 IAM 角色,以便将日志从一个堆栈发送到另一个堆栈中的运动流。 当我添加权限策略时,它失败并显示错误:
"Value of property PolicyDocument must be an object".
这是我的 cloudformation.template.yml :
KinesisRole:
Type: AWS::IAM::Role
Properties:
RoleName: {'Fn::Sub': 'Kinesis-Role-${AWS::Region}'}
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service: [logs.amazonaws.com]
Action: ['sts:AssumeRole']
Policies:
- PolicyName: KinesisPolicy
PolicyDocument:
- Version: '2017-10-17'
Statement:
- Action: ['kinesis:PutRecord']
Effect: Allow
Resource: '*'
您当前的 PolicyDocument 是 Version 前面的 - 对象列表。另外你的 Version 是错误的。所以应该是:
KinesisRole:
Type: AWS::IAM::Role
Properties:
RoleName: {'Fn::Sub': 'Kinesis-Role-${AWS::Region}'}
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service: [logs.amazonaws.com]
Action: ['sts:AssumeRole']
Policies:
- PolicyName: KinesisPolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Action: ['kinesis:PutRecord']
Effect: Allow
Resource: '*'