Create IAM role from template in SAM

I am trying to add an IAM role to an existing template that allows specific access to a bucket from an external source (Snowflake):

RoleNameForAccess:
    Type: AWS::IAM::Role
    Properties: 
      RoleName: RoleNameForAccess
      Description: A role that allows snowflake to access the bucket
      Policies: 
        - PolicyName: 'SnowflakePolicyRole'
        - PolicyDocument:
          - Version: '2012-10-17'
            Statement:
            - Effect: Allow
              Action: 
                - s3:PutObject
                - s3:GetObject
                - s3:GetObjectVersion
                - s3:DeleteObject
                - s3:DeleteObjectVersion
              Resource: arn:aws:s3:::bucket-name/*
            - Effect: Allow
              Action: s3:ListBucket
              Resource: arn:aws:s3:::bucket-name
              Condition:
                StringLike:
                  s3:prefix:
                  - "*"

But it keeps throwing this error:

Property PolicyDocument cannot be empty.

If I use dashes in the policy document, I get this error instead:

Value of property PolicyDocument must be an object

Maybe I am missing some syntax, but I cannot find what it is.

Thanks

You have a small mistake. You can have multiple policies, so Policies is an array:

RoleNameForAccess:
    Type: AWS::IAM::Role
    Properties: 
      RoleName: RoleNameForAccess
      Description: A role that allows snowflake to access the bucket
      Policies: 
        - PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: 
                  - s3:PutObject
                  - s3:GetObject
                  - s3:GetObjectVersion
                  - s3:DeleteObject
                  - s3:DeleteObjectVersion
                Resource: arn:aws:s3:::bucket-name/*
              - Effect: Allow
                Action: s3:ListBucket
                Resource: arn:aws:s3:::bucket-name
                Condition:
                  StringLike:
                    s3:prefix:
                    - "*"

PolicyName and AssumeRolePolicyDocument are missing. Updated according to the user guide here. You can change the Principal in the updated AssumeRolePolicyDocument section below according to your requirements:

  RoleNameForAccess:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - arn:aws:iam::111111111111:user/testuser
            Action:
              - 'sts:AssumeRole'
      RoleName: RoleNameForAccess
      Description: A role that allows snowflake to access the bucket
      Policies: 
        - PolicyName: SnowflakePolicyRole
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: 
                  - s3:PutObject
                  - s3:GetObject
                  - s3:GetObjectVersion
                  - s3:DeleteObject
                  - s3:DeleteObjectVersion
                Resource: arn:aws:s3:::bucket-name/*
              - Effect: Allow
                Action: s3:ListBucket
                Resource: arn:aws:s3:::bucket-name
                Condition:
                  StringLike:
                    s3:prefix:
                    - "*"
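As an added example (not part of the question or either answer), a small structural lint that reproduces the two CloudFormation complaints above and also flags the missing trust policy. It takes the template resource as an already-parsed dict (what yaml.safe_load or json.load would return); the two resources embedded below are constructed to mirror the question's broken role and the corrected one, with the S3 statement shortened.

```python
# Added example, not the poster's code. Lints one AWS::IAM::Role resource
# (as a dict) for the Policies / PolicyDocument layout errors from the question.

def lint_iam_role(resource):
    """Return a list of problems for one AWS::IAM::Role resource (empty = OK)."""
    problems = []
    props = resource.get("Properties", {})
    # A role without a trust policy is rejected by CloudFormation outright.
    if "AssumeRolePolicyDocument" not in props:
        problems.append("AssumeRolePolicyDocument is required")
    policies = props.get("Policies", [])
    if not isinstance(policies, list):
        return problems + ["Policies must be a list"]
    for i, policy in enumerate(policies):
        # Each list item must be ONE mapping holding both keys. Writing
        # '- PolicyName:' and '- PolicyDocument:' under separate dashes yields
        # two half-policies, hence "Property PolicyDocument cannot be empty".
        if not isinstance(policy, dict):
            problems.append(f"Policies[{i}] must be an object")
            continue
        if "PolicyName" not in policy:
            problems.append(f"Policies[{i}]: PolicyName is required")
        doc = policy.get("PolicyDocument")
        if doc is None:
            problems.append(f"Policies[{i}]: Property PolicyDocument cannot be empty")
        elif not isinstance(doc, dict):
            # A dash before 'Version:' turns the document into a list.
            problems.append(f"Policies[{i}]: Value of property PolicyDocument must be an object")
        elif not isinstance(doc.get("Statement"), list):
            problems.append(f"Policies[{i}]: PolicyDocument.Statement must be a list")
    return problems

# Constructed sample data mirroring the thread (S3 statement shortened).
STATEMENT = [{"Effect": "Allow", "Action": ["s3:GetObject"],
              "Resource": "arn:aws:s3:::bucket-name/*"}]

BROKEN = {"Type": "AWS::IAM::Role", "Properties": {
    "RoleName": "RoleNameForAccess",
    "Policies": [{"PolicyName": "SnowflakePolicyRole"},           # first dash
                 {"PolicyDocument": [{"Version": "2012-10-17",     # second dash
                                      "Statement": STATEMENT}]}]}}

FIXED = {"Type": "AWS::IAM::Role", "Properties": {
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws:iam::111111111111:user/testuser"}}]},
    "RoleName": "RoleNameForAccess",
    "Policies": [{"PolicyName": "SnowflakePolicyRole",
                  "PolicyDocument": {"Version": "2012-10-17", "Statement": STATEMENT}}]}}
```

Running lint_iam_role(BROKEN) reports the missing trust policy plus both PolicyDocument errors, while lint_iam_role(FIXED) returns an empty list.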