AWS CFT How to append list parameter to list of static string options
I am trying to create a bucket policy that allows both same-account roles and cross-account roles. Here CicdDeploymentRoleArn is a list of cross-account role ARNs.
Parameters:
  CicdDeploymentRoleArn:
    Type: CommaDelimitedList
    Description: >-
      The ARN of the CICD deployment role that will need access to the S3
    Default: >-
      arn:aws:iam::xxx:role/preprod,arn:aws:iam::xxx:role/prod
InfraBucketPolicy:
  Properties:
    Bucket: !Ref InfraBucket
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Action:
            - "s3:*"
          Effect: Allow
          Principal:
            AWS:
              - !Sub "arn:aws:iam::${AWS::AccountId}:role/human-role/PowerUser2"
              - !Ref CicdDeploymentRoleArn # How to refer list here ?
          Resource:
            - !Join [ "", [ !GetAtt InfraBucket.Arn, "/*" ] ]
  Type: "AWS::S3::BucketPolicy"
You can combine Split and Join (pay attention to the indentation):
InfraBucketPolicy:
  Properties:
    Bucket: !Ref InfraBucket
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Action:
            - "s3:*"
          Effect: Allow
          Principal:
            AWS:
              !Split
              - ","
              - !Join
                - ","
                - - !Sub "arn:aws:iam::${AWS::AccountId}:role/human-role/PowerUser2"
                  - !Join [",", !Ref CicdDeploymentRoleArn]
          Resource:
            - !Join [ "", [ !GetAtt InfraBucket.Arn, "/*" ] ]
  Type: "AWS::S3::BucketPolicy"
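To see what the Join/Split trick above actually resolves to, here is an added example (not code from the question or the answer): a tiny resolver for the intrinsic functions used in the answer (Ref, Fn::Sub, Fn::Join, Fn::Split), applied to that Principal.AWS expression. The account id and the role ARNs are constructed sample values; it also shows that an empty parameter leaves an empty string in the principal list, which is not a valid principal ARN.

```python
# Added example, not from the original page: a minimal resolver for the
# intrinsic functions the answer relies on, so the resulting Principal.AWS
# list can be inspected offline. Account id and role ARNs are constructed.

ACCOUNT_ID = "111111111111"  # constructed stand-in for AWS::AccountId


def resolve(node, params):
    """Recursively evaluate the subset of intrinsic functions used in the answer."""
    if isinstance(node, list):
        return [resolve(n, params) for n in node]
    if not isinstance(node, dict):
        return node
    if "Ref" in node:
        return params[node["Ref"]]
    if "Fn::Sub" in node:
        return node["Fn::Sub"].replace("${AWS::AccountId}", ACCOUNT_ID)
    if "Fn::Join" in node:
        delim, items = node["Fn::Join"]
        return delim.join(resolve(items, params))
    if "Fn::Split" in node:
        delim, source = node["Fn::Split"]
        return resolve(source, params).split(delim)
    raise ValueError(f"unsupported node: {node}")


# The Principal.AWS expression from the answer, in its JSON-equivalent form.
PRINCIPAL_AWS = {"Fn::Split": [",", {"Fn::Join": [",", [
    {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/human-role/PowerUser2"},
    {"Fn::Join": [",", {"Ref": "CicdDeploymentRoleArn"}]},
]]}]}


def principals(cicd_roles):
    """Return the principal ARNs the policy ends up with.

    cicd_roles is the CommaDelimitedList parameter already split into items,
    which is the form Ref returns for that parameter type.
    """
    return resolve(PRINCIPAL_AWS, {"CicdDeploymentRoleArn": cicd_roles})


def invalid_principals(cicd_roles):
    """Items that are not IAM ARNs (e.g. the empty string left by an empty parameter)."""
    return [p for p in principals(cicd_roles) if not p.startswith("arn:aws:iam::")]


if __name__ == "__main__":
    roles = ["arn:aws:iam::222222222222:role/preprod",
             "arn:aws:iam::222222222222:role/prod"]
    print(principals(roles))
    print(invalid_principals([""]))  # empty parameter -> one empty principal
```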