如何使用 CDK Python 创建包含多个语句的 IAM PolicyDocument?
How to create an IAM PolicyDocument with multiple statements using CDK Python?
我正在尝试使用 cdk 中的 python 编写包含多个语句的 IAM PolicyDocument,但我无法在任何地方找到任何示例。
这就是我尝试使用 python 在 CDK 中编写的 YAML 中的内容。
Lambda:
Type: AWS::IAM::Role
Properties:
RoleName:
Fn::Sub: LambdaRole
Policies:
- PolicyName:
Fn::Sub: LambdaPolicy
PolicyDocument:
Version: 2012-10-17
Statement:
- Sid: ADPermissions
Effect: Allow
Action:
- ssm:SendCommand
- ec2:DescribeInstances
- ds:DescribeDirectories
- ssm:GetParameter
- ssm:PutParameter
- ssm:StartAutomationExecution
- dynamodb:Scan
- dynamodb:Query
- sts:AssumeRole
Resource: "*"
- Sid: SQS
Effect: Allow
Action:
- sqs:SendMessage
Resource:"*"
- Sid: CloudWatch
Effect: Allow
Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Resource:"*"
我基于 YAML 编写了以下内容,但它给了我错误。非常感谢对此的任何帮助。
RolePolicy.add_to_policy(
iam.PolicyDocument(
statements = [
iam.PolicyStatement(
effect = iam.Effect.ALLOW,
actions = [
'ssm:SendCommand',
'ec2:DescribeInstances',
'ds:DescribeDirectories',
'ssm:GetParameter',
'ssm:PutParameter',
'ssm:StartAutomationExecution',
'sts:AssumeRole'
],
resources = ['*']
)
]
),
iam.PolicyDocument(
statements = [
iam.PolicyStatement(
effect = iam.Effect.ALLOW,
actions = [
'sqs:SendMessage'
],
resources = ['*']
)
]
),
iam.PolicyDocument(
statements = [
iam.PolicyStatement(
effect = iam.Effect.ALLOW,
actions = [
'logs:CreateLogGroup',
'logs:CreateLogStream',
'logs:PutLogEvents'
],
resources = ['*']
)
]
)
)
那个特定的 API 只接受一个语句,例如
RolePolicy.add_to_policy(
iam.PolicyStatement(
effect = iam.Effect.ALLOW,
actions = [
'ssm:SendCommand',
'ec2:DescribeInstances',
'ds:DescribeDirectories',
'ssm:GetParameter',
'ssm:PutParameter',
'ssm:StartAutomationExecution',
'sts:AssumeRole'
],
resources = ['*']
)
)
假设 RolePolicy 是 PolicyDocument 类型,那么您必须对每个策略多次调用它。
或者,您可以调查其他 API 之一,它允许您一次将整个策略附加到一个角色:https://docs.aws.amazon.com/cdk/api/latest/python/aws_cdk.aws_iam/Role.html#aws_cdk.aws_iam.Role.attach_inline_policy or https://docs.aws.amazon.com/cdk/api/latest/python/aws_cdk.aws_iam/Role.html#aws_cdk.aws_iam.Role.add_managed_policy
这里的结构更像是:
Role.attach_inline_policy(
iam.Policy(self, 'Policy',
statements = [
iam.PolicyStatement(
effect = iam.Effect.ALLOW,
actions = [
'ssm:SendCommand',
'ec2:DescribeInstances',
'ds:DescribeDirectories',
'ssm:GetParameter',
'ssm:PutParameter',
'ssm:StartAutomationExecution',
'sts:AssumeRole'
],
resources = ['*']
),
iam.PolicyStatement(
effect = iam.Effect.ALLOW,
actions = [
'sqs:SendMessage'
],
resources = ['*']
),
iam.PolicyStatement(
effect = iam.Effect.ALLOW,
actions = [
'logs:CreateLogGroup',
'logs:CreateLogStream',
'logs:PutLogEvents'
],
resources = ['*']
)
]
)
)
我正在尝试使用 cdk 中的 python 编写包含多个语句的 IAM PolicyDocument,但我无法在任何地方找到任何示例。
这就是我尝试使用 python 在 CDK 中编写的 YAML 中的内容。
Lambda:
Type: AWS::IAM::Role
Properties:
RoleName:
Fn::Sub: LambdaRole
Policies:
- PolicyName:
Fn::Sub: LambdaPolicy
PolicyDocument:
Version: 2012-10-17
Statement:
- Sid: ADPermissions
Effect: Allow
Action:
- ssm:SendCommand
- ec2:DescribeInstances
- ds:DescribeDirectories
- ssm:GetParameter
- ssm:PutParameter
- ssm:StartAutomationExecution
- dynamodb:Scan
- dynamodb:Query
- sts:AssumeRole
Resource: "*"
- Sid: SQS
Effect: Allow
Action:
- sqs:SendMessage
Resource:"*"
- Sid: CloudWatch
Effect: Allow
Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Resource:"*"
我基于 YAML 编写了以下内容,但它给了我错误。非常感谢对此的任何帮助。
RolePolicy.add_to_policy(
iam.PolicyDocument(
statements = [
iam.PolicyStatement(
effect = iam.Effect.ALLOW,
actions = [
'ssm:SendCommand',
'ec2:DescribeInstances',
'ds:DescribeDirectories',
'ssm:GetParameter',
'ssm:PutParameter',
'ssm:StartAutomationExecution',
'sts:AssumeRole'
],
resources = ['*']
)
]
),
iam.PolicyDocument(
statements = [
iam.PolicyStatement(
effect = iam.Effect.ALLOW,
actions = [
'sqs:SendMessage'
],
resources = ['*']
)
]
),
iam.PolicyDocument(
statements = [
iam.PolicyStatement(
effect = iam.Effect.ALLOW,
actions = [
'logs:CreateLogGroup',
'logs:CreateLogStream',
'logs:PutLogEvents'
],
resources = ['*']
)
]
)
)
那个特定的 API 只接受一个语句,例如
RolePolicy.add_to_policy(
iam.PolicyStatement(
effect = iam.Effect.ALLOW,
actions = [
'ssm:SendCommand',
'ec2:DescribeInstances',
'ds:DescribeDirectories',
'ssm:GetParameter',
'ssm:PutParameter',
'ssm:StartAutomationExecution',
'sts:AssumeRole'
],
resources = ['*']
)
)
假设 RolePolicy 是 PolicyDocument 类型,那么您必须对每个策略多次调用它。
或者,您可以调查其他 API 之一,它允许您一次将整个策略附加到一个角色:https://docs.aws.amazon.com/cdk/api/latest/python/aws_cdk.aws_iam/Role.html#aws_cdk.aws_iam.Role.attach_inline_policy or https://docs.aws.amazon.com/cdk/api/latest/python/aws_cdk.aws_iam/Role.html#aws_cdk.aws_iam.Role.add_managed_policy
这里的结构更像是:
Role.attach_inline_policy(
iam.Policy(self, 'Policy',
statements = [
iam.PolicyStatement(
effect = iam.Effect.ALLOW,
actions = [
'ssm:SendCommand',
'ec2:DescribeInstances',
'ds:DescribeDirectories',
'ssm:GetParameter',
'ssm:PutParameter',
'ssm:StartAutomationExecution',
'sts:AssumeRole'
],
resources = ['*']
),
iam.PolicyStatement(
effect = iam.Effect.ALLOW,
actions = [
'sqs:SendMessage'
],
resources = ['*']
),
iam.PolicyStatement(
effect = iam.Effect.ALLOW,
actions = [
'logs:CreateLogGroup',
'logs:CreateLogStream',
'logs:PutLogEvents'
],
resources = ['*']
)
]
)
)