如何允许 IAM 角色通过 cloudformation 承担另一个 IAM 角色?
how to allow IAM role to assume another IAM role, via cloudformation?
通过 cloudformation 添加一个 IAM 角色,我想在其中添加一个信任策略,这样来自另一个 aws 账户的另一个 IAM 角色 (arn:aws:iam::123456789:role/otherrole) 可以承担我的角色.但我收到错误消息“已禁止字段资源(服务:AmazonIdentityManagement;状态代码:400 .....
AWSTemplateFormatVersion: "2010-09-09"
Resources:
SomeRole:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Resource: arn:aws:iam::123456789:role/otherrole
Action:
- 'sts:AssumeRole'
Path: /
Policies:
...
AssumeRolePolicyDocument没有Resource。应该是 Principal:
AWSTemplateFormatVersion: "2010-09-09"
Resources:
SomeRole:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
AWS: arn:aws:iam::123456789:role/otherrole
Action:
- 'sts:AssumeRole'
Path: /
Policies:
...
通过 cloudformation 添加一个 IAM 角色,我想在其中添加一个信任策略,这样来自另一个 aws 账户的另一个 IAM 角色 (arn:aws:iam::123456789:role/otherrole) 可以承担我的角色.但我收到错误消息“已禁止字段资源(服务:AmazonIdentityManagement;状态代码:400 .....
AWSTemplateFormatVersion: "2010-09-09"
Resources:
SomeRole:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Resource: arn:aws:iam::123456789:role/otherrole
Action:
- 'sts:AssumeRole'
Path: /
Policies:
...
AssumeRolePolicyDocument没有Resource。应该是 Principal:
AWSTemplateFormatVersion: "2010-09-09"
Resources:
SomeRole:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
AWS: arn:aws:iam::123456789:role/otherrole
Action:
- 'sts:AssumeRole'
Path: /
Policies:
...