CFn:使用 !If 将多个 Principals 添加到语句中

CFn: Use !If to add multiple Principals to a statement

我有以下定义 IAM 策略的模板,但该策略不起作用:

      RoleName: 'ABCRole'
      AssumeRolePolicyDocument:
        Statement:
          - Action: ['sts:AssumeRole']
            Effect: Allow
            Principal:
              AWS:
              - 1234567890 # Some AWS account
              - !If
                - !And
                  - !Condition Condition1
                  - !Condition Condition2
                - arn:aws:iam::11111111111111:role/ABCDE_Role # first role
                - arn:aws:iam::22222222222222:role/ABCDE_Role # second role (different account number)
                - !Ref AWS:NoValue

我正在努力实现这一点:当 Condition1Condition2 都为真时,我将能够附加 arn:aws:iam::11111111111111:role/ABCDE_Rolearn:aws:iam::22222222222222:role/ABCDE_Role 作为两个额外的主体。否则,什么也不做——只有 1234567890 作为唯一的主体。

请注意,arn:aws:iam::11111111111111:role/ABCDE_Rolearn:aws:iam::22222222222222:role/ABCDE_Role 只是与 aws 帐户不同,所以也许我可以使用 !Sub 来替换帐号?有点像:

for account in [11111111111111, 22222222222222]:
 !Sub arn:aws:iam::${account}:role/ABCDE_Role 

我应该如何修改上面的模板?提前致谢!

我认为是因为 !If 条件所期望的格式,遵循 aws 的文档,格式为:

!If [condition_name, value_if_true, value_if_false]

如果你检查你的模板,你有四个元素,而不是三个。

此外,伪参数是(双:):

AWS::NoValue

因此,当条件为 True 时添加您需要的两个帐户的可能解决方案可能是尝试添加一个新条件,将您已有的条件 1 和条件 2 与 !And 函数结合起来,如下所示:

Conditions:
  Condition1: your condition
  Condition2: your condition
  ConditionCombined: !And [!Condition Condition1, !Condition Condition2]
Resources:
  Role1:
    Type: AWS::IAM::Role
    Properties: 
      RoleName: 'ABCRole'
      AssumeRolePolicyDocument:
        Statement:
          - Action: ['sts:AssumeRole']
            Effect: Allow
            Principal:
              AWS:
              - 1234567890 # Some AWS account
              - !If
                - ConditionCombined
                - arn:aws:iam::11111111111111:role/ABCDE_Role # first role
                - !Ref AWS::NoValue
              - !If
                - ConditionCombined
                - arn:aws:iam::22222222222222:role/ABCDE_Role # second role (different account number)
                - !Ref AWS::NoValue