使用 AWS-CDK 创建新的 IAM 角色时创建自定义信任策略
Creating a custom trust policy when creating a new IAM role using AWS-CDK
我正在尝试为我通过 AWS-CDK 创建的 IAM 角色创建自定义信任策略。下面是我想要得到的 JSON。不确定“自定义”这个说法是否准确,但它并不是一个新的 iam.ServicePrincipal 类。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXXX:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "XXXXX"
}
}
}
]
}
我已经尝试在我的构建中执行以下操作,但它一直失败并出现以下错误。
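// Trust policy for the role: only account XXXX may assume it, and only when the
// caller also presents the agreed sts:ExternalId (the confused-deputy guard for
// cross-account role assumption; the external ID is a correlation value, not a
// secret, so the account restriction is what actually bounds who can assume).
//
// `assumedBy` expects an IPrincipal. `iam.PolicyDocument.fromJson(...)` returns a
// PolicyDocument, which has no principal fragment — that is what the
// "Cannot read property 'principalJson' of undefined" error in addPrincipals reports.
// Build the principal with the CDK principal classes instead of raw JSON.
const trustedAccountPrincipal = new iam.AccountPrincipal('XXXX').withConditions({
  StringEquals: {
    'sts:ExternalId': 'XXXX',
  },
});

new iam.Role(this, `${kinesisData.iamRole}`, {
  assumedBy: trustedAccountPrincipal,
  description: `${kinesisData.iamDescription}`,
  roleName: `${kinesisData.iamRoleName}`,
  // Permissions the role grants once assumed; unrelated to who may assume it.
  inlinePolicies: {
    kinesisPolicy: kinesisIAMStatement,
    kmsPolicy: kinesisKMS,
  },
});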
下面是我得到的错误:
/home/ubuntu/workspace/Twilio-CDK-EventSink/devops/aws-cdk/node_modules/@aws-cdk/aws-iam/lib/policy-statement.js:141
util_1.mergePrincipal(this.principal, fragment.principalJson);
^
TypeError: Cannot read property 'principalJson' of undefined
at AwsStarStatement.addPrincipals (/home/ubuntu/workspace/Twilio-CDK-EventSink/devops/aws-cdk/node_modules/@aws-cdk/aws-iam/lib/policy-statement.js:141:60)
at createAssumeRolePolicy (/home/ubuntu/workspace/Twilio-CDK-EventSink/devops/aws-cdk/node_modules/@aws-cdk/aws-iam/lib/role.js:317:15)
at new Role (/home/ubuntu/workspace/Twilio-CDK-EventSink/devops/aws-cdk/node_modules/@aws-cdk/aws-iam/lib/role.js:64:33)
at new kinesisSinkBuild (/home/ubuntu/workspace/Twilio-CDK-EventSink/devops/aws-cdk/resources/kinesis_build.js:77:9)
at new MainStack (/home/ubuntu/workspace/Twilio-CDK-EventSink/devops/aws-cdk/lib/aws-cdk-stack.js:18:26)
at Object.<anonymous> (/home/ubuntu/workspace/Twilio-CDK-EventSink/devops/aws-cdk/bin/aws-cdk.js:28:1)
at Module._compile (internal/modules/cjs/loader.js:1085:14)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:1114:10)
at Module.load (internal/modules/cjs/loader.js:950:32)
at Function.Module._load (internal/modules/cjs/loader.js:790:12)
Subprocess exited with error 1
assumedBy 需要的是一个 IPrincipal,而不是 PolicyDocument;用带条件的 Account Principal 来定义信任策略即可:
// Trust policy: only account 123456789012 may assume the role, and only when the
// caller presents the matching sts:ExternalId (the usual confused-deputy guard for
// cross-account roles). The condition narrows the principal; it does not replace it.
assumedBy: new iam.AccountPrincipal('123456789012').withConditions({
StringEquals: {
'sts:ExternalId': 'XXXX',
},
});
我正在尝试为我通过 AWS-CDK 创建的 IAM 角色创建自定义信任策略。下面是我想要得到的 JSON。不确定“自定义”这个说法是否准确,但它并不是一个新的 iam.ServicePrincipal 类。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXXX:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "XXXXX"
}
}
}
]
}
我已经尝试在我的构建中执行以下操作,但它一直失败并出现以下错误。
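// Trust policy for the role: only account XXXX may assume it, and only when the
// caller also presents the agreed sts:ExternalId (the confused-deputy guard for
// cross-account role assumption; the external ID is a correlation value, not a
// secret, so the account restriction is what actually bounds who can assume).
//
// `assumedBy` expects an IPrincipal. `iam.PolicyDocument.fromJson(...)` returns a
// PolicyDocument, which has no principal fragment — that is what the
// "Cannot read property 'principalJson' of undefined" error in addPrincipals reports.
// Build the principal with the CDK principal classes instead of raw JSON.
const trustedAccountPrincipal = new iam.AccountPrincipal('XXXX').withConditions({
  StringEquals: {
    'sts:ExternalId': 'XXXX',
  },
});

new iam.Role(this, `${kinesisData.iamRole}`, {
  assumedBy: trustedAccountPrincipal,
  description: `${kinesisData.iamDescription}`,
  roleName: `${kinesisData.iamRoleName}`,
  // Permissions the role grants once assumed; unrelated to who may assume it.
  inlinePolicies: {
    kinesisPolicy: kinesisIAMStatement,
    kmsPolicy: kinesisKMS,
  },
});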
下面是我得到的错误:
/home/ubuntu/workspace/Twilio-CDK-EventSink/devops/aws-cdk/node_modules/@aws-cdk/aws-iam/lib/policy-statement.js:141
util_1.mergePrincipal(this.principal, fragment.principalJson);
^
TypeError: Cannot read property 'principalJson' of undefined
at AwsStarStatement.addPrincipals (/home/ubuntu/workspace/Twilio-CDK-EventSink/devops/aws-cdk/node_modules/@aws-cdk/aws-iam/lib/policy-statement.js:141:60)
at createAssumeRolePolicy (/home/ubuntu/workspace/Twilio-CDK-EventSink/devops/aws-cdk/node_modules/@aws-cdk/aws-iam/lib/role.js:317:15)
at new Role (/home/ubuntu/workspace/Twilio-CDK-EventSink/devops/aws-cdk/node_modules/@aws-cdk/aws-iam/lib/role.js:64:33)
at new kinesisSinkBuild (/home/ubuntu/workspace/Twilio-CDK-EventSink/devops/aws-cdk/resources/kinesis_build.js:77:9)
at new MainStack (/home/ubuntu/workspace/Twilio-CDK-EventSink/devops/aws-cdk/lib/aws-cdk-stack.js:18:26)
at Object.<anonymous> (/home/ubuntu/workspace/Twilio-CDK-EventSink/devops/aws-cdk/bin/aws-cdk.js:28:1)
at Module._compile (internal/modules/cjs/loader.js:1085:14)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:1114:10)
at Module.load (internal/modules/cjs/loader.js:950:32)
at Function.Module._load (internal/modules/cjs/loader.js:790:12)
Subprocess exited with error 1
assumedBy 需要的是一个 IPrincipal,而不是 PolicyDocument;用带条件的 Account Principal 来定义信任策略即可:
// Trust policy: only account 123456789012 may assume the role, and only when the
// caller presents the matching sts:ExternalId (the usual confused-deputy guard for
// cross-account roles). The condition narrows the principal; it does not replace it.
assumedBy: new iam.AccountPrincipal('123456789012').withConditions({
StringEquals: {
'sts:ExternalId': 'XXXX',
},
});