AWS MalformedPolicyDocument error when calling the CreateRole operation: This policy contains invalid JSON



I'm trying to create an IAM role (and attach a policy to it) using the Python Boto3 SDK, but I keep getting the following error:

An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: This policy contains invalid JSON

Here is how I create the role:

import json
import sys

import boto3
from botocore.exceptions import ClientError

iam = boto3.client('iam')
try:
    with open('IAMPolicy.json') as json_file:
        template = json.load(json_file)
    # str() of a dict gives a Python repr (single quotes), not a JSON string
    template = str(template)
    role = iam.create_role(
        RoleName = iam_role_name,
        AssumeRolePolicyDocument = template,
        Description = iam_role_description
    )
    print(role)
    print('IAM role ' + iam_role_name + ' successfully created.')
except ClientError as e:
    print(e)
    sys.exit('Exiting the system because IAM role creation failed.')

Here is the sample policy I'm trying to create the role with.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutBucketNotification",
                "s3:PutBucketPolicy",
                "s3:CreateBucket",
                "s3:GetBucketPolicy"
            ],
            "Resource": [
                "arn:aws:s3:::*/*",
                "arn:aws:s3:::mybucket1729788"
            ]
        }
    ]
}

According to the IAM managed policy validator in the console, the policy is valid, so I'm not sure what's wrong. Can anyone help?

Your JSON looks invalid. I used this JSON and it worked fine:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::81454804xxxx:user/PowerUserxxxx"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}

More information here: How to use trust policies with IAM roles.

I just tested this trust policy with Java code and it worked fine.

import org.json.simple.JSONObject;
import org.json.simple.parser.JSONParser;
import software.amazon.awssdk.services.iam.model.*;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import java.io.FileReader;

public class CreateRole {
    public static void main(String[] args) {
        final String USAGE = "\n" +
            "Usage:\n" +
            "    CreateRole <rolename> <fileLocation> \n\n" +
            "Where:\n" +
            "    rolename - the name of the role to create. \n\n" +
            "    fileLocation - the location of the JSON document that represents the trust policy. \n\n";
        if (args.length != 2) {
            System.out.println(USAGE);
            System.exit(1);
        }
        String rolename = args[0];
        String fileLocation = args[1];
        // IAM is a global service, so the client is built with the AWS_GLOBAL pseudo-region.
        Region region = Region.AWS_GLOBAL;
        IamClient iam = IamClient.builder()
            .region(region)
            .build();
        String result = createIAMRole(iam, rolename, fileLocation);
        iam.close();
    }

    public static String createIAMRole(IamClient iam, String rolename, String fileLocation) {
        try {
            // Parse the trust policy file and re-serialize it, so the API receives real JSON.
            JSONObject jsonObject = (JSONObject) readJson(fileLocation);
            CreateRoleRequest request = CreateRoleRequest.builder()
                .roleName(rolename)
                .assumeRolePolicyDocument(jsonObject.toJSONString())
                .description("Created using the AWS SDK for Java")
                .build();
            CreateRoleResponse response = iam.createRole(request);
            System.out.println("The ARN of the role is " + response.role().arn());
        } catch (IamException e) {
            System.err.println(e.awsErrorDetails().errorMessage());
            System.exit(1);
        } catch (Exception e) {
            e.printStackTrace();
        }
        return "";
    }

    public static Object readJson(String filename) throws Exception {
        FileReader reader = new FileReader(filename);
        JSONParser jsonParser = new JSONParser();
        return jsonParser.parse(reader);
    }
}

The problem is that you are providing an IAM permissions policy when you should be providing a trust policy for the IAM role at creation time; create_role expects something like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}

Trust policy

A JSON policy document in which you define the principals that you trust to assume the role. A role trust policy is a required resource-based policy that is attached to a role in IAM. The principals that you can specify in the trust policy include users, roles, accounts, and services.

Here is an example:


# json.dumps() produces the JSON string the API expects
assume_role_policy_document = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
})

create_role_response = iam.create_role(
    RoleName = "myrolename",
    AssumeRolePolicyDocument = assume_role_policy_document
)

After creating the role, use attach_role_policy to attach your custom (permissions) policy:

response = iam.attach_role_policy(
    RoleName='myrolename',
    PolicyArn='arn:aws:iam::123456789012:policy/mycustompolicy'
)

Role terms and concepts

How to use trust policies with IAM roles

Creating a role to delegate permissions to an AWS service
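The two failure modes in this thread (a dict turned into a string with str() instead of json.dumps(), and a permissions policy passed where CreateRole wants a trust policy) can both be caught before the API call. The following is an added example, not code from the answers above or from AWS: it builds a trust policy, serializes it correctly, classifies a policy document as trust or permissions with a simple heuristic, and drives the CreateRole call through a constructed offline stand-in for the boto3 client. The sample policy, account number, role names and the optional sts:ExternalId condition are assumptions made for the example.

```python
import json

# Constructed sample (not from any real account): a permissions policy shaped
# like the one in the question. Even as valid JSON it is the wrong document
# for AssumeRolePolicyDocument, because CreateRole expects a trust policy.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:GetBucketPolicy"],
        "Resource": ["arn:aws:s3:::mybucket1729788"],
    }],
}


def build_trust_policy(principal_arn, external_id=None):
    """Trust policy allowing only principal_arn to assume the role.

    A specific user/role ARN is narrower than "arn:aws:iam::<acct>:root", which
    trusts every principal in that account. The sts:ExternalId condition is an
    assumed cross-account hardening, not part of the original answer.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def serialize_policy(policy):
    """IAM wants a JSON string; str(dict) is a single-quoted Python repr."""
    return json.dumps(policy)


def classify_policy(policy):
    """Heuristic: 'trust' if every statement has a Principal and an
    sts:AssumeRole* action, 'permissions' if statements have a Resource but
    no Principal, otherwise 'unknown'."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    kinds = set()
    for stmt in statements:
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        assumes = any(a.lower().startswith("sts:assumerole") for a in actions)
        if "Principal" in stmt and assumes:
            kinds.add("trust")
        elif "Principal" not in stmt and "Resource" in stmt:
            kinds.add("permissions")
        else:
            kinds.add("unknown")
    return kinds.pop() if len(kinds) == 1 else "unknown"


def check_assume_role_document(text):
    """Validate a string before using it as AssumeRolePolicyDocument.
    Returns (ok, reason)."""
    try:
        policy = json.loads(text)
    except ValueError:
        return False, "not valid JSON (str() on a dict instead of json.dumps()?)"
    kind = classify_policy(policy)
    if kind != "trust":
        return False, f"document is a {kind} policy; CreateRole needs a trust policy"
    return True, "ok"


def create_role_with_trust(iam, role_name, trust_policy, description=""):
    """Create the role and return its ARN. `iam` is anything exposing boto3's
    create_role(RoleName=, AssumeRolePolicyDocument=, Description=) call, so a
    real client or the offline FakeIam below can be passed."""
    text = serialize_policy(trust_policy)
    ok, reason = check_assume_role_document(text)
    if not ok:
        raise ValueError(reason)
    resp = iam.create_role(RoleName=role_name, AssumeRolePolicyDocument=text,
                           Description=description)
    return resp["Role"]["Arn"]


class FakeIam:
    """Constructed offline stand-in for the boto3 IAM client."""

    def create_role(self, RoleName, AssumeRolePolicyDocument, Description=""):
        json.loads(AssumeRolePolicyDocument)  # the real API rejects non-JSON too
        return {"Role": {"Arn": f"arn:aws:iam::111122223333:role/{RoleName}"}}


if __name__ == "__main__":
    trust = build_trust_policy("arn:aws:iam::111122223333:role/DeployerRole", "ext-1")
    print(check_assume_role_document(str(PERMISSIONS_POLICY)))       # invalid JSON
    print(check_assume_role_document(serialize_policy(PERMISSIONS_POLICY)))  # wrong kind
    print(create_role_with_trust(FakeIam(), "myrolename", trust))
```

Running it against a real client is the same call with `boto3.client('iam')` in place of `FakeIam()`; the pre-check turns the opaque MalformedPolicyDocument error into a local message that says which of the two mistakes was made. The classifier is deliberately conservative (a statement using a wildcard such as "sts:*" is reported as unknown rather than trusted).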
