我想创建一个具有只读策略(arn:aws:IAM::aws:policy/ReadOnlyAccess(的IAM角色。
为了防止访问所有bucket上的所有对象,我在Cloudformation模板中添加了一个Deny部分:
ReadOnlyAccessRole:
Type: AWS::IAM::Role
Properties:
Path: /
RoleName: read-only-role
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
AWS: !Ref AwsAccount
Action: sts:AssumeRole
- Effect: Deny
Sid: DenyS3GetObject
Action: s3:GetObject
Resource: "arn:aws:s3:::/*"
ManagedPolicyArns:
- "arn:aws:iam::aws:policy/ReadOnlyAccess"
我得到了一个";不正确的PolicyDocument";"拒绝"部分中的错误(资源(。
我已经测试了这些选项:
资源:">
资源:";arn:aws:s3:::/*";
资源:";arn:aws:s3:::前缀bucket*">
你知道这个语法错误吗?
编辑:
来自Cloudformation:的错误
blockquote已禁止字段Resource(服务:AmazonIdentityManagement;状态代码:400;错误代码:MalformedPolicyDocument;请求ID:……;代理:null(
您似乎缺少Policies部分。
试试这样的东西:
AWSTemplateFormatVersion: "2010-09-09"
Resources:
MyTestRole:
Type: AWS::IAM::Role
Properties:
RoleName: read-only-role
AssumeRolePolicyDocument:
Version: "2012-10-17"
- Effect: Allow
Principal:
AWS: !Ref AwsAccount
Action: sts:AssumeRole
Policies:
- PolicyName: EmbeddedInlinePolicy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Deny
Action: s3:GetObject
Resource: '*'
ManagedPolicyArns:
- arn:aws:iam::aws:policy/ReadOnlyAccess