我正在尝试将IAM角色添加到现有模板中,该模板允许从外部源(雪花(对存储桶进行特定访问
RoleNameForAccess:
Type: AWS::IAM::Role
Properties:
RoleName: RoleNameForAccess
Description: A role that allows snowflake to access the bucket
Policies:
- PolicyName: 'SnowflakePolicyRole'
- PolicyDocument:
- Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- s3:PutObject
- s3:GetObject
- s3:GetObjectVersion
- s3:DeleteObject
- s3:DeleteObjectVersion
Resource: arn:aws:s3:::bucket-name/*
- Effect: Allow
Action: s3:ListBucket
Resource: arn:aws:s3:::bucket-name
Condition:
StringLike:
s3:prefix:
- "*"
但它不断抛出错误:
Property PolicyDocument cannot be empty.
如果我在政策文件中使用破折号,我会得到以下错误:
Value of property PolicyDocument must be an object
也许我遗漏了一些语法,但找不到它是什么。
感谢
PolicyName和AssumeRolePolicyDocument丢失。根据此处的用户指南更新。根据您的要求,您可以在以下更新的AssumeRolePolicyDocument部分更改Principal。
RoleNameForAccess:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
AWS:
- arn:aws:iam::111111111111:user/testuser
Action:
- 'sts:AssumeRole'
RoleName: RoleNameForAccess
Description: A role that allows snowflake to access the bucket
Policies:
- PolicyName: SnowflakePolicyRole
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- s3:PutObject
- s3:GetObject
- s3:GetObjectVersion
- s3:DeleteObject
- s3:DeleteObjectVersion
Resource: arn:aws:s3:::bucket-name/*
- Effect: Allow
Action: s3:ListBucket
Resource: arn:aws:s3:::bucket-name
Condition:
StringLike:
s3:prefix:
- "*"
您有一个非常小的错误。您可以有多个策略,因此Policies是一个数组。
RoleNameForAccess:
Type: AWS::IAM::Role
Properties:
RoleName: RoleNameForAccess
Description: A role that allows snowflake to access the bucket
Policies:
- PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- s3:PutObject
- s3:GetObject
- s3:GetObjectVersion
- s3:DeleteObject
- s3:DeleteObjectVersion
Resource: arn:aws:s3:::bucket-name/*
- Effect: Allow
Action: s3:ListBucket
Resource: arn:aws:s3:::bucket-name
Condition:
StringLike:
s3:prefix:
- "*"