如何将两个相同的IAM policy合并为一个,如果它们针对两个不同的资源。其中一个资源有Join和Ref.下面的两个策略可以合并为一个CloudFormation模板吗?
- Effect: Allow
Action:
- "s3:DeleteObject"
- "s3:DeleteObjectTagging"
- "s3:GetObjectAcl"
- "s3:GetObjectTagging"
- "s3:PutObject"
- "s3:PutObjectAcl"
- "s3:PutObjectTagging"
Resource:
!Join
- ''
- - 'arn:aws:s3:::'
- !Ref TestBucketName
- '/*'
- Effect: Allow
Action:
- "s3:DeleteObject"
- "s3:DeleteObjectTagging"
- "s3:GetObjectAcl"
- "s3:GetObjectTagging"
- "s3:PutObject"
- "s3:PutObjectAcl"
- "s3:PutObjectTagging"
Resource: "arn:aws:s3:::SecondTestBucket/Download/*"
您也可以使用!Sub或Fn::Sub来代替下面的Join,以获得清晰的代码。
- Effect: Allow
Action:
- "s3:DeleteObject"
- "s3:DeleteObjectAcl"
- "s3:DeleteObjectTagging"
- "s3:GetObjectAcl"
- "s3:GetObjectTagging"
- "s3:PutObject"
- "s3:PutObjectAcl"
- "s3:PutObjectTagging"
Resource:
- !Sub arn:aws:s3:::${TestBucketName}/*
- "arn:aws:s3:::SecondTestBucket/Download/*"
- Effect: Allow
Action:
- "s3:DeleteObject"
- "s3:DeleteObjectAcl"
- "s3:DeleteObjectTagging"
- "s3:GetObjectAcl"
- "s3:GetObjectTagging"
- "s3:PutObject"
- "s3:PutObjectAcl"
- "s3:PutObjectTagging"
Resource:
- !Join
- ''
- - 'arn:aws:s3:::'
- !Ref TestBucketName
- '/*'
- "arn:aws:s3:::SecondTestBucket/Download/*"
您可以使用!Join或!GetAtt来引用您创建的资源。
注意:!GetAtt只能在您创建的资源可以返回Arn
ExampleS3AccessPolicy:
Type: 'AWS::IAM::ManagedPolicy'
Properties:
Description: example-s3-access-Policy
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- 's3:DeleteObject'
- 's3:GetObject'
- 's3:ListBucket'
- 's3:PutObject'
- 's3:ListMultipartUploadParts'
- 's3:AbortMultipartUpload'
Resource:
- !Join ['',['arn:aws:s3:::', !Ref ExamplePublishedS3, '/*']]
- !Join ['',['arn:aws:s3:::', !Ref ExamplePrivateS3, '/*']]
- !GetAtt ExamplePublishedS3.Arn
- !GetAtt ExamplePublishedS3.Arn
我希望它有帮助