我将IAM角色用于进行一些数据处理的粘合作业,为了完成此任务,我需要扮演执行粘合角色的角色。
例如,在下面的cloudformation模板中,IAM::Policy有权从Dynamo DB表中进行查询,并从s3 bucket中获取Objects。
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Resources:
GlueAccessPolicy:
Type: AWS::IAM::Policy
Properties:
Roles:
- !Ref GlueRole
PolicyName: glue_access_policy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action: 's3:getObject'
Resource:
- 's3_bucket_arn'
- Effect: Allow
Action:
- 'dynamodb:DescribeTable'
- 'dynamodb:Query'
Resource:
- 'dynamo_table_arn'
GlueRole:
Type: 'AWS::IAM::Role'
Properties:
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: 'Allow'
Principal:
Service:
- 'glue.amazonaws.com'
Action:
- 'sts:AssumeRole'
现在,这个问题展示了一个从角色A扮演角色B的例子,切换角色。
因此,我有一个问题,如果,GlueRole假设GlueRole是否可能或有效
由于角色本身没有限制,并且文档声明了以下
授予用户承担角色权限的策略必须包括对以下内容具有允许效果的语句:
- sts:AsseumeRole操作
- Resource元素中角色的Amazon资源名称(ARN(
将此策略添加到CloudFormation模板上的AWS::IAM::Policy资源非常简单。
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Resources:
GlueAccessPolicy:
Type: AWS::IAM::Policy
Properties:
Roles:
- !Ref GlueRole
PolicyName: glue_access_policy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action: 'sts:AssumeRole'
Resource: !GetAtt GlueRole.Arn
GlueRole:
Type: 'AWS::IAM::Role'
Properties:
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: 'Allow'
Principal:
Service:
- 'glue.amazonaws.com'
Action:
- 'sts:AssumeRole'