Using AWS::Region in a policy resource



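I am trying to dynamically change the S3 resource name based on the current CloudFormation stack region. The CloudFormation stack updates without any errors. Am I doing something wrong? I expect {AWS::Region} in the policy to resolve to us-east-1.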

Version: 2012-10-17
Statement:
  - Sid: RestrictS3Access
    Effect: Allow
    Action:
      - 's3:GetObject'
    Resource:
      - !Sub "arn:aws:s3:::dnsa-${AWS::Region}test/${cognito-identity.amazonaws.com:sub}"
      - !Sub "arn:aws:s3:::dnsa-${AWS::Region}test/${cognito-identity.amazonaws.com:sub}/*"

I expect to see the policy as shown below. I am checking the result from the AWS console.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::dnsa-us-east-1/${cognito-identity.amazonaws.com:sub}",
        "arn:aws:s3:::dnsa-us-east-1/${cognito-identity.amazonaws.com:sub}/*"
      ],
      "Effect": "Allow",
      "Sid": "RestrictS3Access"
    }
  ]
}

If you want ${cognito-identity.amazonaws.com:sub} to stay unchanged, you need to escape it using ${!}.

Version: 2012-10-17
Statement:
  - Sid: RestrictS3Access
    Effect: Allow
    Action:
      - 's3:GetObject'
    Resource:
      - !Sub "arn:aws:s3:::dnsa-${AWS::Region}test/${!cognito-identity.amazonaws.com:sub}"
      - !Sub "arn:aws:s3:::dnsa-${AWS::Region}test/${!cognito-identity.amazonaws.com:sub}/*"
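The following is an added example, not code from the original question or answer: a small pre-deploy check that flags IAM policy variables left unescaped inside `!Sub` strings, plus a simplified model of the `${!...}` escape. The function names, the regular expressions, and the `render_sub` model are assumptions made for illustration; the two sample strings are the ones from the question and the answer.

```python
import re

# Matches every ${...} placeholder inside an Fn::Sub string.
PLACEHOLDER = re.compile(r"\$\{([^}]*)\}")
# IAM policy variables look like "prefix:key" with a single colon, e.g.
# aws:username or cognito-identity.amazonaws.com:sub. CloudFormation
# pseudo parameters use a double colon (AWS::Region) and do not match.
POLICY_VAR = re.compile(r"^[A-Za-z0-9.\-]+:[A-Za-z0-9/_.\-]+$")

# Sample inputs taken from the question and from the answer on this page.
QUESTION_RESOURCE = "arn:aws:s3:::dnsa-${AWS::Region}test/${cognito-identity.amazonaws.com:sub}"
ANSWER_RESOURCE = "arn:aws:s3:::dnsa-${AWS::Region}test/${!cognito-identity.amazonaws.com:sub}"


def unescaped_policy_vars(sub_string):
    """Return placeholders that look like IAM policy variables but lack '!'."""
    found = []
    for match in PLACEHOLDER.finditer(sub_string):
        name = match.group(1)
        if name.startswith("!"):
            continue  # already escaped as ${!...}
        if POLICY_VAR.match(name):
            found.append(name)
    return found


def render_sub(sub_string, values):
    """Simplified model of Fn::Sub (an assumption, not CloudFormation code):
    ${!X} becomes the literal ${X}; ${Name} is looked up in `values`,
    and an unknown name raises KeyError."""
    def replace(match):
        name = match.group(1)
        if name.startswith("!"):
            return "${" + name[1:] + "}"
        return values[name]
    return PLACEHOLDER.sub(replace, sub_string)


if __name__ == "__main__":
    for label, text in (("question", QUESTION_RESOURCE), ("answer", ANSWER_RESOURCE)):
        print(label, "unescaped policy variables:", unescaped_policy_vars(text))
    print(render_sub(ANSWER_RESOURCE, {"AWS::Region": "us-east-1"}))
```

Running the check over every `!Sub` string in a template before deployment catches a per-identity prefix such as `${cognito-identity.amazonaws.com:sub}` that would otherwise not reach IAM as a policy variable.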
