我在云形式中创建IAM策略有问题。但是当我运行时,我会发现需要组,角色,用户的错误:
这是我的代码:
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "AWS CloudFormation Template IAM Groups and Policies",
"Resources": {
"PolicyAutoScalingLimitedOperation": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "AutoScaling-Limited-Operation",
"PolicyDocument": {
"Statement": [{
"Effect": "Allow",
"Action": [
"dynamodb:*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"cloudwatch:PutMetricData"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"xray:PutTraceSegments",
"xray:PutTelemetryRecords"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*",
"s3:PutObject"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"logs:PutLogEvents",
"logs:CreateLogStream"
],
"Resource": "arn:aws:logs:*:*:log-group:/aws/elasticbeanstalk*"
},
{
"Effect": "Allow",
"Action": [
"kms:ListAliases",
"kms:ListKeys",
"kms:Encrypt",
"kms:Decrypt"
],
"Resource": "*"
}
]
}
}
}
}
}
现在,当我运行时,我会得到:
At least one of [Groups,Roles,Users] must be non-empty.
这是否意味着我不能在不添加用户/角色的情况下创建策略?
如果您只想要独立的策略,则可能要创建AWS::IAM::ManagedPolicy。
http://docs.aws.amazon.com/awscloudformation/latest/userguide/aws-resource-iam-managedpolicy.html
来自文档:
aws :: iam :: ManagedPolicy创建AWS身份和访问管理 (IAM)您的AWS帐户的托管政策,您可以使用它来申请 授予IAM用户,组和角色的权限。
这是一个示例:
Resources:
CreateTestDBPolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
Description: "Policy for creating a test database"
Path: "/"
PolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Action: "rds:CreateDBInstance"
Resource: "*"
这将解决您的问题。