This is the role I am currently using; it was created through the IAM console.
Then I tried to create another role with the same permissions using CloudFormation, following the tutorial below.
https://blog.petej.org/2020/01/04/infrastructure-as-code-with-aws-lambda-and-api-gateway/
However, after the role was created, I found that all of its policies were inline policies.
Is there any difference in permissions compared with my current role?
I used Role.json as the template for the stack.
Role.json

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "LambdaRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "hello-world-Admin",
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{
            "Effect": "Allow",
            "Principal": {
              "Service": ["lambda.amazonaws.com"]
            },
            "Action": ["sts:AssumeRole"]
          }]
        },
        "Path": "/",
        "Policies": [{
          "PolicyName": "AWSLambdaBasicExecutionRole",
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
              "Effect": "Allow",
              "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
              ],
              "Resource": "*"
            }]
          }
        },
        {
          "PolicyName": "AmazonS3GetObject",
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
              "Effect": "Allow",
              "Action": "s3:GetObject",
              "Resource": [
                "arn:aws:s3:::pj-lambda-functions/",
                "arn:aws:s3:::pj-lambda-functions/*"
              ]
            }]
          }
        },
        {
          "PolicyName": "AmazonS3FullAccess",
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
              "Effect": "Allow",
              "Action": "s3:*",
              "Resource": "*"
            }]
          }
        },
        {
          "PolicyName": "AmazonDynamoDBFullAccess",
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Action": [
                  "dynamodb:*",
                  "dax:*",
                  "application-autoscaling:DeleteScalingPolicy",
                  "application-autoscaling:DeregisterScalableTarget",
                  "application-autoscaling:DescribeScalableTargets",
                  "application-autoscaling:DescribeScalingActivities",
                  "application-autoscaling:DescribeScalingPolicies",
                  "application-autoscaling:PutScalingPolicy",
                  "application-autoscaling:RegisterScalableTarget",
                  "cloudwatch:DeleteAlarms",
                  "cloudwatch:DescribeAlarmHistory",
                  "cloudwatch:DescribeAlarms",
                  "cloudwatch:DescribeAlarmsForMetric",
                  "cloudwatch:GetMetricStatistics",
                  "cloudwatch:ListMetrics",
                  "cloudwatch:PutMetricAlarm",
                  "datapipeline:ActivatePipeline",
                  "datapipeline:CreatePipeline",
                  "datapipeline:DeletePipeline",
                  "datapipeline:DescribeObjects",
                  "datapipeline:DescribePipelines",
                  "datapipeline:GetPipelineDefinition",
                  "datapipeline:ListPipelines",
                  "datapipeline:PutPipelineDefinition",
                  "datapipeline:QueryObjects",
                  "ec2:DescribeVpcs",
                  "ec2:DescribeSubnets",
                  "ec2:DescribeSecurityGroups",
                  "iam:GetRole",
                  "iam:ListRoles",
                  "kms:DescribeKey",
                  "kms:ListAliases",
                  "sns:CreateTopic",
                  "sns:DeleteTopic",
                  "sns:ListSubscriptions",
                  "sns:ListSubscriptionsByTopic",
                  "sns:ListTopics",
                  "sns:Subscribe",
                  "sns:Unsubscribe",
                  "sns:SetTopicAttributes",
                  "lambda:CreateFunction",
                  "lambda:ListFunctions",
                  "lambda:ListEventSourceMappings",
                  "lambda:CreateEventSourceMapping",
                  "lambda:DeleteEventSourceMapping",
                  "lambda:GetFunctionConfiguration",
                  "lambda:DeleteFunction",
                  "resource-groups:ListGroups",
                  "resource-groups:ListGroupResources",
                  "resource-groups:GetGroup",
                  "resource-groups:GetGroupQuery",
                  "resource-groups:DeleteGroup",
                  "resource-groups:CreateGroup",
                  "tag:GetResources"
                ],
                "Effect": "Allow",
                "Resource": "*"
              },
              {
                "Action": "cloudwatch:GetInsightRuleReport",
                "Effect": "Allow",
                "Resource": "arn:aws:cloudwatch:*:*:insight-rule/DynamoDBContributorInsights*"
              },
              {
                "Action": [
                  "iam:PassRole"
                ],
                "Effect": "Allow",
                "Resource": "*",
                "Condition": {
                  "StringLike": {
                    "iam:PassedToService": [
                      "application-autoscaling.amazonaws.com",
                      "dax.amazonaws.com"
                    ]
                  }
                }
              },
              {
                "Effect": "Allow",
                "Action": [
                  "iam:CreateServiceLinkedRole"
                ],
                "Resource": "*",
                "Condition": {
                  "StringEquals": {
                    "iam:AWSServiceName": [
                      "replication.dynamodb.amazonaws.com",
                      "dax.amazonaws.com",
                      "dynamodb.application-autoscaling.amazonaws.com",
                      "contributorinsights.dynamodb.amazonaws.com"
                    ]
                  }
                }
              }
            ]
          }
        },
        {
          "PolicyName": "CognitoUserPoolsManagement",
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "cognito-idp:ListUsers",
                "Resource": "*"
              }
            ]
          }
        },
        {
          "PolicyName": "DynamoDBWriteAccess",
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                  "dynamodb:PutItem",
                  "dynamodb:DeleteItem",
                  "dynamodb:GetItem",
                  "dynamodb:Scan",
                  "dynamodb:UpdateItem"
                ],
                "Resource": "arn:aws:dynamodb:us-east-1:063575524122:table/test_users"
              }
            ]
          }
        },
        {
          "PolicyName": "hello-world-s3-policy",
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                  "s3:PutObject",
                  "s3:GetObject",
                  "s3:PutObjectAcl"
                ],
                "Resource": "arn:aws:s3:::kwai-tsing-dev/*"
              }
            ]
          }
        }]
      }
    },
    "ApiGatewayRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "kwai-tsing-api-for-lambda",
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{
            "Effect": "Allow",
            "Principal": {
              "Service": ["apigateway.amazonaws.com"]
            },
            "Action": ["sts:AssumeRole"]
          }]
        },
        "Policies": [{
          "PolicyName": "AWSApiGateWay",
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
              "Effect": "Allow",
              "Action": "lambda:InvokeFunction",
              "Resource": "*"
            }]
          }
        },
        {
          "PolicyName": "ApiGatewayFullAccess",
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
              "Effect": "Allow",
              "Action": [
                "apigateway:*"
              ],
              "Resource": "*"
            }]
          }
        }]
      }
    },
    "MyRestApi": {
      "Type": "AWS::ApiGateway::RestApi",
      "Properties": {
        "Body": {
          "OpenAPI specification": null
        },
        "Description": "A test API",
        "Name": "MyRestAPI"
      }
    }
  }
}
```
On a separate note, I would like to ask the following questions, since I am a beginner with AWS CloudFormation.
1. What is the most popular choice for managing stacks: creating them through the CLI or directly in the CloudFormation console?
2. How do I decide what goes into a template? For example, if I use API Gateway, Lambda and DynamoDB together, should I create 3 separate template files, or a single file that contains everything?
Posted on 2020-10-27 21:04:00
If you do not want to use inline policies, then you must first create an AWS::IAM::ManagedPolicy and then reference it in your role's ManagedPolicyArns.

> Is there any difference in permissions compared with my current role?

No, there is not. The benefit of managed policies is that you can create one managed policy and reference it in multiple roles, users or groups. Inline policies, however, always have to be duplicated, which makes management harder.

> 1. What is the most popular choice for managing stacks: creating them through the CLI or directly in the CloudFormation console?

It depends on your use case. There is no single right answer that fits every possible situation. But if you want to go fully IaC, you should avoid console deployments and keep everything as code under source control, including the deployment process/scripts.

> 2. How do I decide what goes into a template? For example, if I use API Gateway, Lambda and DynamoDB together, should I create three separate template files, or a single file that contains everything?

Again, it depends. If they are part of the same application, I would keep them in one template. That way, with a single deployment you can create the entire application stack, and likewise when you tear it down. But if they are completely unrelated to each other, I would keep them separate, which gives you more room and freedom to modify them.
Posted on 2020-10-27 21:09:59
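The following is an added example, not code from the question, the tutorial or either answer. It shows the refactor the first answer describes: the shared CloudWatch Logs permission becomes one `AWS::IAM::ManagedPolicy` that two Lambda roles reference through `ManagedPolicyArns` (`Ref` on a managed policy returns its ARN), while the permission specific to a single role stays inline and scoped to one table. It also includes a small audit that walks any template and reports, per role, the inline policies, the number of managed-policy references, and inline `Allow` statements that pair a wildcard action with `Resource: "*"` (the question's template carries such a statement in its inline `AmazonS3FullAccess` policy). All resource names (`SharedLambdaLogging`, `HelloWorldRole`, `ReportRole`) and the `REGION`/`ACCOUNT_ID`/`TABLE_NAME` placeholders are made up.

```python
"""Added example: one AWS::IAM::ManagedPolicy shared via ManagedPolicyArns, plus an audit
of inline policies and wildcard grants. Resource names are illustrative, not from the page."""
import json
from typing import Any, Dict, List


def _as_list(value: Any) -> List[Any]:
    """IAM lets Statement/Action/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy(service: str) -> dict:
    """AssumeRolePolicyDocument that lets one AWS service principal assume the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": [service]}, "Action": ["sts:AssumeRole"]}]}


def build_template() -> dict:
    """Template where both roles reference one managed policy; only the table-scoped
    permission that belongs to a single role stays inline."""
    logging_document = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
        "Resource": "*"}]}
    shared_arn = {"Ref": "SharedLambdaLogging"}  # Ref on a ManagedPolicy yields its ARN
    return {"AWSTemplateFormatVersion": "2010-09-09", "Resources": {
        "SharedLambdaLogging": {
            "Type": "AWS::IAM::ManagedPolicy",
            "Properties": {"Description": "CloudWatch Logs access shared by Lambda roles (example)",
                           "PolicyDocument": logging_document}},
        "HelloWorldRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": trust_policy("lambda.amazonaws.com"),
                "ManagedPolicyArns": [shared_arn],
                "Policies": [{"PolicyName": "DynamoDBWriteAccess", "PolicyDocument": {
                    "Version": "2012-10-17", "Statement": [{
                        "Effect": "Allow",
                        "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:UpdateItem"],
                        # Placeholder ARN: substitute the real table ARN when deploying.
                        "Resource": "arn:aws:dynamodb:REGION:ACCOUNT_ID:table/TABLE_NAME"}]}}]}},
        "ReportRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {"AssumeRolePolicyDocument": trust_policy("lambda.amazonaws.com"),
                           "ManagedPolicyArns": [shared_arn]}}}}


def audit_roles(template: dict) -> Dict[str, dict]:
    """Per AWS::IAM::Role: inline policy names, count of managed-policy references, and inline
    Allow statements that combine a wildcard action ('*' or 'service:*') with Resource '*'."""
    report: Dict[str, dict] = {}
    for name, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::IAM::Role":
            continue
        props = resource.get("Properties", {})
        inline = props.get("Policies", [])
        wildcard = []
        for policy in inline:
            for stmt in _as_list(policy["PolicyDocument"].get("Statement")):
                if stmt.get("Effect") != "Allow":
                    continue
                actions = _as_list(stmt.get("Action"))
                if "*" in _as_list(stmt.get("Resource")) and any(
                        a == "*" or a.endswith(":*") for a in actions):
                    wildcard.append((policy["PolicyName"], actions))
        report[name] = {
            "inline_policies": [p["PolicyName"] for p in inline],
            "managed_policy_refs": len(props.get("ManagedPolicyArns", [])),
            "wildcard_allows": wildcard,
        }
    return report


# Constructed mini-template in the style of the question: one role, inline 's3:*' on '*'.
INLINE_STYLE_TEMPLATE = {"AWSTemplateFormatVersion": "2010-09-09", "Resources": {
    "LambdaRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": trust_policy("lambda.amazonaws.com"),
        "Policies": [{"PolicyName": "AmazonS3FullAccess", "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}}]}}}}


if __name__ == "__main__":
    print(json.dumps(build_template(), indent=2))  # deployable template body
    for label, tpl in (("inline-style", INLINE_STYLE_TEMPLATE), ("managed-policy", build_template())):
        print(label, json.dumps(audit_roles(tpl), indent=2))
```

Running the script prints the refactored template (ready to pass to `aws cloudformation deploy` once the placeholder ARN is replaced) and then the two audit reports: the inline-style template is flagged for `("AmazonS3FullAccess", ["s3:*"])`, while in the managed-policy template both roles show one managed-policy reference and no wildcard grants. The audit looks only at inline `Policies`, which is exactly the material that has to be copied from role to role; a statement that lives in a managed policy is reviewed once and inherited everywhere it is referenced.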
The answer is yes, because the first role you created uses the Amazon Web Services managed policy AdministratorAccess; if you have an inline policy that allows the same permissions, then there is no difference.
https://stackoverflow.com/questions/64554899