嗨,我正在研究AWS CDK。我正在尝试制定政策。下面是我的代码。
MWSECSServiceRole = iam.Role(self, 'MWSECSServiceRole',
assumed_by=iam.ServicePrincipal('ecs.amazonaws.com'))
MWSECSServiceRole.add_to_policy(iam.PolicyStatement(
effect=iam.Effect.ALLOW,
resources=["arn:aws:elasticloadbalancing:*:{AccountId}:loadbalancer/app/mws-*","arn:aws:elasticloadbalancing:*:{AccountId}:listener-rule/app/mws-*","arn:aws:elasticloadbalancing:*:{AccountId}:listener/app/mws-*","arn:aws:elasticloadbalancing:*:{AccountId}:targetgroup/mws-*"],
actions=["elasticloadbalancing:DeregisterInstancesFromLoadBalancer","elasticloadbalancing:DeregisterTargets","elasticloadbalancing:RegisterInstancesWithLoadBalancer","elasticloadbalancing:RegisterTargets"]
))
MWSECSServiceRole.add_to_policy(iam.PolicyStatement(
effect=iam.Effect.ALLOW,
resources=["*"],
actions=["ec2:AuthorizeSecurityGroupIngress","ec2:Describe*","elasticloadbalancing:Describe*"]
))
它将在云层下方生成模板。
MWSECSServiceRoleDefaultPolicyD5E258B0:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action:
- elasticloadbalancing:DeregisterInstancesFromLoadBalancer
- elasticloadbalancing:DeregisterTargets
- elasticloadbalancing:RegisterInstancesWithLoadBalancer
- elasticloadbalancing:RegisterTargets
Effect: Allow
Resource:
- arn:aws:elasticloadbalancing:*:{AccountId}:loadbalancer/app/mws-*
- arn:aws:elasticloadbalancing:*:{AccountId}:listener-rule/app/mws-*
- arn:aws:elasticloadbalancing:*:{AccountId}:listener/app/mws-*
- arn:aws:elasticloadbalancing:*:{AccountId}:targetgroup/mws-*
- Action:
- ec2:AuthorizeSecurityGroupIngress
- ec2:Describe*
- elasticloadbalancing:Describe*
Effect: Allow
Resource: "*"
Version: "2012-10-17"
PolicyName: MWSECSServiceRoleDefaultPolicyD5E258B0
Roles:
- Ref: MWSECSServiceRole966AC1F9
Metadata:
aws:cdk:path: LocationCdkStack-cdkstack/MWSECSServiceRole/DefaultPolicy/Resource
当我尝试部署时,抛出以下错误。
The policy failed legacy parsing (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: e54462f7-f0bc-4a8c-9ec4-9530125113ec)
有人可以帮我找出这个问题吗?任何帮助,将不胜感激。谢谢
我建议您使用Stack.format_arn
以下命令构建ARN :
my_resource = core.Stack.of(self).format_arn(
service="elasticloadbalancing",
resource="loadbalancer",
resource_name="app/mws-*"
)
另请参阅ARN操作。
另外,您可以连接字符串并使用core.Stack.of(self).account
:
my_resource = "arn:aws:elasticloadbalancing:*:" + core.Stack.of(self).account + ":loadbalancer/app/mws-*"
本文收集自互联网,转载请注明来源。
如有侵权,请联系[email protected] 删除。
我来说两句