gpt4 book ai didi

amazon-web-services - Aws CDK 跳过 IAM 语句更改

转载 作者:行者123 更新时间:2023-12-03 07:16:36 26 4
gpt4 key购买 nike

这是我已经通过策略声明的角色:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sqs:ReceiveMessage",
"sqs:DeleteMessage",
"sqs:GetQueueAttributes",
"sqs:ChangeMessageVisibility",
"sqs:GetQueueUrl"
],
"Resource": "arn:aws:sqs:*:<my-account>:my-prefix-*"
}
]
}

当我手动部署队列和 Lambda(带有触发器)时,一切正常(并且按预期工作)。但是,当我使用 CDK 进行部署时,它会尝试添加一个新的内联策略,该策略看起来完全相同(没有通配符):

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sqs:ReceiveMessage",
"sqs:DeleteMessage",
"sqs:GetQueueAttributes",
"sqs:ChangeMessageVisibility",
"sqs:GetQueueUrl"
],
"Resource": "arn:aws:sqs:eu-west-3:<my-account>:my-prefix-MYRESOURCE-CREATED"
}
]
}

我的问题:

  • 为什么 CDK 没有检测到策略是相同的?
  • 如果按照设计工作,有没有办法不包含 IAM 更改?

我不是指How to skip IAM change confirmation during a cdk deploy?用户想要自动批准的地方。

感谢和问候

最佳答案

我假设您正在将 role 参数传递到 Lambda Function .

如果您不希望 CDK 自动向此角色添加内联策略,您可能需要使用 .without_policy_updates() :

Use the object returned by this method if you want this Role to be used by a construct without it automatically updating the Role’s Policies.

If you do, you are responsible for adding the correct statements to the Role’s policies yourself.

关于amazon-web-services - Aws CDK 跳过 IAM 语句更改,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/63904970/

26 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com