gpt4 book ai didi

amazon-web-services - AWS 删除 CloudFormation 堆栈的权限

转载 作者:行者123 更新时间:2023-12-03 07:18:45 26 4
gpt4 key购买 nike

我有一个 CloudFormation 堆栈,其中包括 EC2 实例、IAM 角色和自动扩展组。这是一个 transient 堆栈,用于在目标 ALB 中执行负载测试。测试完成后(时间有限),将发送结果并且应删除该堆栈。

现在,我使用我的凭据从计算机创建堆栈,尽管我的最终目的是在 CodePipeline 步骤中实现此自动化。

我试图使用 CLI 让堆栈调用他自己的删除:

aws cloudformation delete-stack --stack-name ${AWS::StackName} --region ${AWS::Region}

运行此命令的 EC2 实例(此堆栈的一部分)具有此角色:

 WorkerNodeRole:
Type: AWS::IAM::Role
Properties:
RoleName: LoadTestNodeRole
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
- cloudformation.amazonaws.com
Action: sts:AssumeRole
Policies:
- PolicyName: LoadTestNodeRolePolicy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Resource: '*'
Action: iam:PassRole
- Effect: Allow
Resource: !Sub arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AWS::StackName}/*
Action:
- cloudformation:DeleteStack

我希望这足以删除堆栈,但它提示删除堆栈各个元素的权限。例如:

API: autoscaling:DescribeAutoScalingGroup User: arn:aws:sts::(account):assumed-role/LoadtestNodeRole/(instance) is not authorized to perform: autoscaling:DescribeAutoScalingGroups 

如何授予角色在特定堆栈上执行 cloudformation:DeleteStack 的权限以删除其中包含的所有内容?

例如,由于上述原因,该堆栈无法删除自身:

Description: Autodelete test

Resources:

WorkerNodeRole:
Type: AWS::IAM::Role
Properties:
RoleName: NodeRole
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
- cloudformation.amazonaws.com
Action: sts:AssumeRole
Policies:
- PolicyName: NodeRolePolicy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Resource: '*'
Action: iam:PassRole
- Effect: Allow
Resource: !Sub arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AWS::StackName}/*
Action:
- cloudformation:DeleteStack

WorkerNodeInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: "/"
Roles:
- !Ref WorkerNodeRole

MasterNode:
Type: AWS::EC2::Instance
Properties:
IamInstanceProfile: !Ref WorkerNodeInstanceProfile
ImageId: ami-0be2609ba883822ec
InstanceType: t2.small
UserData:
Fn::Base64:
!Sub
|
#!/bin/bash
aws cloudformation delete-stack --stack-name ${AWS::StackName} --region ${AWS::Region}

最佳答案

总之:要使您的调用删除堆栈调用正常工作,您需要修改堆栈中所有资源(ASG、EC2、IAM + Cloudformation)的策略,在您的情况下是您的 ec2 实例角色。

错误解释:

要删除堆栈,您需要以下权限:

    {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "cloudformation:DeleteStack",
"Resource": "arn:aws:cloudformation:eu-central-1:1234567890:stack/case-test3-stack/53a723c0-f413-11ea-8958"
}
]
}

I have a CloudFormation stack that includes EC2 instances, IAM roles, and an autoscaling group.

因此,所有内容都在一个堆栈中,当您尝试删除堆栈时,Cloudformation 会按顺序从上到下进行操作,除非在堆栈中要删除的所有内容的定义中添加了一些依赖子句。

您无法使用 delete-stack 有选择地删除资源

加上调用删除的实例只有cloudformation堆栈的删除权限,但您的cloudformation堆栈还有ASG和其他资源。因此失败。

就像我创建了这个堆栈

    $ cat minimal-cfn.yml
Resources:
Bucket:
Type: 'AWS::S3::Bucket'
BucketName:
Type: AWS::SSM::Parameter
Properties:
Description: !Sub 'S3 Bucket from stack ${AWS::StackName}'
Name: '/s3bucket/main/bucket-name'
Type: String
Value: !Ref Bucket

正如我上面在策略中提到的,我的角色只有删除堆栈的权限,现在我尝试删除堆栈并收到错误

    $ aws cloudformation delete-stack --stack-name adsadasdasdas

User: arn:aws:sts::1234567890:assumed-role/testrole1/s3-access-example is
not authorized to perform: ssm:DeleteParameter on resource: arn:aws:ssm:eu-central-1:1234567890:parameter/s3bucket/main/bucket-name
(Service: AmazonSSM; Status Code: 400; Error Code: AccessDeniedException; Request ID: 785ba9ad-e1b4-4d4b-aef4-5bea51481a87; Proxy: null)

因为该角色没有删除堆栈内资源的权限。

关于amazon-web-services - AWS 删除 CloudFormation 堆栈的权限,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/65776829/

26 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com