amazon-web-services - Circular dependency between AWS CloudFormation resources

Reposted. Author: 行者123. Updated: 2023-12-03 07:23:49

I am trying to create a SageMaker role, and as trust principals I need the sagemaker service as well as the role itself. The problem is that I get the following error:

An error occurred (ValidationError) when calling the CreateChangeSet operation: Circular dependency between resources: [SagemakerRole]

  SagemakerRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: sagemaker-role
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - sagemaker.amazonaws.com
            Action: 'sts:AssumeRole'
          - Effect: Allow
            Principal:
              AWS:
                - !Ref SagemakerRole
            Action: 'sts:AssumeRole'
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonS3FullAccess
        - arn:aws:iam::aws:policy/AmazonSageMakerFullAccess

I need to somehow pass the following principal: "arn:aws:iam::${AWS::AccountId}:role/sagemaker-role"

Best answer

I think the only way is through a custom resource, in two phases:

  1. Create your role with a "normal" trust policy
  2. Update the role using a custom resource

Below is fully working sample code showing how to do this:


Resources:

  # Phase 1: the role is created with only the SageMaker service as a trusted
  # principal, so nothing in the template refers back to the role itself.
  SagemakerRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: sagemaker-role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'   # quoted so YAML parsers do not read it as a date
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - sagemaker.amazonaws.com
            Action: 'sts:AssumeRole'
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonS3FullAccess
        - arn:aws:iam::aws:policy/AmazonSageMakerFullAccess

  # Execution role for the custom-resource Lambda. The inline policy is scoped
  # to the one role it needs to modify, not to iam:* or Resource: '*'.
  LambdaBasicExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      Path: /
      Policies:
        - PolicyName: UpdateAssumePolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - iam:UpdateAssumeRolePolicy
                  - iam:GetRole
                Resource: !GetAtt SagemakerRole.Arn
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

  # Phase 2: the custom resource runs after the role exists and adds the
  # role's own ARN to its trust policy. !Ref on an IAM role yields its name.
  MyCustomResource:
    Type: Custom::RoleAssumesItself
    Properties:
      ServiceToken: !GetAtt MyCustomFunction.Arn
      RoleName: !Ref SagemakerRole

  MyCustomFunction:
    Type: AWS::Lambda::Function
    Properties:
      Handler: index.lambda_handler
      Timeout: 10
      Role: !GetAtt 'LambdaBasicExecutionRole.Arn'
      Runtime: python3.7
      Code:
        ZipFile: |
          import json
          import cfnresponse
          import boto3

          iam = boto3.resource('iam')

          def lambda_handler(event, context):

              print(json.dumps(event, default=str))

              try:

                  responseData = {}

                  if event['RequestType'] in ["Create"]:

                      role_name = event['ResourceProperties']['RoleName']

                      role = iam.Role(role_name)

                      # boto3 returns the trust policy already decoded to a dict
                      current_permissions = role.assume_role_policy_document

                      print(current_permissions)

                      # add a statement that lets the role assume itself
                      current_permissions['Statement'].append(
                          {'Effect': 'Allow',
                           'Principal':
                               {'AWS': role.arn},
                           'Action': 'sts:AssumeRole'
                          })

                      #print(current_permissions)

                      response = role.AssumeRolePolicy().update(
                          PolicyDocument=json.dumps(current_permissions))

                      print(response)

                      cfnresponse.send(event, context,
                                       cfnresponse.SUCCESS, responseData)

                  else:
                      # Update and Delete are acknowledged without changes so
                      # the stack operation is not blocked
                      print('Unexpected RequestType!')
                      cfnresponse.send(event, context,
                                       cfnresponse.SUCCESS, responseData)

              except Exception as err:

                  print(str(err))
                  responseData = {"Data": str(err)}
                  cfnresponse.send(event,context,
                                   cfnresponse.FAILED,responseData)
                  return
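The handler in the answer appends the self-assume statement unconditionally on Create and ignores Update, so a second Create (for example after a failed rollback and retry) can duplicate the statement and a changed role is never re-patched. The following is an added example, not code from the answer or from AWS, showing an idempotent version of the same trust-policy edit: pure helpers that merge or strip the statement, and a sync function that takes an injected IAM client with the shape of boto3's `get_role` / `update_assume_role_policy` client calls (boto3 returns `AssumeRolePolicyDocument` already decoded to a dict). The `FakeIam` class, the sample trust policy and the role ARN are constructed so the block runs offline.

```python
"""Idempotent self-assume trust-policy editing for a CloudFormation custom resource.

Added example. The helpers are pure functions over the policy-document dict;
sync_trust_policy() is what a Create/Update/Delete handler would call.
"""
import copy
import json

# Constructed sample: the trust policy phase one creates (SageMaker service only).
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"Service": "sagemaker.amazonaws.com"},
         "Action": "sts:AssumeRole"}
    ],
}
SAMPLE_ROLE_ARN = "arn:aws:iam::123456789012:role/sagemaker-role"  # constructed


def _self_statement(role_arn):
    """The single statement we manage: role_arn may assume this role."""
    return {"Effect": "Allow", "Principal": {"AWS": role_arn}, "Action": "sts:AssumeRole"}


def has_self_assume(policy, role_arn):
    """True if any Allow statement already grants role_arn sts:AssumeRole."""
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else None
        principals = aws if isinstance(aws, list) else [aws]
        actions = stmt.get("Action")
        actions = actions if isinstance(actions, list) else [actions]
        if stmt.get("Effect") == "Allow" and role_arn in principals and "sts:AssumeRole" in actions:
            return True
    return False


def add_self_assume(policy, role_arn):
    """Return a copy of policy with the self-assume statement present exactly once."""
    new = copy.deepcopy(policy)
    if not has_self_assume(new, role_arn):
        new.setdefault("Statement", []).append(_self_statement(role_arn))
    return new


def remove_self_assume(policy, role_arn):
    """Return a copy with only the statement this module adds removed (for Delete)."""
    new = copy.deepcopy(policy)
    new["Statement"] = [s for s in new.get("Statement", []) if s != _self_statement(role_arn)]
    return new


def sync_trust_policy(iam, role_name, role_arn, request_type):
    """Reconcile the trust policy for a CloudFormation RequestType.

    `iam` is any object exposing get_role() and update_assume_role_policy()
    with the boto3 IAM client signatures. Returns the document written, or
    None when the role was already in the desired state (no API write).
    """
    current = iam.get_role(RoleName=role_name)["Role"]["AssumeRolePolicyDocument"]
    if request_type in ("Create", "Update"):
        desired = add_self_assume(current, role_arn)
    elif request_type == "Delete":
        desired = remove_self_assume(current, role_arn)
    else:
        raise ValueError(f"unexpected RequestType {request_type!r}")
    if desired == current:
        return None
    iam.update_assume_role_policy(RoleName=role_name, PolicyDocument=json.dumps(desired))
    return desired


class FakeIam:
    """Constructed stand-in for the boto3 IAM client so the flow runs offline."""

    def __init__(self, policy):
        self.policy = copy.deepcopy(policy)
        self.writes = 0

    def get_role(self, RoleName):
        return {"Role": {"RoleName": RoleName,
                         "AssumeRolePolicyDocument": copy.deepcopy(self.policy)}}

    def update_assume_role_policy(self, RoleName, PolicyDocument):
        self.policy = json.loads(PolicyDocument)
        self.writes += 1


def demo():
    """Create, a redundant Update, then Delete; returns statement counts and write counts."""
    iam = FakeIam(SAMPLE_TRUST_POLICY)
    sync_trust_policy(iam, "sagemaker-role", SAMPLE_ROLE_ARN, "Create")
    sync_trust_policy(iam, "sagemaker-role", SAMPLE_ROLE_ARN, "Update")  # already present: no write
    after_create, writes_after_update = len(iam.policy["Statement"]), iam.writes
    sync_trust_policy(iam, "sagemaker-role", SAMPLE_ROLE_ARN, "Delete")
    return after_create, writes_after_update, len(iam.policy["Statement"]), iam.writes


if __name__ == "__main__":
    print(demo())
```

In a real handler the Lambda would pass `boto3.client("iam")` as `iam`, read `RoleName` from `event["ResourceProperties"]` and derive the ARN from `get_role`; on Delete it should treat a `NoSuchEntity` error as success, since CloudFormation may already have removed a role that was not retained, and a failed Delete would otherwise block stack deletion. Keeping the merge logic pure means it can be unit-tested without AWS credentials, and the "no write when nothing changed" branch keeps CloudTrail free of no-op `UpdateAssumeRolePolicy` events.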

On the topic of amazon-web-services - Circular dependency between AWS CloudFormation resources, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/65666033/
