aws-cloudformation - 创建用户后是否有 CloudFormation 上传 SSH_PublicKey 的方法？

Question

我正在尝试创建一个仅使用 CloudFormation 具有 CodeCommit 和 S3 访问权限的 IAM 用户，而且我想添加 SSH_PublicKey，这是我到目前为止所拥有的:

Resources:
  ItS3User:
    DependsOn: ArtifactsBucket
    Type: AWS::IAM::User
    Properties:
      Policies:
      - PolicyName: ItS3Access
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
          - Sid: AllowUserToSeeBucketListInTheConsole
            Action:
            - s3:ListAllMyBuckets
            - s3:GetBucketLocation
            Effect: Allow
            Resource:
            - arn:aws:s3:::*
          - Sid: AllowRootAndUploadsBucket
            Action:
            - s3:ListBucket
            Effect: Allow
            Resource:
            - Fn::Join:
              - ''
              - - 'arn:aws:s3:::'
                - Ref: ArtifactsBucket
            Condition:
              StringEquals:
                s3:prefix:
                - ''
                - it/
                s3:delimiter:
                - '/'
          - Sid: AllowListingOfUploadsFolder
            Action:
            - s3:ListBucket
            Effect: Allow
            Resource:
            - Fn::Join:
              - ''
              - - 'arn:aws:s3:::'
                - Ref: ArtifactsBucket
            Condition:
              StringLike:
                s3:prefix:
                - it/*
          - Sid: AllowAllS3ActionsInUploadsFolder
            Effect: Allow
            Action:
            - s3:PutObject
            - s3:GetObject
            - s3:GetObjectVersion
            Resource:
            - Fn::Join:
              - ''
              - - 'arn:aws:s3:::'
                - Ref: ArtifactsBucket
                - '/it'
                - '/*'

  ItUserAccessKey:
    DependsOn: ItS3User
    Type: AWS::IAM::AccessKey
    Properties:
      UserName:
        Ref: ItS3User


Outputs:
  ItUserAccessKeyID:
    Description: The Access Key for S3 bucket access
    Value:
      Ref: ItUserAccessKey
  ItUserAccessKeySecret:
    Description: The Access Key Secret for S3 bucket access
    Value:
      Fn::GetAtt:
        - ItUserAccessKey
        - SecretAccessKey

根据 https://docs.aws.amazon.com/IAM/latest/APIReference/API_UploadSSHPublicKey.html

Answer 1

您可以创建一个自定义资源来调用 UploadSSHPublicKey 。类似于下面的内容应该可以工作。

不要忘记将 SSHPublicKeyBody 的值更改为您需要的 key 。

Resources:
  UploadSshKeyRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: UploadSSHKey
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Action: iam:UploadSSHPublicKey
                Effect: Allow
                Resource: !Sub ${ItS3User.Arn}
  UploadKeyFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.6
      Handler: index.handler
      Role: !Sub ${UploadSshKeyRole.Arn}
      Timeout: 60
      Code:
        ZipFile: |
          import boto3
          import cfnresponse
          import traceback

          def handler(event, context):
            try:
              response = boto3.client('iam').upload_ssh_public_key(
                  UserName=event['ResourceProperties']['Username'],
                  SSHPublicKeyBody=event['ResourceProperties']['SSHPublicKeyBody'],
              )

              cfnresponse.send(event, context, cfnresponse.SUCCESS, {}, "ok")
            except:
              traceback.print_last()
              cfnresponse.send(event, context, cfnresponse.FAIL, {}, "ok")
  UploadSshKey:
    Type: Custom::UploadSshKey
    Properties:
      ServiceToken: !Sub ${UploadKeyFunction.Arn}
      UserName: !Ref ItS3User
      SSHPublicKeyBody: "XXX INSERT PUBLIC KEY HERE XXX"