amazon-web-services - 如何从 CloudFormation 模板中的相同 AWS 角色承担 AWS 角色？-6ren

amazon-web-services - 如何从 CloudFormation 模板中的相同 AWS 角色承担 AWS 角色？

转载作者：行者123 更新时间：2023-12-03 07:42:01

我正在使用 IAM 角色进行粘合作业，进行一些数据处理，为了完成此任务，我需要承担执行粘合角色的角色。

例如，在以下 cloudformation 模板中，IAM::Policy 有权从 Dynamo DB 表进行查询并从 s3 存储桶获取对象。

AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'

Resources: 

  GlueAccessPolicy:
    Type: AWS::IAM::Policy
    Properties:
      Roles:
        - !Ref GlueRole
      PolicyName: glue_access_policy
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action: 's3:getObject'
            Resource:
              - 's3_bucket_arn'
          - Effect: Allow 
            Action: 
              - 'dynamodb:DescribeTable'
              - 'dynamodb:Query'
            Resource:
              - 'dynamo_table_arn'

  GlueRole: 
    Type: 'AWS::IAM::Role'
    Properties: 
      ManagedPolicyArns: 
        - arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole
      AssumeRolePolicyDocument: 
        Version: 2012-10-17
        Statement: 
          - Effect: 'Allow'
            Principal: 
              Service:
                - 'glue.amazonaws.com'
            Action:
              - 'sts:AssumeRole'

现在，这个 question说明了从角色 A 承担角色 B 并切换角色的示例。

所以，我有一个问题:GlueRole 是否可能或有效地承担 GlueRole ？

最佳答案

由于角色扮演本身没有限制，并且 docs陈述以下内容

A policy that grants a user permission to assume a role must include a statement with the Allow effect on the following:

The sts:AssumeRole action

The Amazon Resource Name (ARN) of the role in a Resource element

将此策略添加到 CloudFormation 模板上的 AWS::IAM::Policy 资源非常简单。

AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'

Resources: 

  GlueAccessPolicy:
    Type: AWS::IAM::Policy
    Properties:
      Roles:
        - !Ref GlueRole
      PolicyName: glue_access_policy
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action: 'sts:AssumeRole'
            Resource: !GetAtt GlueRole.Arn

  GlueRole: 
    Type: 'AWS::IAM::Role'
    Properties: 
      ManagedPolicyArns: 
        - arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole
      AssumeRolePolicyDocument: 
        Version: 2012-10-17
        Statement: 
          - Effect: 'Allow'
            Principal: 
              Service:
                - 'glue.amazonaws.com'
            Action:
              - 'sts:AssumeRole'