java - 如何使用AWS Java SDK中的IAM角色创建云形成？

Question

我对 Amazon cloud formation 很陌生我当前的任务是在 Amazon Cloud Formation 上创建一个堆栈使用Java SDK具有 IAM 角色。在AWS CLI上，我可以通过添加附加参数--profile 来创建亚马逊云结构。我已经在配置文件中创建了一个带有 role-arn 的配置文件，如下面 link 中所述。 .

现在我想使用 Java SDK 实现相同的功能来自AWS。我在 Java 中的 Stack 请求 如下

CreateStackRequest r = new CreateStackRequest();
r.withStackName(getStackName());
r.withParameters(getParameters());
r.withTemplateURL(getTemplate());
r.withCapabilities(getCapabilities());
r.withRoleARN(getArnRole());

我的亚马逊云构建客户端初始化如下

amazonClient=AmazonCloudFormationClientBuilder.standard()
             .withCredentials(new ProfileCredentialsProvider())
             .withRegion(Regions.US_EAST_1)
             .build();

但是我无法创建亚马逊云层，因为它给了我以下错误

Exception in thread "main" com.amazonaws.services.cloudformation.model.AmazonCloudFormationException:
User: arn:aws:iam::xxxxxxx:user/xxxxxxx is not authorized to perform: iam:PassRole
on resource: arn:aws:iam::xxxxx:role/xxxxxxxx (Service: AmazonCloudFormation;
Status Code: 403; Error Code: AccessDenied; Request ID: xxxxxxxxxx)

有人可以告诉我我做错了什么吗？

编辑:

AWS CLI

我已在本地 Windows 系统上安装了 AWS SDK。要在 aws cli 上执行云形成命令，我正在执行以下操作

aws cloudformation create-stack  --stack-name xxxxx
--template-url xxxxxxxx 
--capabilities "CAPABILITY_IAM" --parameters xxxxxx --profile xxxxxxx

模板和参数以 json 格式存储在 s3 存储桶中。当我运行上面的命令行时，我得到以下输出

{
  "StackId": "xxxxxxx"
}

AWS Java SDK

我创建了一个 Java 代码，它将以下内容作为命令行参数

--stack-name xxxxxx--template-url xxxxx 
--capabilities "CAPABILITY_IAM" --parameters xxxxx 
--profile xxxxxx --access-key xxxxxxx --secret-key xxxxxxxx

我的AWS配置文件如下

 [default]
 output = json
 region = us-east-1
 [profile xxxxx]
 role_arn = arn:aws:iam::xxxxxxx:role/xxxxxxxx
 source_profile = default
 region = us-east-1

我的AWS凭证文件如下

 [default]
 aws_access_key_id = xxxxxx
 aws_secret_access_key = xxxxxx
 [profile xxxxxx]
 aws_access_key_id = xxxxxx
 aws_secret_access_key = xxxxxxx

在Amazon云形成客户端初始化中，我尝试了以下操作

 1. amazonClient=AmazonCloudFormationClientBuilder.standard()
             .withCredentials(new ProfileCredentialsProvider())
             .withRegion(Regions.US_EAST_1)
             .build();

 2. BasicAWSCredentials  credentials=new BasicAWSCredentials(accessKey,secretKey); 
   AmazonCloudFormationClientBuilder.standard().withCredentials(new 
   AWSStaticCredentialsProvider(credentials)).build();

在这两个初始化中，我都遇到了相同的错误。

Answer 1

您可以使用 AWS CloudFormation Java API V2 创建新的 Cloud Formation 堆栈。要运行此代码，您必须将模板放入 S3 存储桶中。此外，您还必须设置具有 CloudFormation、S3 和 EC2 权限的 IAM 角色。

以下代码成功创建了一个堆栈。

// snippet-start:[cf.java2.create_stack.import]
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.cloudformation.CloudFormationClient;
import software.amazon.awssdk.services.cloudformation.model.CloudFormationException;
import software.amazon.awssdk.services.cloudformation.model.CreateStackRequest;
import software.amazon.awssdk.services.cloudformation.model.OnFailure;
import software.amazon.awssdk.services.cloudformation.model.CreateStackResponse;
import software.amazon.awssdk.services.cloudformation.model.Parameter;
// snippet-end:[cf.java2.create_stack.import]

/**
 *  To run this example, you must have a valid template that is located in a S3 bucket.
 *  For example:
 *
 *  https://s3.amazonaws.com/mybucket/CloudFormationTemplate.yml
 *
 *  Also, the role that you use must have CloudFormation permissions as well as S3 and EC2 permissions. For more information,
 *  see "Getting started with AWS CloudFormation" in the AWS CloudFormation User Guide.
 *
 */

public class CreateStack {

   public static void main(String[] args) {


        String stackName = "mystack2";
        String roleARN = "arn:aws:iam::<enter ARN Role>";
        String location = "https://s3.amazonaws.com/<BUCKET NAME>/CloudFormationTemplate.yml";

        Region region = Region.US_EAST_1;
        CloudFormationClient cfClient = CloudFormationClient.builder()
                .region(region)
                .build();

        try {
            
            // Ensure you set the correct key name and value
            Parameter myParameter = Parameter.builder()
                    .parameterKey("KeyName")
                    .parameterValue("keypair1")
                    .build();

            CreateStackRequest stackRequest = CreateStackRequest.builder()
                .stackName(stackName)
                .templateURL(location)
                .roleARN(roleARN)
                .onFailure(OnFailure.ROLLBACK)
                .parameters(myParameter)
                .build();

            CreateStackResponse stackResponse = cfClient.createStack(stackRequest);
            System.out.println("The stack Id value is " +stackResponse.stackId());

        } catch (CloudFormationException e) {
            System.err.println(e.getMessage());
            System.exit(1);
        }

    }
}