Jam*_*son 1 amazon-web-services aws-cloudformation amazon-cloudwatch
我正在尝试创建一个按计划触发并执行状态机 (Step Functions) 的 CloudWatch 规则。我正在使用 CloudFormation 来创建它,除了规则使用的 IAM 角色与规则本身的关联之外,一切都很好。这就是我的意思:
注意在“使用现有角色”下它是空白的。
这是处理规则及其作用的 CF 模板部分。
"SFInvoke":{
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": {
"Fn::Sub": "states.${AWS::Region}.amazonaws.com"
}
},
"Action": "sts:AssumeRole"
}
]
},
"Policies": [
{
"PolicyName": "StepFunctionsInvoke",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"states:StartExecution"
],
"Resource": { "Ref" : "StateMachine"}
}
]
}
}
]
}
},
"CloudWatchStateMachineSDCEventRule": {
"Type":"AWS::Events::Rule",
"Properties": {
"Description":"CloudWatch trigger for the InSite Static Data Consumer",
"ScheduleExpression": "rate(5 minutes)",
"State":"ENABLED",
"Targets":[{
"Arn":{ "Ref" : "StateMachine"},
"Id":"StateMachineTargetId",
"RoleArn":{
"Fn::GetAtt": [
"SFInvoke",
"Arn"
]
}
}]
}
},
Run Code Online (Sandbox Code Playgroud)
您希望SFInvoke
角色出现在Use existing role selector
?
如果是这种情况,您需要将 Principal 设置为events
而不是states
。
您正在编辑上面屏幕截图中的事件目标,而不是步进函数。Principal 定义可以承担该角色的服务,在您的情况下是事件服务。
试试这个来创建角色:
"SFInvoke":{
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "events.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"Policies": [
{
"PolicyName": "StepFunctionsInvoke",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"states:StartExecution"
],
"Resource": { "Ref" : "StateMachine"}
}
]
}
}
]
}
}
Run Code Online (Sandbox Code Playgroud)
归档时间: |
|
查看次数: |
1261 次 |
最近记录: |