vkr (2) | tags: aws-cloudformation aws-lambda amazon-kms aws-serverless
I have a CloudFormation template as shown below:
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: gtm platform Lambda application deployment for ElasticCloud
Parameters:
  SystemUserAccount:
    Description: The system user account used to assume the deployment role
    Type: String
    Default: usr-test1
  DeploymentRoleName:
    Description: The deployment role used to deploy the CloudFormation template
    Type: String
    Default: gtm-platform-deployment-role
  GTMPlatformLambdaRoleName:
    Description: The execution role for gtm platform
    Type: String
    Default: gtm-platform-lambda-role
  GTMPlatformKMSKeyAliasName:
    Description: The KMS key alias name for gtm platform
    Type: String
    Default: gtm-platform-kms-key
Resources:
  GTMPlatformLambdaRole:
    Type: AWS::IAM::Role
    DependsOn:
      - GTMPlatformKMSKey
    Properties:
      RoleName: !Ref GTMPlatformLambdaRoleName
      AssumeRolePolicyDocument:
        Version: '2008-10-17'
        Statement:
          - Sid: ''
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/CloudWatchFullAccess
        - arn:aws:iam::aws:policy/AmazonVPCFullAccess
      Policies:
        - PolicyName: GTMPlatformLambdaPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: cloudwatch:*
                Resource: "*"
              - Effect: Allow
                Action:
                  - kms:EnableKeyRotation
                  - kms:EnableKey
                  - kms:ImportKeyMaterial
                  - kms:Decrypt
                  - kms:UntagResource
                  - kms:UpdateKeyDescription
                  - kms:GetKeyPolicy
                  - kms:GenerateDataKeyWithoutPlaintext
                  - kms:CancelKeyDeletion
                  - kms:ListResourceTags
                  - kms:DeleteImportedKeyMaterial
                  - kms:DisableKey
                  - kms:DisableKeyRotation
                  - kms:ListGrants
                  - kms:UpdateAlias
                  - kms:GetParametersForImport
                  - kms:TagResource
                  - kms:Encrypt
                  - kms:GetKeyRotationStatus
                  - kms:ScheduleKeyDeletion
                  - kms:CreateAlias
                  - kms:DescribeKey
                  - kms:DeleteAlias
                Resource: !GetAtt GTMPlatformKMSKey.Arn
              - Effect: Allow
                Action:
                  - kms:GenerateRandom
                  - kms:GenerateDataKey
                  - kms:ReEncryptTo
                  - kms:ReEncryptFrom
                Resource: "*"
  GTMPlatformKMSKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Key used to encrypt/decrypt EBS volumes at rest
      Enabled: true
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Sid: Enable permissions for admin
            Effect: Allow
            Principal:
              AWS: !Join
                - ''
                - - 'arn:aws:iam::'
                  - !Ref 'AWS::AccountId'
                  - ':root'
            Action:
              - 'kms:*'
            Resource: '*'
          - Sid: Allow access for Key Administrators
            Effect: Allow
            Principal:
              AWS:
                - !Sub
                  - 'arn:aws:iam::${accountId}:role/${gtmDeploymentRoleName}'
                  - accountId: !Ref 'AWS::AccountId'
                    gtmDeploymentRoleName: !Ref 'DeploymentRoleName'
            Action:
              - kms:Create*
              - kms:Describe*
              - kms:Enable*
              - kms:List*
              - kms:Put*
              - kms:Update*
              - kms:Revoke*
              - kms:Disable*
              - kms:Get*
              - kms:Delete*
              - kms:TagResource
              - kms:UntagResource
            Resource: "*"
          - Sid: Allow use of the key
            Effect: Allow
            Principal:
              AWS:
                - !Sub
                  - 'arn:aws:iam::${accountId}:role/${gtmPlatformLambdaRoleName}'
                  - accountId: !Ref 'AWS::AccountId'
                    gtmPlatformLambdaRoleName: !Ref 'GTMPlatformLambdaRoleName'
            Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
              - kms:DescribeKey
            Resource: "*"
          - Sid: Allow attachment of persistent resources
            Effect: Allow
            Principal:
              AWS:
                - !Sub
                  - 'arn:aws:iam::${accountId}:role/${gtmPlatformLambdaRoleName}'
                  - accountId: !Ref 'AWS::AccountId'
                    gtmPlatformLambdaRoleName: !Ref 'GTMPlatformLambdaRoleName'
            Action:
              - kms:CreateGrant
              - kms:ListGrants
              - kms:RevokeGrant
            Resource: "*"
            Condition:
              Bool:
                kms:GrantIsForAWSResource: 'true'
  GTMPlatformKMSKeyAlias:
    Type: AWS::KMS::Alias
    DependsOn:
      - GTMPlatformKMSKey
    Properties:
      AliasName: !Join ['/', ['alias', !Ref GTMPlatformKMSKeyAliasName]]
      TargetKeyId: !GetAtt GTMPlatformKMSKey.Arn
```
An error occurs when the GTMPlatformKMSKey resource is created. It fails with CREATE_FAILED and the error message

Policy contains a statement with one or more invalid principals. (Service: AWSKMS; Status Code: 400; Error Code: MalformedPolicyDocumentException; Request ID: 5673456f-b458-45c6-854b-9ed63c737772)

If I remove the Sids "Allow use of the key" and "Allow attachment of persistent resources" from GTMPlatformKMSKey, the template runs fine. Not sure what I am missing here. Any help is much appreciated.
PS - The SystemUserAccount and DeploymentRoleName resources already exist in the environment.
Edit - Reduced the template to only the failing resources, as suggested.
In my case, I was trying to deploy a CdkPipeline stack with multiple account stages. I needed to run cdk bootstrap ${account}/${region} on every account and region that the stack deploys to.

```shell
cdk bootstrap 123456789012/us-west-2
cdk bootstrap 123456789012/us-east-1
cdk bootstrap 987654321098/us-east-1
```
I also had to grant the second account permissions by following this link.
codepipeline

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "codepipeline.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789012:root",
          "arn:aws:iam::987654321098:root"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
Views: 21168