AWS Identity and Access Management template snippets - AWS CloudFormation


This section contains AWS Identity and Access Management template snippets.

Important

When you create or update a stack using a template that contains IAM resources, you must acknowledge the use of IAM capabilities. For more information about using IAM resources in templates, see Controlling CloudFormation access with AWS Identity and Access Management.

Declaring an IAM user resource

This snippet shows how to declare an AWS::IAM::User resource to create an IAM user. The user is declared with a path ("/") and a login profile with the password myP@ssW0rd.

The policy document named giveaccesstoqueueonly gives the user permission to perform all Amazon SQS actions on the Amazon SQS queue resource myqueue, and denies access to all other Amazon SQS queue resources. The Fn::GetAtt function gets the Arn attribute of the AWS::SQS::Queue resource myqueue.

The policy document named giveaccesstotopiconly is added to the user to give the user permission to perform all Amazon SNS actions on the Amazon SNS topic resource mytopic, and to deny access to all other Amazon SNS resources. The Ref function gets the ARN of the AWS::SNS::Topic resource mytopic.

JSON

"myuser" : {
   "Type" : "AWS::IAM::User",
   "Properties" : {
      "Path" : "/",
      "LoginProfile" : {
         "Password" : "myP@ssW0rd"
      },
      "Policies" : [ {
         "PolicyName" : "giveaccesstoqueueonly",
         "PolicyDocument" : {
            "Version": "2012-10-17",
            "Statement" : [ {
               "Effect" : "Allow",
               "Action" : [ "sqs:*" ],
               "Resource" : [ { "Fn::GetAtt" : [ "myqueue", "Arn" ] } ]
            }, {
               "Effect" : "Deny",
               "Action" : [ "sqs:*" ],
               "NotResource" : [ { "Fn::GetAtt" : [ "myqueue", "Arn" ] } ]
            } ]
         }
      }, {
         "PolicyName" : "giveaccesstotopiconly",
         "PolicyDocument" : {
            "Version": "2012-10-17",
            "Statement" : [ {
               "Effect" : "Allow",
               "Action" : [ "sns:*" ],
               "Resource" : [ { "Ref" : "mytopic" } ]
            }, {
               "Effect" : "Deny",
               "Action" : [ "sns:*" ],
               "NotResource" : [ { "Ref" : "mytopic" } ]
            } ]
         }
      } ]
   }
}

YAML

myuser:
  Type: AWS::IAM::User
  Properties:
    Path: "/"
    LoginProfile:
      Password: myP@ssW0rd
    Policies:
      - PolicyName: giveaccesstoqueueonly
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - sqs:*
              Resource:
                - !GetAtt myqueue.Arn
            - Effect: Deny
              Action:
                - sqs:*
              NotResource:
                - !GetAtt myqueue.Arn
      - PolicyName: giveaccesstotopiconly
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - sns:*
              Resource:
                - !Ref mytopic
            - Effect: Deny
              Action:
                - sns:*
              NotResource:
                - !Ref mytopic

Declaring an IAM access key resource

This snippet shows an AWS::IAM::AccessKey resource. The myaccesskey resource creates an access key and assigns it to an IAM user that is declared as an AWS::IAM::User resource in the template.

JSON

"myaccesskey" : {
   "Type" : "AWS::IAM::AccessKey",
   "Properties" : {
      "UserName" : { "Ref" : "myuser" }
   }
}

YAML

myaccesskey:
  Type: AWS::IAM::AccessKey
  Properties:
    UserName: !Ref myuser

You can get the secret key for an AWS::IAM::AccessKey resource using the Fn::GetAtt function. One way to retrieve the key is to put it in an Output value. You can get the access key using the Ref function. The following Output value declarations get the access key and secret key for myaccesskey.

JSON

"AccessKeyformyaccesskey" : {
   "Value" : { "Ref" : "myaccesskey" }
},
"SecretKeyformyaccesskey" : {
   "Value" : { "Fn::GetAtt" : [ "myaccesskey", "SecretAccessKey" ] }
}

YAML

AccessKeyformyaccesskey:
  Value: !Ref myaccesskey
SecretKeyformyaccesskey:
  Value: !GetAtt myaccesskey.SecretAccessKey

You can also pass an AWS access key and secret key to an Amazon EC2 instance or Auto Scaling group that is defined in the template. The following AWS::EC2::Instance declaration uses the UserData property to pass the access key and secret key for the myaccesskey resource.

JSON

"myinstance" : {
   "Type" : "AWS::EC2::Instance",
   "Properties" : {
      "AvailabilityZone" : "us-east-1a",
      "ImageId" : "ami-0ff8a91507f77f867",
      "UserData" : {
         "Fn::Base64" : {
            "Fn::Join" : [ "", [
               "ACCESS_KEY=", { "Ref" : "myaccesskey" },
               "&",
               "SECRET_KEY=", { "Fn::GetAtt" : [ "myaccesskey", "SecretAccessKey" ] }
            ] ]
         }
      }
   }
}

YAML

myinstance:
  Type: AWS::EC2::Instance
  Properties:
    AvailabilityZone: "us-east-1a"
    ImageId: ami-0ff8a91507f77f867
    UserData:
      Fn::Base64: !Sub "ACCESS_KEY=${myaccesskey}&SECRET_KEY=${myaccesskey.SecretAccessKey}"
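The two snippets above put the secret key of myaccesskey into a stack output and into instance user data. The following script is an added example, not code from this page or from AWS: it walks a CloudFormation template (here a constructed dict that mirrors the myuser, myaccesskey, myinstance and Output declarations on this page) and reports every place a long-lived secret ends up in plaintext. The finding texts and the handling of the `!Sub` short form are this example's own choices.

```python
"""Added example (not AWS documentation code): find plaintext credential material
in a CloudFormation template, i.e. a literal LoginProfile password and any
Fn::GetAtt/Fn::Sub that reads an AccessKey's SecretAccessKey into UserData or an Output."""
import re

# Constructed template mirroring the snippets on this page.
TEMPLATE = {
    "Resources": {
        "myuser": {"Type": "AWS::IAM::User",
                   "Properties": {"Path": "/", "LoginProfile": {"Password": "myP@ssW0rd"}}},
        "myaccesskey": {"Type": "AWS::IAM::AccessKey",
                        "Properties": {"UserName": {"Ref": "myuser"}}},
        "myinstance": {"Type": "AWS::EC2::Instance",
                       "Properties": {"UserData": {"Fn::Base64": {"Fn::Join": ["", [
                           "ACCESS_KEY=", {"Ref": "myaccesskey"}, "&",
                           "SECRET_KEY=", {"Fn::GetAtt": ["myaccesskey", "SecretAccessKey"]}]]}}}},
    },
    "Outputs": {
        "AccessKeyformyaccesskey": {"Value": {"Ref": "myaccesskey"}},
        "SecretKeyformyaccesskey": {"Value": {"Fn::GetAtt": ["myaccesskey", "SecretAccessKey"]}},
    },
}

def _walk(node):
    """Yield every nested dict/list element of a parsed template fragment."""
    yield node
    if isinstance(node, dict):
        for v in node.values():
            yield from _walk(v)
    elif isinstance(node, list):
        for v in node:
            yield from _walk(v)

def _secret_refs(node):
    """Logical IDs of AccessKey resources whose SecretAccessKey is read anywhere under node.
    Covers Fn::GetAtt in list form, the 'id.Attr' string form, and ${id.SecretAccessKey} in Fn::Sub."""
    found = set()
    for n in _walk(node):
        if not isinstance(n, dict):
            continue
        target = n.get("Fn::GetAtt")
        if isinstance(target, list) and len(target) == 2 and target[1] == "SecretAccessKey":
            found.add(target[0])
        elif isinstance(target, str) and target.endswith(".SecretAccessKey"):
            found.add(target.split(".")[0])
        sub = n.get("Fn::Sub")
        if sub is not None:
            text = sub if isinstance(sub, str) else sub[0]
            for m in re.finditer(r"\$\{(\w+)\.SecretAccessKey\}", text):
                found.add(m.group(1))
    return found

def find_credential_exposure(template):
    """Return (logical id, description) for each plaintext exposure in the template."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::IAM::User":
            pw = props.get("LoginProfile", {}).get("Password")
            # A literal string is plaintext; a Ref to a NoEcho parameter is a dict, and a
            # {{resolve:secretsmanager:...}} dynamic reference is resolved by CloudFormation.
            if isinstance(pw, str) and not pw.startswith("{{resolve:"):
                findings.append((name, "plaintext console password in LoginProfile"))
        if "UserData" in props:
            for key in sorted(_secret_refs(props["UserData"])):
                findings.append((name, f"secret key of {key} embedded in UserData"))
    for name, out in template.get("Outputs", {}).items():
        for key in sorted(_secret_refs(out)):
            findings.append((name, f"secret key of {key} exposed as stack output"))
    return findings

if __name__ == "__main__":
    for logical_id, what in find_credential_exposure(TEMPLATE):
        print(f"{logical_id}: {what}")
```

Run against the constructed template it reports three findings: the literal password on myuser, the secret key joined into myinstance's UserData, and the secret key in the SecretKeyformyaccesskey output. Both sinks are readable by anyone who can describe the stack (cloudformation:DescribeStacks) or the instance's user data (ec2:DescribeInstanceAttribute), so the key is no longer confined to the user it belongs to; the IAM role and instance profile templates later on this page are the way to give an instance credentials without embedding a long-lived key at all.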

Declaring an IAM group resource

This snippet shows an AWS::IAM::Group resource. The group has a path ("/myapplication/"). The policy document named myapppolicy is added to the group to allow the group's users to perform all Amazon SQS actions on the Amazon SQS queue resource myqueue, and to deny access to all other Amazon SQS resources except myqueue.

To assign a policy to a resource, IAM requires the Amazon Resource Name (ARN) of the resource. In this snippet, the Fn::GetAtt function gets the ARN of the AWS::SQS::Queue resource myqueue.

JSON

"mygroup" : {
   "Type" : "AWS::IAM::Group",
   "Properties" : {
      "Path" : "/myapplication/",
      "Policies" : [ {
         "PolicyName" : "myapppolicy",
         "PolicyDocument" : {
            "Version": "2012-10-17",
            "Statement" : [ {
               "Effect" : "Allow",
               "Action" : [ "sqs:*" ],
               "Resource" : [ { "Fn::GetAtt" : [ "myqueue", "Arn" ] } ]
            }, {
               "Effect" : "Deny",
               "Action" : [ "sqs:*" ],
               "NotResource" : [ { "Fn::GetAtt" : [ "myqueue", "Arn" ] } ]
            } ]
         }
      } ]
   }
}

YAML

mygroup:
  Type: AWS::IAM::Group
  Properties:
    Path: "/myapplication/"
    Policies:
      - PolicyName: myapppolicy
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - sqs:*
              Resource: !GetAtt myqueue.Arn
            - Effect: Deny
              Action:
                - sqs:*
              NotResource: !GetAtt myqueue.Arn
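The user policies (giveaccesstoqueueonly, giveaccesstotopiconly) and the group policy (myapppolicy) above all use the same pattern: an Allow scoped to one ARN and a Deny whose NotResource covers everything else. The evaluator below is an added example, not code from this page or from AWS, that applies IAM's evaluation rules (an explicit Deny wins, otherwise an Allow is needed, otherwise implicit deny) to those documents so you can see what each request resolves to. The resolved queue and topic ARNs are constructed stand-ins for what Fn::GetAtt myqueue.Arn and Ref mytopic return after deployment; conditions are not modelled.

```python
"""Added example (not AWS documentation code): evaluate identity-based policies with
Resource/NotResource and Action/NotAction, applying explicit-deny-wins semantics."""
import re

# Constructed: values that !GetAtt myqueue.Arn and !Ref mytopic would resolve to.
MYQUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:myqueue"
MYTOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:mytopic"

# The giveaccesstoqueueonly / giveaccesstotopiconly documents from the page, with the
# intrinsic functions replaced by the resolved ARNs. myapppolicy is the first document.
USER_POLICIES = [
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["sqs:*"], "Resource": [MYQUEUE_ARN]},
        {"Effect": "Deny", "Action": ["sqs:*"], "NotResource": [MYQUEUE_ARN]},
    ]},
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["sns:*"], "Resource": [MYTOPIC_ARN]},
        {"Effect": "Deny", "Action": ["sns:*"], "NotResource": [MYTOPIC_ARN]},
    ]},
]

def _glob(pattern, value):
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _statement_applies(stmt, action, resource):
    """True if the statement's action and resource elements both cover this request."""
    # Action names are case-insensitive in IAM.
    if "Action" in stmt:
        if not any(_glob(p.lower(), action.lower()) for p in _as_list(stmt["Action"])):
            return False
    elif "NotAction" in stmt:
        if any(_glob(p.lower(), action.lower()) for p in _as_list(stmt["NotAction"])):
            return False
    # A NotResource statement applies to every resource that is NOT listed.
    if "Resource" in stmt:
        if not any(_glob(p, resource) for p in _as_list(stmt["Resource"])):
            return False
    elif "NotResource" in stmt:
        if any(_glob(p, resource) for p in _as_list(stmt["NotResource"])):
            return False
    return True

def evaluate(policies, action, resource):
    """Return 'explicitDeny', 'allow' or 'implicitDeny' for one request
    against all the caller's policy documents."""
    allowed = False
    for doc in policies:
        for stmt in doc["Statement"]:
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicitDeny"          # an explicit deny overrides any allow
            allowed = True
    return "allow" if allowed else "implicitDeny"

if __name__ == "__main__":
    for act, res in [("sqs:SendMessage", MYQUEUE_ARN),
                     ("sqs:SendMessage", "arn:aws:sqs:us-east-1:123456789012:otherqueue"),
                     ("sqs:ListQueues", "*"),
                     ("sns:Publish", MYTOPIC_ARN),
                     ("s3:GetObject", "arn:aws:s3:::myAWSBucket/key")]:
        print(f"{act:18} {res:55} -> {evaluate(USER_POLICIES, act, res)}")
```

Two results are worth noticing. A request for a different queue is an explicit deny rather than an implicit one, so no other policy attached to the user or group can re-grant it. And because the Deny statement covers every resource except myqueue, it also covers requests that carry no queue ARN at all, such as sqs:ListQueues, which is evaluated against "*"; the same pattern in a real account therefore blocks those account-level actions too.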

Adding users to a group

The AWS::IAM::UserToGroupAddition resource adds users to a group. In the following snippet, the addUserToGroup resource adds the following users to an existing group named myexistinggroup2: the existing user existinguser1 and the user myuser, which is declared as an AWS::IAM::User resource in the template.

JSON

"addUserToGroup" : {
   "Type" : "AWS::IAM::UserToGroupAddition",
   "Properties" : {
      "GroupName" : "myexistinggroup2",
      "Users" : [ "existinguser1", { "Ref" : "myuser" } ]
   }
}

YAML

addUserToGroup:
  Type: AWS::IAM::UserToGroupAddition
  Properties:
    GroupName: myexistinggroup2
    Users:
      - existinguser1
      - !Ref myuser

Declaring an IAM policy

This snippet shows how to create a policy and apply it to multiple groups using an AWS::IAM::Policy resource named mypolicy. The mypolicy resource contains a PolicyDocument property that allows the GetObject, PutObject, and PutObjectAcl actions on the objects in the S3 bucket represented by the ARN arn:aws:s3:::myAWSBucket. The mypolicy resource applies the policy to an existing group named myexistinggroup1 and to the group mygroup that is declared in the template as an AWS::IAM::Group resource. This example shows how to apply a policy to groups using the Groups property; you can instead use the Users property to add the policy document to a list of users.

Important

The Amazon SNS policy actions that are declared in an AWS::IAM::Policy resource differ from the Amazon SNS topic policy actions that are declared in an AWS::SNS::TopicPolicy resource. For example, the policy actions sns:Unsubscribe and sns:SetSubscriptionAttributes are valid for an AWS::IAM::Policy resource, but are not valid for an AWS::SNS::TopicPolicy resource. For more information about valid Amazon SNS policy actions that you can use with an AWS::IAM::Policy resource, see Special information for Amazon SNS policies in the Amazon Simple Notification Service Developer Guide.

JSON

"mypolicy" : {
   "Type" : "AWS::IAM::Policy",
   "Properties" : {
      "PolicyName" : "mygrouppolicy",
      "PolicyDocument" : {
         "Version": "2012-10-17",
         "Statement" : [ {
            "Effect" : "Allow",
            "Action" : [ "s3:GetObject", "s3:PutObject", "s3:PutObjectAcl" ],
            "Resource" : "arn:aws:s3:::myAWSBucket/*"
         } ]
      },
      "Groups" : [ "myexistinggroup1", { "Ref" : "mygroup" } ]
   }
}

YAML

mypolicy:
  Type: AWS::IAM::Policy
  Properties:
    PolicyName: mygrouppolicy
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Action:
            - s3:GetObject
            - s3:PutObject
            - s3:PutObjectAcl
          Resource: arn:aws:s3:::myAWSBucket/*
    Groups:
      - myexistinggroup1
      - !Ref mygroup

Declaring an Amazon S3 bucket policy

This snippet shows how to create a policy and apply it to an Amazon S3 bucket using the AWS::S3::BucketPolicy resource. The mybucketpolicy resource declares a policy document that allows the user1 IAM user to perform the GetObject action on all objects in the S3 bucket to which this policy is applied. In this snippet, the Fn::GetAtt function gets the ARN of the user1 resource. The mybucketpolicy resource applies this policy to the AWS::S3::Bucket resource mybucket. The Ref function gets the bucket name of the mybucket resource.

JSON

"mybucketpolicy" : {
   "Type" : "AWS::S3::BucketPolicy",
   "Properties" : {
      "PolicyDocument" : {
         "Id" : "MyPolicy",
         "Version": "2012-10-17",
         "Statement" : [ {
            "Sid" : "ReadAccess",
            "Action" : [ "s3:GetObject" ],
            "Effect" : "Allow",
            "Resource" : { "Fn::Join" : [ "", [ "arn:aws:s3:::", { "Ref" : "mybucket" }, "/*" ] ] },
            "Principal" : { "AWS" : { "Fn::GetAtt" : [ "user1", "Arn" ] } }
         } ]
      },
      "Bucket" : { "Ref" : "mybucket" }
   }
}

YAML

mybucketpolicy:
  Type: AWS::S3::BucketPolicy
  Properties:
    PolicyDocument:
      Id: MyPolicy
      Version: '2012-10-17'
      Statement:
        - Sid: ReadAccess
          Action:
            - s3:GetObject
          Effect: Allow
          Resource: !Sub "arn:aws:s3:::${mybucket}/*"
          Principal:
            AWS: !GetAtt user1.Arn
    Bucket: !Ref mybucket

Declaring an Amazon SNS topic policy

This snippet shows how to create a policy and apply it to an Amazon SNS topic using the AWS::SNS::TopicPolicy resource. The mysnspolicy resource contains a PolicyDocument property that allows the AWS::IAM::User resource myuser to perform the Publish action on the AWS::SNS::Topic resource mytopic. In this snippet, the Fn::GetAtt function gets the ARN of the myuser resource, and the Ref function gets the ARN of the mytopic resource.

Important

The Amazon SNS policy actions that are declared in an AWS::IAM::Policy resource differ from the Amazon SNS topic policy actions that are declared in an AWS::SNS::TopicPolicy resource. For example, the policy actions sns:Unsubscribe and sns:SetSubscriptionAttributes are valid for an AWS::IAM::Policy resource, but are not valid for an AWS::SNS::TopicPolicy resource. For more information about valid Amazon SNS policy actions that you can use with an AWS::IAM::Policy resource, see Special information for Amazon SNS policies in the Amazon Simple Notification Service Developer Guide.

JSON

"mysnspolicy" : {
   "Type" : "AWS::SNS::TopicPolicy",
   "Properties" : {
      "PolicyDocument" : {
         "Id" : "MyTopicPolicy",
         "Version" : "2012-10-17",
         "Statement" : [ {
            "Sid" : "My-statement-id",
            "Effect" : "Allow",
            "Principal" : { "AWS" : { "Fn::GetAtt" : [ "myuser", "Arn" ] } },
            "Action" : "sns:Publish",
            "Resource" : "*"
         } ]
      },
      "Topics" : [ { "Ref" : "mytopic" } ]
   }
}

YAML

mysnspolicy:
  Type: AWS::SNS::TopicPolicy
  Properties:
    PolicyDocument:
      Id: MyTopicPolicy
      Version: '2012-10-17'
      Statement:
        - Sid: My-statement-id
          Effect: Allow
          Principal:
            AWS: !GetAtt myuser.Arn
          Action: sns:Publish
          Resource: "*"
    Topics:
      - !Ref mytopic

Declaring an Amazon SQS policy

This snippet shows how to create a policy and apply it to an Amazon SQS queue using the AWS::SQS::QueuePolicy resource. The PolicyDocument property allows the existing user myapp (specified by its ARN) to perform the SendMessage action on an existing queue (specified by its URL) and on the AWS::SQS::Queue resource myqueue. The Ref function gets the URL of the myqueue resource.

JSON

"mysqspolicy" : {
   "Type" : "AWS::SQS::QueuePolicy",
   "Properties" : {
      "PolicyDocument" : {
         "Id" : "MyQueuePolicy",
         "Version" : "2012-10-17",
         "Statement" : [ {
            "Sid" : "Allow-User-SendMessage",
            "Effect" : "Allow",
            "Principal" : { "AWS" : "arn:aws:iam::123456789012:user/myapp" },
            "Action" : [ "sqs:SendMessage" ],
            "Resource" : "*"
         } ]
      },
      "Queues" : [
         "https://sqs.aws-region.amazonaws.com/123456789012/myexistingqueue",
         { "Ref" : "myqueue" }
      ]
   }
}

YAML

mysqspolicy:
  Type: AWS::SQS::QueuePolicy
  Properties:
    PolicyDocument:
      Id: MyQueuePolicy
      Version: '2012-10-17'
      Statement:
        - Sid: Allow-User-SendMessage
          Effect: Allow
          Principal:
            AWS: arn:aws:iam::123456789012:user/myapp
          Action:
            - sqs:SendMessage
          Resource: "*"
    Queues:
      - https://sqs.aws-region.amazonaws.com/123456789012/myexistingqueue
      - !Ref myqueue
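The bucket, topic and queue policies in the three sections above are resource-based: they name a Principal, and the "Resource": "*" in the topic and queue policies is bounded by the Topics or Queues list the policy is attached to, not by every queue in the account. The following is an added example, not code from this page or from AWS, that applies mysqspolicy's PolicyDocument the way SQS does: first check that the request targets a queue the policy is attached to, then match the caller against Principal, the action, and the resource. The URL-to-ARN mapping (including what Ref myqueue resolves to) and the caller ARNs are constructed; conditions, NotPrincipal and account-root principals are not modelled.

```python
"""Added example (not AWS documentation code): evaluate a resource-based SQS queue
policy, including the attachment scoping that bounds a "Resource": "*" statement."""
import re

# Constructed: the two queues mysqspolicy is attached to, as SQS would resolve them.
# The second URL stands in for what !Ref myqueue returns after deployment.
ATTACHED_QUEUES = {
    "https://sqs.us-east-1.amazonaws.com/123456789012/myexistingqueue":
        "arn:aws:sqs:us-east-1:123456789012:myexistingqueue",
    "https://sqs.us-east-1.amazonaws.com/123456789012/myqueue":
        "arn:aws:sqs:us-east-1:123456789012:myqueue",
}

# The PolicyDocument from the mysqspolicy snippet, unchanged.
QUEUE_POLICY = {
    "Id": "MyQueuePolicy", "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Allow-User-SendMessage", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:user/myapp"},
        "Action": ["sqs:SendMessage"], "Resource": "*"}],
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _glob(pattern, value):
    """IAM wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def principal_matches(spec, caller_arn):
    """Principal "*", {"AWS": "*"} or an exact ARN under {"AWS": ...} matches the caller."""
    if spec == "*":
        return True
    return any(p == "*" or p == caller_arn for p in _as_list(spec.get("AWS", [])))

def queue_policy_decision(policy, attached, queue_url, caller_arn, action):
    """'notAttached', 'explicitDeny', 'allow' or 'implicitDeny' for one request on one queue."""
    if queue_url not in attached:
        return "notAttached"                   # the policy is never consulted for this queue
    queue_arn = attached[queue_url]
    allowed = False
    for stmt in policy["Statement"]:
        if not principal_matches(stmt.get("Principal", {}), caller_arn):
            continue
        if not any(_glob(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        # "Resource": "*" can only ever match a queue this policy is attached to.
        if not any(_glob(r, queue_arn) for r in _as_list(stmt.get("Resource", "*"))):
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny"
        allowed = True
    return "allow" if allowed else "implicitDeny"

if __name__ == "__main__":
    myapp = "arn:aws:iam::123456789012:user/myapp"
    for url, who, act in [
        ("https://sqs.us-east-1.amazonaws.com/123456789012/myqueue", myapp, "sqs:SendMessage"),
        ("https://sqs.us-east-1.amazonaws.com/123456789012/myqueue", myapp, "sqs:ReceiveMessage"),
        ("https://sqs.us-east-1.amazonaws.com/123456789012/myqueue",
         "arn:aws:iam::123456789012:user/other", "sqs:SendMessage"),
        ("https://sqs.us-east-1.amazonaws.com/123456789012/unrelated", myapp, "sqs:SendMessage"),
    ]:
        print(url.rsplit("/", 1)[1], who.rsplit("/", 1)[1], act, "->",
              queue_policy_decision(QUEUE_POLICY, ATTACHED_QUEUES, url, who, act))
```

The same reading applies to mysnspolicy and mybucketpolicy: a principal that is not the one named gets an implicit deny from the resource policy, an action other than the one listed gets an implicit deny, and a queue or topic outside the attachment list is never evaluated against this document at all. In this model a Principal of "*" matches every caller, which is the setting to look for when reviewing a resource policy that carries no Condition.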

IAM role template examples

This section provides CloudFormation template examples for IAM roles for EC2 instances.

For more information about IAM roles, see Using roles in the AWS Identity and Access Management User Guide.

IAM role with EC2

In this example, the instance profile is referenced by the IamInstanceProfile property of the EC2 instance. Both the instance policy and the role policy reference the AWS::IAM::Role.

JSON

{
   "AWSTemplateFormatVersion": "2010-09-09",
   "Resources": {
      "myEC2Instance": {
         "Type": "AWS::EC2::Instance",
         "Version": "2009-05-15",
         "Properties": {
            "ImageId": "ami-0ff8a91507f77f867",
            "InstanceType": "m1.small",
            "Monitoring": "true",
            "DisableApiTermination": "false",
            "IamInstanceProfile": { "Ref": "RootInstanceProfile" }
         }
      },
      "RootRole": {
         "Type": "AWS::IAM::Role",
         "Properties": {
            "AssumeRolePolicyDocument": {
               "Version" : "2012-10-17",
               "Statement": [ {
                  "Effect": "Allow",
                  "Principal": { "Service": [ "ec2.amazonaws.com" ] },
                  "Action": [ "sts:AssumeRole" ]
               } ]
            },
            "Path": "/"
         }
      },
      "RolePolicies": {
         "Type": "AWS::IAM::Policy",
         "Properties": {
            "PolicyName": "root",
            "PolicyDocument": {
               "Version" : "2012-10-17",
               "Statement": [ {
                  "Effect": "Allow",
                  "Action": "*",
                  "Resource": "*"
               } ]
            },
            "Roles": [ { "Ref": "RootRole" } ]
         }
      },
      "RootInstanceProfile": {
         "Type": "AWS::IAM::InstanceProfile",
         "Properties": {
            "Path": "/",
            "Roles": [ { "Ref": "RootRole" } ]
         }
      }
   }
}

YAML

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  myEC2Instance:
    Type: AWS::EC2::Instance
    Version: '2009-05-15'
    Properties:
      ImageId: ami-0ff8a91507f77f867
      InstanceType: m1.small
      Monitoring: 'true'
      DisableApiTermination: 'false'
      IamInstanceProfile: !Ref RootInstanceProfile
  RootRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
  RolePolicies:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: root
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: "*"
            Resource: "*"
      Roles:
        - !Ref RootRole
  RootInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
      Roles:
        - !Ref RootRole

IAM role with Auto Scaling group

In this example, the instance profile is referenced by the IamInstanceProfile property of the Auto Scaling group's launch configuration.

JSON

{
   "AWSTemplateFormatVersion": "2010-09-09",
   "Resources": {
      "myLCOne": {
         "Type": "AWS::AutoScaling::LaunchConfiguration",
         "Version": "2009-05-15",
         "Properties": {
            "ImageId": "ami-0ff8a91507f77f867",
            "InstanceType": "m1.small",
            "InstanceMonitoring": "true",
            "IamInstanceProfile": { "Ref": "RootInstanceProfile" }
         }
      },
      "myASGrpOne": {
         "Type": "AWS::AutoScaling::AutoScalingGroup",
         "Version": "2009-05-15",
         "Properties": {
            "AvailabilityZones": [ "us-east-1a" ],
            "LaunchConfigurationName": { "Ref": "myLCOne" },
            "MinSize": "0",
            "MaxSize": "0",
            "HealthCheckType": "EC2",
            "HealthCheckGracePeriod": "120"
         }
      },
      "RootRole": {
         "Type": "AWS::IAM::Role",
         "Properties": {
            "AssumeRolePolicyDocument": {
               "Version" : "2012-10-17",
               "Statement": [ {
                  "Effect": "Allow",
                  "Principal": { "Service": [ "ec2.amazonaws.com" ] },
                  "Action": [ "sts:AssumeRole" ]
               } ]
            },
            "Path": "/"
         }
      },
      "RolePolicies": {
         "Type": "AWS::IAM::Policy",
         "Properties": {
            "PolicyName": "root",
            "PolicyDocument": {
               "Version" : "2012-10-17",
               "Statement": [ {
                  "Effect": "Allow",
                  "Action": "*",
                  "Resource": "*"
               } ]
            },
            "Roles": [ { "Ref": "RootRole" } ]
         }
      },
      "RootInstanceProfile": {
         "Type": "AWS::IAM::InstanceProfile",
         "Properties": {
            "Path": "/",
            "Roles": [ { "Ref": "RootRole" } ]
         }
      }
   }
}

YAML

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  myLCOne:
    Type: AWS::AutoScaling::LaunchConfiguration
    Version: '2009-05-15'
    Properties:
      ImageId: ami-0ff8a91507f77f867
      InstanceType: m1.small
      InstanceMonitoring: 'true'
      IamInstanceProfile: !Ref RootInstanceProfile
  myASGrpOne:
    Type: AWS::AutoScaling::AutoScalingGroup
    Version: '2009-05-15'
    Properties:
      AvailabilityZones:
        - "us-east-1a"
      LaunchConfigurationName: !Ref myLCOne
      MinSize: '0'
      MaxSize: '0'
      HealthCheckType: EC2
      HealthCheckGracePeriod: '120'
  RootRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
  RolePolicies:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: root
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: "*"
            Resource: "*"
      Roles:
        - !Ref RootRole
  RootInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
      Roles:
        - !Ref RootRole
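Both role templates above wire the same chain: the instance (or launch configuration) names an instance profile in IamInstanceProfile, the profile lists the role, the role's AssumeRolePolicyDocument trusts ec2.amazonaws.com, and a separate AWS::IAM::Policy attaches permissions to the role via Roles. The script below is an added example, not code from this page or from AWS, that resolves that chain in a parsed template, confirms the trust policy, and lists every attached policy that grants Action "*" on Resource "*" as the "root" policy does. The template dicts are constructed from the two examples on this page with the non-IAM properties trimmed; the report tuple layout is this example's own.

```python
"""Added example (not AWS documentation code): follow IamInstanceProfile -> InstanceProfile
-> Role in a CloudFormation template, verify the EC2 trust relationship, and flag
wildcard policies attached to that role."""

# Shared IAM resources constructed from the page's two role templates.
ROLE_RESOURCES = {
    "RootRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": {"Service": ["ec2.amazonaws.com"]},
             "Action": ["sts:AssumeRole"]}]},
        "Path": "/"}},
    "RolePolicies": {"Type": "AWS::IAM::Policy", "Properties": {
        "PolicyName": "root",
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
        "Roles": [{"Ref": "RootRole"}]}},
    "RootInstanceProfile": {"Type": "AWS::IAM::InstanceProfile", "Properties": {
        "Path": "/", "Roles": [{"Ref": "RootRole"}]}},
}
EC2_TEMPLATE = {"Resources": {
    "myEC2Instance": {"Type": "AWS::EC2::Instance", "Properties": {
        "ImageId": "ami-0ff8a91507f77f867", "InstanceType": "m1.small",
        "IamInstanceProfile": {"Ref": "RootInstanceProfile"}}},
    **ROLE_RESOURCES}}
ASG_TEMPLATE = {"Resources": {
    "myLCOne": {"Type": "AWS::AutoScaling::LaunchConfiguration", "Properties": {
        "ImageId": "ami-0ff8a91507f77f867", "InstanceType": "m1.small",
        "IamInstanceProfile": {"Ref": "RootInstanceProfile"}}},
    **ROLE_RESOURCES}}

CONSUMER_TYPES = ("AWS::EC2::Instance", "AWS::AutoScaling::LaunchConfiguration")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _ref(v):
    """Logical ID behind {"Ref": id}; plain strings (names of existing resources) pass through."""
    return v["Ref"] if isinstance(v, dict) and "Ref" in v else v

def trusts_ec2(role):
    """True if the role's trust policy lets ec2.amazonaws.com call sts:AssumeRole."""
    for stmt in role["Properties"]["AssumeRolePolicyDocument"].get("Statement", []):
        services = _as_list(stmt.get("Principal", {}).get("Service", []))
        if (stmt.get("Effect") == "Allow" and "ec2.amazonaws.com" in services
                and "sts:AssumeRole" in _as_list(stmt.get("Action", []))):
            return True
    return False

def wildcard_policies(resources, role_id):
    """Logical IDs of AWS::IAM::Policy resources attached to role_id that allow Action * on Resource *."""
    hits = []
    for pid, res in resources.items():
        if res.get("Type") != "AWS::IAM::Policy":
            continue
        props = res["Properties"]
        if role_id not in [_ref(r) for r in props.get("Roles", [])]:
            continue
        for stmt in props["PolicyDocument"].get("Statement", []):
            if (stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Action", []))
                    and "*" in _as_list(stmt.get("Resource", []))):
                hits.append(pid)
                break
    return hits

def audit_instance_roles(template):
    """For each instance/launch configuration return
    (consumer id, role id or None, trust policy ok, wildcard policy ids)."""
    resources = template["Resources"]
    report = []
    for cid, res in resources.items():
        if res.get("Type") not in CONSUMER_TYPES:
            continue
        profile = resources.get(_ref(res["Properties"].get("IamInstanceProfile")))
        if not profile or profile.get("Type") != "AWS::IAM::InstanceProfile":
            report.append((cid, None, False, []))     # profile missing or declared elsewhere
            continue
        for role_id in (_ref(r) for r in profile["Properties"]["Roles"]):
            role = resources.get(role_id)
            ok = bool(role) and role.get("Type") == "AWS::IAM::Role" and trusts_ec2(role)
            report.append((cid, role_id, ok, wildcard_policies(resources, role_id)))
    return report

if __name__ == "__main__":
    for tpl in (EC2_TEMPLATE, ASG_TEMPLATE):
        for consumer, role, ok, wild in audit_instance_roles(tpl):
            print(f"{consumer}: role={role} ec2_trust={ok} wildcard_policies={wild}")
```

For both templates the chain resolves to RootRole with a correct trust policy, and RolePolicies is reported as a wildcard grant. That finding is the one to act on before deploying: every process on the instance can obtain the role's credentials from the instance metadata service, so the attached policy defines the blast radius of a compromised instance, and the "root" policy in these examples is the placeholder to replace with the specific actions and resource ARNs the workload needs.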