This section contains AWS Identity and Access Management template snippets.
Important
When you create or update a stack using a template that contains IAM resources, you must acknowledge the use of IAM capabilities. For more information, see Acknowledging IAM resources in CloudFormation templates.
Declaring an IAM user resource
This snippet shows how to declare an AWS::IAM::User resource to create an IAM user. The user is declared with the path "/" and a login profile whose password is myP@ssW0rd. The password sits in plain text in the template body, which any principal allowed to call GetTemplate can read, so in a real template pass it in through a NoEcho parameter or a Secrets Manager dynamic reference and consider setting PasswordResetRequired on the login profile.
The policy document named giveaccesstoqueueonly gives the user permission to perform all Amazon SQS actions on the Amazon SQS queue resource myqueue and denies access to every other Amazon SQS queue resource. The Fn::GetAtt function gets the Arn attribute of the AWS::SQS::Queue resource myqueue. The explicit Deny with NotResource is what keeps this restriction in force when the user also receives permissions from elsewhere, such as group membership, because an explicit Deny overrides any Allow.
The policy document named giveaccesstotopiconly gives the user permission to perform all Amazon SNS actions on the Amazon SNS topic resource mytopic and denies access to every other Amazon SNS resource. The Ref function gets the ARN of the AWS::SNS::Topic resource mytopic.
JSON
"myuser" : {
"Type" : "AWS::IAM::User",
"Properties" : {
"Path" : "/",
"LoginProfile" : {
"Password" : "myP@ssW0rd"
},
"Policies" : [ {
"PolicyName" : "giveaccesstoqueueonly",
"PolicyDocument" : {
"Version": "2012-10-17",
"Statement" : [ {
"Effect" : "Allow",
"Action" : [ "sqs:*" ],
"Resource" : [ {
"Fn::GetAtt" : [ "myqueue", "Arn" ]
} ]
}, {
"Effect" : "Deny",
"Action" : [ "sqs:*" ],
"NotResource" : [ {
"Fn::GetAtt" : [ "myqueue", "Arn" ]
} ]
}
] }
}, {
"PolicyName" : "giveaccesstotopiconly",
"PolicyDocument" : {
"Version": "2012-10-17",
"Statement" : [ {
"Effect" : "Allow",
"Action" : [ "sns:*" ],
"Resource" : [ { "Ref" : "mytopic" } ]
}, {
"Effect" : "Deny",
"Action" : [ "sns:*" ],
"NotResource" : [ { "Ref" : "mytopic" } ]
} ]
}
} ]
}
}
YAML
myuser:
  Type: AWS::IAM::User
  Properties:
    Path: "/"
    LoginProfile:
      Password: myP@ssW0rd
    Policies:
      - PolicyName: giveaccesstoqueueonly
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - sqs:*
              Resource:
                - !GetAtt myqueue.Arn
            - Effect: Deny
              Action:
                - sqs:*
              NotResource:
                - !GetAtt myqueue.Arn
      - PolicyName: giveaccesstotopiconly
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - sns:*
              Resource:
                - !Ref mytopic
            - Effect: Deny
              Action:
                - sns:*
              NotResource:
                - !Ref mytopic
Declaring an IAM access key resource
This snippet shows an AWS::IAM::AccessKey resource. The myaccesskey resource creates an access key and assigns it to the IAM user that is declared as an AWS::IAM::User resource in the template.
JSON
"myaccesskey" : {
"Type" : "AWS::IAM::AccessKey",
"Properties" : {
"UserName" : { "Ref" : "myuser" }
}
}
YAML
myaccesskey:
  Type: AWS::IAM::AccessKey
  Properties:
    UserName: !Ref myuser
You can get the secret key of an AWS::IAM::AccessKey resource with the Fn::GetAtt function. One way to retrieve it is to place it in an Output value. You can get the access key ID with the Ref function. The following Output value declarations get the access key ID and secret key for myaccesskey. Be aware that stack outputs are returned in plain text by DescribeStacks to every principal allowed to call it, so this pattern publishes a long-lived credential; it is shown here to illustrate the intrinsic functions, not as a recommended way to distribute keys.
JSON
"AccessKeyformyaccesskey" : {
"Value" : { "Ref" : "myaccesskey" }
},
"SecretKeyformyaccesskey" : {
"Value" : {
"Fn::GetAtt" : [ "myaccesskey", "SecretAccessKey" ]
}
}
YAML
AccessKeyformyaccesskey:
  Value: !Ref myaccesskey
SecretKeyformyaccesskey:
  Value: !GetAtt myaccesskey.SecretAccessKey
You can also pass the AWS access key and secret key to an Amazon EC2 instance or Auto Scaling group defined in the template. The following AWS::EC2::Instance declaration uses the UserData property to pass the access key and secret key of the myaccesskey resource. Instance user data is readable by any process on the instance through the instance metadata service and by anyone allowed to call DescribeInstanceAttribute, so long-lived keys embedded this way are easy to steal; the IAM role examples later in this section give an instance temporary credentials through an instance profile instead.
JSON
"myinstance" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"AvailabilityZone" : "us-east-1a",
"ImageId" : "ami-0ff8a91507f77f867",
"UserData" : {
"Fn::Base64" : {
"Fn::Join" : [
"", [
"ACCESS_KEY=", {
"Ref" : "myaccesskey"
},
"&",
"SECRET_KEY=",
{
"Fn::GetAtt" : [
"myaccesskey",
"SecretAccessKey"
]
}
]
]
}
}
}
}
YAML
myinstance:
  Type: AWS::EC2::Instance
  Properties:
    AvailabilityZone: "us-east-1a"
    ImageId: ami-0ff8a91507f77f867
    UserData:
      Fn::Base64: !Sub "ACCESS_KEY=${myaccesskey}&SECRET_KEY=${myaccesskey.SecretAccessKey}"
Declaring an IAM group resource
This snippet shows an AWS::IAM::Group resource. The group has the path "/myapplication/". The policy document named myapppolicy is added to the group to allow the group's users to perform all Amazon SQS actions on the Amazon SQS queue resource myqueue and to deny access to all Amazon SQS resources other than myqueue.
To assign a policy to a resource, IAM requires the Amazon Resource Name (ARN) of the resource. In this snippet, the Fn::GetAtt function gets the ARN of the AWS::SQS::Queue resource myqueue.
JSON
"mygroup" : {
"Type" : "AWS::IAM::Group",
"Properties" : {
"Path" : "/myapplication/",
"Policies" : [ {
"PolicyName" : "myapppolicy",
"PolicyDocument" : {
"Version": "2012-10-17",
"Statement" : [ {
"Effect" : "Allow",
"Action" : [ "sqs:*" ],
"Resource" : [ {
"Fn::GetAtt" : [ "myqueue", "Arn" ]
} ]
},
{
"Effect" : "Deny",
"Action" : [ "sqs:*" ],
"NotResource" : [ { "Fn::GetAtt" : [ "myqueue", "Arn" ] } ]
}
] }
} ]
}
}
YAML
mygroup:
  Type: AWS::IAM::Group
  Properties:
    Path: "/myapplication/"
    Policies:
      - PolicyName: myapppolicy
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - sqs:*
              Resource: !GetAtt myqueue.Arn
            - Effect: Deny
              Action:
                - sqs:*
              NotResource: !GetAtt myqueue.Arn
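The Allow plus Deny-with-NotResource pattern used in giveaccesstoqueueonly (user snippet above) and in myapppolicy (group snippet) is easy to misread as redundant. The following Python is an added example, not code from the original page or from any AWS tool: it implements the identity-policy evaluation order (a matching explicit Deny wins, otherwise a matching Allow grants, otherwise implicit deny) over already-resolved ARNs, and shows what the Deny statement contributes once the same principal also inherits a broad policy from a group. The ARNs, the BROAD_GROUP_POLICY and the ALLOW_ONLY variant are constructed for the example; Fn::GetAtt is assumed to have already resolved to the queue ARN.

```python
"""Evaluate IAM identity-based policies the way the giveaccesstoqueueonly
snippet relies on: a matching explicit Deny overrides every Allow, a matching
Allow grants, and anything else is an implicit deny.  Added example; not AWS code."""
from fnmatch import fnmatchcase

# Constructed ARNs standing in for what !GetAtt myqueue.Arn would resolve to.
MYQUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:myqueue"
OTHER_QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:otherqueue"
MYTOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:mytopic"

# giveaccesstoqueueonly from the user snippet, with the intrinsic function resolved.
GIVE_ACCESS_TO_QUEUE_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["sqs:*"], "Resource": [MYQUEUE_ARN]},
        {"Effect": "Deny", "Action": ["sqs:*"], "NotResource": [MYQUEUE_ARN]},
    ],
}
# The same policy with the Deny statement dropped, to show what it contributes.
ALLOW_ONLY = {"Version": "2012-10-17", "Statement": [GIVE_ACCESS_TO_QUEUE_ONLY["Statement"][0]]}
# Constructed (hypothetical) group policy granting every SQS action on every queue.
BROAD_GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sqs:*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_applies(stmt, action, resource_arn):
    """True when the statement's Action and Resource/NotResource cover the request.
    IAM action names are case-insensitive; '*' is a multi-character wildcard."""
    patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
    if not any(fnmatchcase(action.lower(), p) for p in patterns):
        return False
    if "Resource" in stmt:
        return any(fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"]))
    if "NotResource" in stmt:
        return not any(fnmatchcase(resource_arn, r) for r in _as_list(stmt["NotResource"]))
    return False  # identity policies must carry Resource or NotResource


def evaluate(policy_documents, action, resource_arn):
    """Combine every policy attached to the principal (user, group, role).
    Returns 'explicit deny', 'allow' or 'implicit deny'."""
    allowed = False
    for doc in policy_documents:
        for stmt in _as_list(doc["Statement"]):
            if not _statement_applies(stmt, action, resource_arn):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit deny"  # one matching Deny ends the evaluation
            allowed = True
    return "allow" if allowed else "implicit deny"


def scenarios():
    """Requests worth checking before trusting the pattern."""
    user = [GIVE_ACCESS_TO_QUEUE_ONLY]
    user_and_group = [GIVE_ACCESS_TO_QUEUE_ONLY, BROAD_GROUP_POLICY]
    return {
        "user: SendMessage to myqueue": evaluate(user, "sqs:SendMessage", MYQUEUE_ARN),
        "user: SendMessage to otherqueue": evaluate(user, "sqs:SendMessage", OTHER_QUEUE_ARN),
        "user: Publish to mytopic": evaluate(user, "sns:Publish", MYTOPIC_ARN),
        "user+group: SendMessage to otherqueue": evaluate(user_and_group, "sqs:SendMessage", OTHER_QUEUE_ARN),
        "allow-only+group: SendMessage to otherqueue": evaluate(
            [ALLOW_ONLY, BROAD_GROUP_POLICY], "sqs:SendMessage", OTHER_QUEUE_ARN),
    }


if __name__ == "__main__":
    for request, decision in scenarios().items():
        print(f"{request}: {decision}")
```

The last two scenarios carry the lesson: with the Deny statement present, group membership cannot widen the user's SQS access beyond myqueue; with only the Allow, the broad group policy silently grants otherqueue as well.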
Adding users to a group
The AWS::IAM::UserToGroupAddition resource adds users to a group. In the following snippet, the addUserToGroup resource adds the following users to an existing group named myexistinggroup2: the existing user existinguser1 and the user declared as the AWS::IAM::User resource myuser in the template.
JSON
"addUserToGroup" : {
"Type" : "AWS::IAM::UserToGroupAddition",
"Properties" : {
"GroupName" : "myexistinggroup2",
"Users" : [ "existinguser1", { "Ref" : "myuser" } ]
}
}
YAML
addUserToGroup:
  Type: AWS::IAM::UserToGroupAddition
  Properties:
    GroupName: myexistinggroup2
    Users:
      - existinguser1
      - !Ref myuser
Declaring an IAM policy
This snippet shows how to create a policy and apply it to multiple groups using an AWS::IAM::Policy resource named mypolicy. The mypolicy resource contains a PolicyDocument property that allows the GetObject, PutObject, and PutObjectAcl actions on the objects in the S3 bucket represented by the ARN arn:aws:s3:::myAWSBucket. The mypolicy resource applies the policy to the existing group named myexistinggroup1 and to the group mygroup declared as an AWS::IAM::Group resource in the template. This example shows how to apply a policy to groups using the Groups property; you can also use the Users property to attach the policy document to a list of users. Note that s3:PutObjectAcl lets the grantee change object ACLs, so include it only when the workload actually needs it.
Important
The Amazon SNS policy actions declared in an AWS::IAM::Policy resource differ from the Amazon SNS topic policy actions declared in an AWS::SNS::TopicPolicy resource. For example, the policy actions sns:Unsubscribe and sns:SetSubscriptionAttributes are valid for AWS::IAM::Policy resources but not for AWS::SNS::TopicPolicy resources. For more information about valid Amazon SNS policies to use with AWS::IAM::Policy resources, see Special information for Amazon SNS policies in the Amazon Simple Notification Service Developer Guide.
JSON
"mypolicy" : {
"Type" : "AWS::IAM::Policy",
"Properties" : {
"PolicyName" : "mygrouppolicy",
"PolicyDocument" : {
"Version": "2012-10-17",
"Statement" : [ {
"Effect" : "Allow",
"Action" : [
"s3:GetObject" , "s3:PutObject" , "s3:PutObjectAcl" ],
"Resource" : "arn:aws:s3:::myAWSBucket/*"
} ]
},
"Groups" : [ "myexistinggroup1", { "Ref" : "mygroup" } ]
}
}
YAML
mypolicy:
  Type: AWS::IAM::Policy
  Properties:
    PolicyName: mygrouppolicy
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Action:
            - s3:GetObject
            - s3:PutObject
            - s3:PutObjectAcl
          Resource: arn:aws:s3:::myAWSBucket/*
    Groups:
      - myexistinggroup1
      - !Ref mygroup
Declaring an Amazon S3 bucket policy
This snippet shows how to create a policy and apply it to an Amazon S3 bucket using the AWS::S3::BucketPolicy resource. The mybucketpolicy resource declares a policy document that allows the IAM user user1 to perform the GetObject action on all objects in the S3 bucket to which the policy is applied. In this snippet, the Fn::GetAtt function gets the ARN of the user1 resource. The mybucketpolicy resource applies this policy to the AWS::S3::Bucket resource mybucket. The Ref function gets the bucket name of the mybucket resource.
JSON
"mybucketpolicy" : {
"Type" : "AWS::S3::BucketPolicy",
"Properties" : {
"PolicyDocument" : {
"Id" : "MyPolicy",
"Version": "2012-10-17",
"Statement" : [ {
"Sid" : "ReadAccess",
"Action" : [ "s3:GetObject" ],
"Effect" : "Allow",
"Resource" : { "Fn::Join" : [
"", [ "arn:aws:s3:::", { "Ref" : "mybucket" } , "/*" ]
] },
"Principal" : {
"AWS" : { "Fn::GetAtt" : [ "user1", "Arn" ] }
}
} ]
},
"Bucket" : { "Ref" : "mybucket" }
}
}
YAML
mybucketpolicy:
  Type: AWS::S3::BucketPolicy
  Properties:
    PolicyDocument:
      Id: MyPolicy
      Version: '2012-10-17'
      Statement:
        - Sid: ReadAccess
          Action:
            - s3:GetObject
          Effect: Allow
          Resource: !Sub "arn:aws:s3:::${mybucket}/*"
          Principal:
            AWS: !GetAtt user1.Arn
    Bucket: !Ref mybucket
Declaring an Amazon SNS topic policy
This snippet shows how to create a policy and apply it to an Amazon SNS topic using the AWS::SNS::TopicPolicy resource. The mysnspolicy resource contains a PolicyDocument property that allows the AWS::IAM::User resource myuser to perform the Publish action on the AWS::SNS::Topic resource mytopic. In this snippet, the Fn::GetAtt function gets the ARN of the myuser resource, and the Ref function gets the ARN of the mytopic resource.
Important
The Amazon SNS policy actions declared in an AWS::IAM::Policy resource differ from the Amazon SNS topic policy actions declared in an AWS::SNS::TopicPolicy resource. For example, the policy actions sns:Unsubscribe and sns:SetSubscriptionAttributes are valid for AWS::IAM::Policy resources but not for AWS::SNS::TopicPolicy resources. For more information about valid Amazon SNS policies to use with AWS::IAM::Policy resources, see Special information for Amazon SNS policies in the Amazon Simple Notification Service Developer Guide.
JSON
"mysnspolicy" : {
"Type" : "AWS::SNS::TopicPolicy",
"Properties" : {
"PolicyDocument" : {
"Id" : "MyTopicPolicy",
"Version" : "2012-10-17",
"Statement" : [ {
"Sid" : "My-statement-id",
"Effect" : "Allow",
"Principal" : {
"AWS" : { "Fn::GetAtt" : [ "myuser", "Arn" ] }
},
"Action" : "sns:Publish",
"Resource" : "*"
} ]
},
"Topics" : [ { "Ref" : "mytopic" } ]
}
}
YAML
mysnspolicy:
  Type: AWS::SNS::TopicPolicy
  Properties:
    PolicyDocument:
      Id: MyTopicPolicy
      Version: '2012-10-17'
      Statement:
        - Sid: My-statement-id
          Effect: Allow
          Principal:
            AWS: !GetAtt myuser.Arn
          Action: sns:Publish
          Resource: "*"
    Topics:
      - !Ref mytopic
Declaring an Amazon SQS policy
This snippet shows how to create a policy and apply it to an Amazon SQS queue using the AWS::SQS::QueuePolicy resource. The PolicyDocument property allows the existing user myapp (specified by its ARN) to perform the SendMessage action on an existing queue (specified by its URL) and on the AWS::SQS::Queue resource myqueue. The Ref function gets the URL of the myqueue resource.
JSON
"mysqspolicy" : {
"Type" : "AWS::SQS::QueuePolicy",
"Properties" : {
"PolicyDocument" : {
"Id" : "MyQueuePolicy",
"Version" : "2012-10-17",
"Statement" : [ {
"Sid" : "Allow-User-SendMessage",
"Effect" : "Allow",
"Principal" : {
"AWS" : "arn:aws:iam::123456789012:user/myapp"
},
"Action" : [ "sqs:SendMessage" ],
"Resource" : "*"
} ]
},
"Queues" : [
"https://sqs.aws-region.amazonaws.com/123456789012/myexistingqueue",
{ "Ref" : "myqueue" }
]
}
}
YAML
mysqspolicy:
  Type: AWS::SQS::QueuePolicy
  Properties:
    PolicyDocument:
      Id: MyQueuePolicy
      Version: '2012-10-17'
      Statement:
        - Sid: Allow-User-SendMessage
          Effect: Allow
          Principal:
            AWS: arn:aws:iam::123456789012:user/myapp
          Action:
            - sqs:SendMessage
          Resource: "*"
    Queues:
      - https://sqs.aws-region.amazonaws.com/123456789012/myexistingqueue
      - !Ref myqueue
IAM role template examples
This section provides CloudFormation template examples for IAM roles for EC2 instances.
For more information about IAM roles, see Using roles in the AWS Identity and Access Management User Guide.
IAM role with EC2
In this example, the instance profile is referenced by the IamInstanceProfile property of the EC2 instance. Both the instance profile (RootInstanceProfile) and the role policy (RolePolicies) reference the AWS::IAM::Role resource RootRole. The policy named root allows every action on every resource, so any process on the instance that can reach the metadata service obtains administrator-equivalent credentials; in a real template restrict Action and Resource to what the workload needs.
JSON
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"myEC2Instance": {
"Type": "AWS::EC2::Instance",
"Version": "2009-05-15",
"Properties": {
"ImageId": "ami-0ff8a91507f77f867",
"InstanceType": "m1.small",
"Monitoring": "true",
"DisableApiTermination": "false",
"IamInstanceProfile": {
"Ref": "RootInstanceProfile"
}
}
},
"RootRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version" : "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Principal": {
"Service": [ "ec2.amazonaws.com" ]
},
"Action": [ "sts:AssumeRole" ]
} ]
},
"Path": "/"
}
},
"RolePolicies": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "root",
"PolicyDocument": {
"Version" : "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Action": "*",
"Resource": "*"
} ]
},
"Roles": [ { "Ref": "RootRole" } ]
}
},
"RootInstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [ { "Ref": "RootRole" } ]
}
}
}
}
YAML
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  myEC2Instance:
    Type: AWS::EC2::Instance
    Version: '2009-05-15'
    Properties:
      ImageId: ami-0ff8a91507f77f867
      InstanceType: m1.small
      Monitoring: 'true'
      DisableApiTermination: 'false'
      IamInstanceProfile: !Ref RootInstanceProfile
  RootRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
  RolePolicies:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: root
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: "*"
            Resource: "*"
      Roles:
        - !Ref RootRole
  RootInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
      Roles:
        - !Ref RootRole
IAM role with Auto Scaling group
In this example, the instance profile is referenced by the IamInstanceProfile property of the Auto Scaling group's launch configuration. The role policy is the same administrator-equivalent root policy as in the previous example and should be scoped down the same way.
JSON
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"myLCOne": {
"Type": "AWS::AutoScaling::LaunchConfiguration",
"Version": "2009-05-15",
"Properties": {
"ImageId": "ami-0ff8a91507f77f867",
"InstanceType": "m1.small",
"InstanceMonitoring": "true",
"IamInstanceProfile": { "Ref": "RootInstanceProfile" }
}
},
"myASGrpOne": {
"Type": "AWS::AutoScaling::AutoScalingGroup",
"Version": "2009-05-15",
"Properties": {
"AvailabilityZones": [ "us-east-1a" ],
"LaunchConfigurationName": { "Ref": "myLCOne" },
"MinSize": "0",
"MaxSize": "0",
"HealthCheckType": "EC2",
"HealthCheckGracePeriod": "120"
}
},
"RootRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version" : "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Principal": {
"Service": [ "ec2.amazonaws.com" ]
},
"Action": [ "sts:AssumeRole" ]
} ]
},
"Path": "/"
}
},
"RolePolicies": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "root",
"PolicyDocument": {
"Version" : "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Action": "*",
"Resource": "*"
} ]
},
"Roles": [ { "Ref": "RootRole" } ]
}
},
"RootInstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [ { "Ref": "RootRole" } ]
}
}
}
}
YAML
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  myLCOne:
    Type: AWS::AutoScaling::LaunchConfiguration
    Version: '2009-05-15'
    Properties:
      ImageId: ami-0ff8a91507f77f867
      InstanceType: m1.small
      InstanceMonitoring: 'true'
      IamInstanceProfile: !Ref RootInstanceProfile
  myASGrpOne:
    Type: AWS::AutoScaling::AutoScalingGroup
    Version: '2009-05-15'
    Properties:
      AvailabilityZones:
        - "us-east-1a"
      LaunchConfigurationName: !Ref myLCOne
      MinSize: '0'
      MaxSize: '0'
      HealthCheckType: EC2
      HealthCheckGracePeriod: '120'
  RootRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
  RolePolicies:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: root
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: "*"
            Resource: "*"
      Roles:
        - !Ref RootRole
  RootInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
      Roles:
        - !Ref RootRole
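Several snippets in this section deliberately show patterns a reviewer would flag in a real template: the literal LoginProfile password in the user snippet, the secret access key placed in Outputs and in UserData in the access key section, and the root policy in the role examples that allows every action on every resource. The following Python is an added example, not code from the original page or from any AWS tool: it lints a template in parsed JSON form for exactly those four patterns. The sample template is assembled from this section's own snippets plus a constructed scoped role (ScopedRole, with a hypothetical readqueue policy) that must produce no finding; the finding strings and the ScopedRole resource are assumptions of the example.

```python
"""Lint a parsed CloudFormation template for the IAM anti-patterns that this
section's snippets demonstrate.  Added example; not part of the page or of any
AWS tool.  Works on the JSON form (YAML short tags like !GetAtt become Fn::GetAtt)."""
import json

POLICY_RESOURCE_TYPES = {"AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"}
INLINE_POLICY_TYPES = {"AWS::IAM::User", "AWS::IAM::Group", "AWS::IAM::Role"}
USER_DATA_TYPES = {"AWS::EC2::Instance", "AWS::AutoScaling::LaunchConfiguration"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _walk(node):
    """Yield every dict nested anywhere inside node (intrinsic functions are dicts)."""
    if isinstance(node, dict):
        yield node
        for child in node.values():
            yield from _walk(child)
    elif isinstance(node, list):
        for child in node:
            yield from _walk(child)


def _references_secret_key(node):
    """True if node contains Fn::GetAtt [x, SecretAccessKey] or ${x.SecretAccessKey} in Fn::Sub."""
    for d in _walk(node):
        if "Fn::GetAtt" in d:
            att = d["Fn::GetAtt"]  # list form ["res", "Attr"] or string form "res.Attr"
            attr = att.split(".", 1)[-1] if isinstance(att, str) else att[-1]
            if attr == "SecretAccessKey":
                return True
        if "Fn::Sub" in d:
            sub = d["Fn::Sub"]  # string form or [string, {variables}]
            if ".SecretAccessKey}" in (sub if isinstance(sub, str) else sub[0]):
                return True
    return False


def _is_admin_statement(stmt):
    """Allow on Action * and Resource * is administrator-equivalent."""
    return (stmt.get("Effect") == "Allow"
            and "*" in _as_list(stmt.get("Action", []))
            and "*" in _as_list(stmt.get("Resource", [])))


def lint_template(template):
    """Return (logical_id, finding) pairs for the four patterns checked."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type", ""), res.get("Properties", {})
        if rtype == "AWS::IAM::User":
            password = props.get("LoginProfile", {}).get("Password")
            # A literal string is hard-coded; a Ref or a {{resolve:...}} dynamic reference is not.
            if isinstance(password, str) and not password.startswith("{{resolve:"):
                findings.append((name, "hard-coded LoginProfile password"))
        if rtype in USER_DATA_TYPES and _references_secret_key(props.get("UserData")):
            findings.append((name, "long-lived secret access key passed via UserData"))
        docs = [props["PolicyDocument"]] if rtype in POLICY_RESOURCE_TYPES and "PolicyDocument" in props else []
        if rtype in INLINE_POLICY_TYPES:
            docs += [p["PolicyDocument"] for p in props.get("Policies", [])]
        for doc in docs:
            if any(_is_admin_statement(s) for s in _as_list(doc.get("Statement", []))):
                findings.append((name, "Allow * on * (administrator-equivalent policy)"))
    for name, out in template.get("Outputs", {}).items():
        if _references_secret_key(out.get("Value")):
            findings.append((name, "secret access key exposed in stack Outputs"))
    return findings


# Constructed sample assembled from this section's snippets plus a scoped role that is clean.
SAMPLE_TEMPLATE = json.loads(r"""{
  "Resources": {
    "myuser": {"Type": "AWS::IAM::User",
      "Properties": {"Path": "/", "LoginProfile": {"Password": "myP@ssW0rd"}}},
    "myaccesskey": {"Type": "AWS::IAM::AccessKey", "Properties": {"UserName": {"Ref": "myuser"}}},
    "myinstance": {"Type": "AWS::EC2::Instance",
      "Properties": {"ImageId": "ami-0ff8a91507f77f867", "UserData": {"Fn::Base64":
        {"Fn::Sub": "ACCESS_KEY=${myaccesskey}&SECRET_KEY=${myaccesskey.SecretAccessKey}"}}}},
    "RolePolicies": {"Type": "AWS::IAM::Policy",
      "Properties": {"PolicyName": "root", "Roles": [{"Ref": "RootRole"}],
        "PolicyDocument": {"Version": "2012-10-17",
          "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}},
    "ScopedRole": {"Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
          "Principal": {"Service": ["ec2.amazonaws.com"]}, "Action": ["sts:AssumeRole"]}]},
        "Policies": [{"PolicyName": "readqueue", "PolicyDocument": {"Version": "2012-10-17",
          "Statement": [{"Effect": "Allow", "Action": ["sqs:ReceiveMessage"],
            "Resource": [{"Fn::GetAtt": ["myqueue", "Arn"]}]}]}}]}}
  },
  "Outputs": {
    "SecretKeyformyaccesskey": {"Value": {"Fn::GetAtt": ["myaccesskey", "SecretAccessKey"]}}
  }
}""")

if __name__ == "__main__":
    for logical_id, finding in lint_template(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {finding}")
```

Run against the sample, the linter reports myuser, myinstance, RolePolicies and the SecretKeyformyaccesskey output, and nothing for ScopedRole; feeding it a template whose password is a Ref to a NoEcho parameter also yields no finding, which is the shape the earlier caveats recommend.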