AWS Identity and Access Management template snippets - AWS CloudFormation

This is a machine translation of the English version. Where the content is ambiguous or inconsistent, the English version prevails.

AWS Identity and Access Management template snippets

This section contains AWS Identity and Access Management template snippets.

Important

When creating or updating a stack using a template that contains IAM resources, you must acknowledge the use of IAM capabilities. For more information about using IAM resources in templates, see Controlling access with AWS Identity and Access Management.

Declaring an IAM user resource

This snippet shows how to declare an AWS::IAM::User resource to create an IAM user. The user is declared with the path ("/") and a login profile with the password (myP@ssW0rd).

The policy document named giveaccesstoqueueonly gives the user permission to perform all Amazon SQS actions on the Amazon SQS queue resource myqueue, and denies access to all other Amazon SQS queue resources. The Fn::GetAtt function gets the Arn attribute of the AWS::SQS::Queue resource myqueue.

The policy document named giveaccesstotopiconly is added to the user to give the user permission to perform all Amazon SNS actions on the Amazon SNS topic resource mytopic, and to deny access to all other Amazon SNS resources. The Ref function gets the ARN of the AWS::SNS::Topic resource mytopic.

JSON

"myuser" : {
  "Type" : "AWS::IAM::User",
  "Properties" : {
    "Path" : "/",
    "LoginProfile" : {
      "Password" : "myP@ssW0rd"
    },
    "Policies" : [ {
      "PolicyName" : "giveaccesstoqueueonly",
      "PolicyDocument" : {
        "Version": "2012-10-17",
        "Statement" : [ {
          "Effect" : "Allow",
          "Action" : [ "sqs:*" ],
          "Resource" : [ { "Fn::GetAtt" : [ "myqueue", "Arn" ] } ]
        }, {
          "Effect" : "Deny",
          "Action" : [ "sqs:*" ],
          "NotResource" : [ { "Fn::GetAtt" : [ "myqueue", "Arn" ] } ]
        } ]
      }
    }, {
      "PolicyName" : "giveaccesstotopiconly",
      "PolicyDocument" : {
        "Version": "2012-10-17",
        "Statement" : [ {
          "Effect" : "Allow",
          "Action" : [ "sns:*" ],
          "Resource" : [ { "Ref" : "mytopic" } ]
        }, {
          "Effect" : "Deny",
          "Action" : [ "sns:*" ],
          "NotResource" : [ { "Ref" : "mytopic" } ]
        } ]
      }
    } ]
  }
}

YAML

myuser:
  Type: AWS::IAM::User
  Properties:
    Path: "/"
    LoginProfile:
      Password: myP@ssW0rd
    Policies:
      - PolicyName: giveaccesstoqueueonly
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - sqs:*
              Resource:
                - !GetAtt myqueue.Arn
            - Effect: Deny
              Action:
                - sqs:*
              NotResource:
                - !GetAtt myqueue.Arn
      - PolicyName: giveaccesstotopiconly
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - sns:*
              Resource:
                - !Ref mytopic
            - Effect: Deny
              Action:
                - sns:*
              NotResource:
                - !Ref mytopic

Declaring an IAM access key resource

This snippet shows an AWS::IAM::AccessKey resource. The myaccesskey resource creates an access key and assigns it to an IAM user that is declared as an AWS::IAM::User resource in the template.

JSON

"myaccesskey" : {
  "Type" : "AWS::IAM::AccessKey",
  "Properties" : {
    "UserName" : { "Ref" : "myuser" }
  }
}

YAML

myaccesskey:
  Type: AWS::IAM::AccessKey
  Properties:
    UserName: !Ref myuser

You can get the secret key for an AWS::IAM::AccessKey resource using the Fn::GetAtt function. One way to retrieve the secret key is to put it into an Output value. You can get the access key using the Ref function. The following Output value declarations get the access key and secret key for myaccesskey.

JSON

"AccessKeyformyaccesskey" : {
  "Value" : { "Ref" : "myaccesskey" }
},
"SecretKeyformyaccesskey" : {
  "Value" : { "Fn::GetAtt" : [ "myaccesskey", "SecretAccessKey" ] }
}

YAML

AccessKeyformyaccesskey:
  Value: !Ref myaccesskey
SecretKeyformyaccesskey:
  Value: !GetAtt myaccesskey.SecretAccessKey

You can also pass an AWS access key and secret key to an Amazon EC2 instance or Auto Scaling group defined in the template. The following AWS::EC2::Instance declaration uses the UserData property to pass the access key and secret key for the myaccesskey resource.

JSON

"myinstance" : {
  "Type" : "AWS::EC2::Instance",
  "Properties" : {
    "AvailabilityZone" : "us-east-1a",
    "ImageId" : "ami-0ff8a91507f77f867",
    "UserData" : {
      "Fn::Base64" : {
        "Fn::Join" : [ "", [
          "ACCESS_KEY=", { "Ref" : "myaccesskey" },
          "&", "SECRET_KEY=", { "Fn::GetAtt" : [ "myaccesskey", "SecretAccessKey" ] }
        ] ]
      }
    }
  }
}

YAML

myinstance:
  Type: AWS::EC2::Instance
  Properties:
    AvailabilityZone: "us-east-1a"
    ImageId: ami-0ff8a91507f77f867
    UserData:
      Fn::Base64: !Sub "ACCESS_KEY=${myaccesskey}&SECRET_KEY=${myaccesskey.SecretAccessKey}"
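The snippets above put credentials in three places a reviewer should notice: a literal console password in LoginProfile, the secret key in a stack Output (readable by anyone who can call DescribeStacks), and the secret key in UserData (readable from the instance metadata service by any process on the instance). The following checker is an added example, not AWS code; the template it scans is constructed here from those snippets.

```python
import json

# Constructed sample (not from the page as one unit): the user, access-key,
# UserData and Output snippets above assembled into one minimal template.
TEMPLATE = json.loads(r'''{
  "Resources": {
    "myuser": {"Type": "AWS::IAM::User", "Properties": {"Path": "/",
      "LoginProfile": {"Password": "myP@ssW0rd"}}},
    "myaccesskey": {"Type": "AWS::IAM::AccessKey",
      "Properties": {"UserName": {"Ref": "myuser"}}},
    "myinstance": {"Type": "AWS::EC2::Instance", "Properties": {"UserData": {
      "Fn::Base64": {"Fn::Join": ["", ["ACCESS_KEY=", {"Ref": "myaccesskey"},
        "&SECRET_KEY=", {"Fn::GetAtt": ["myaccesskey", "SecretAccessKey"]}]]}}}}
  },
  "Outputs": {
    "SecretKeyformyaccesskey": {"Value": {"Fn::GetAtt": ["myaccesskey", "SecretAccessKey"]}}
  }
}''')

def walk(node, path=()):
    """Yield (path, node) for every node of a parsed template, depth first."""
    yield path, node
    if isinstance(node, dict):
        for key, child in node.items():
            yield from walk(child, path + (key,))
    elif isinstance(node, list):
        for idx, child in enumerate(node):
            yield from walk(child, path + (idx,))

def find_secret_exposure(template):
    """Return (resource_or_output, message) pairs for literal console passwords
    and for SecretAccessKey values that leave the template via Outputs or UserData."""
    findings = []
    for path, node in walk(template):
        if not isinstance(node, dict):
            continue
        if node.get("Type") == "AWS::IAM::User":
            password = node.get("Properties", {}).get("LoginProfile", {}).get("Password")
            if isinstance(password, str):
                findings.append((path[1], "literal console password in LoginProfile"))
        getatt = node.get("Fn::GetAtt")
        if isinstance(getatt, list) and len(getatt) == 2 and getatt[1] == "SecretAccessKey":
            if path[:1] == ("Outputs",):
                findings.append((path[1], f"secret key of {getatt[0]} exposed in stack Outputs"))
            elif "UserData" in path:
                findings.append((path[1], f"secret key of {getatt[0]} embedded in UserData"))
    return findings
```

The checker only understands the JSON Fn::GetAtt form; the YAML variant above uses !Sub with ${myaccesskey.SecretAccessKey}, which a complete linter would also have to parse. Attaching an instance profile (shown in the role examples later on this page) removes the need to pass long-lived keys through UserData at all.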

Declaring an IAM group resource

This snippet shows an AWS::IAM::Group resource. The group has the path ("/myapplication/"). The policy document named myapppolicy is added to the group to allow the group's users to perform all Amazon SQS actions on the Amazon SQS queue resource myqueue, and to deny access to all other Amazon SQS resources except myqueue.

To assign a policy to a resource, IAM requires the Amazon Resource Name (ARN) of the resource. In the snippet, the Fn::GetAtt function gets the ARN of the AWS::SQS::Queue resource myqueue.

JSON

"mygroup" : {
  "Type" : "AWS::IAM::Group",
  "Properties" : {
    "Path" : "/myapplication/",
    "Policies" : [ {
      "PolicyName" : "myapppolicy",
      "PolicyDocument" : {
        "Version": "2012-10-17",
        "Statement" : [ {
          "Effect" : "Allow",
          "Action" : [ "sqs:*" ],
          "Resource" : [ { "Fn::GetAtt" : [ "myqueue", "Arn" ] } ]
        }, {
          "Effect" : "Deny",
          "Action" : [ "sqs:*" ],
          "NotResource" : [ { "Fn::GetAtt" : [ "myqueue", "Arn" ] } ]
        } ]
      }
    } ]
  }
}

YAML

mygroup:
  Type: AWS::IAM::Group
  Properties:
    Path: "/myapplication/"
    Policies:
      - PolicyName: myapppolicy
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - sqs:*
              Resource: !GetAtt myqueue.Arn
            - Effect: Deny
              Action:
                - sqs:*
              NotResource: !GetAtt myqueue.Arn
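The user and group snippets above both pair an Allow on myqueue with a Deny whose NotResource is myqueue. Since IAM denies by default, the Deny changes nothing for this policy on its own; its value is that an explicit Deny overrides an Allow granted by any other policy attached to the same principal. The evaluator below is an added example, not AWS code, implementing that simplified identity-policy logic; it assumes the ARN that Fn::GetAtt would resolve for myqueue and constructs a second, broader policy as might be attached through another group.

```python
import fnmatch

# Constructed sample: the myapppolicy document from the group snippet above,
# with !GetAtt myqueue.Arn already resolved to an assumed ARN.
MYQUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:myqueue"
OTHER_QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:otherqueue"
MYAPPPOLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["sqs:*"], "Resource": MYQUEUE_ARN},
        {"Effect": "Deny", "Action": ["sqs:*"], "NotResource": MYQUEUE_ARN},
    ],
}
# Constructed broader grant, e.g. from a second group the same user belongs to.
ANY_QUEUE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sqs:*", "Resource": "*"}],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _match(patterns, value, fold=False):
    # IAM treats '*' and '?' as wildcards; action names are matched
    # case-insensitively, resource ARNs case-sensitively.
    if fold:
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def statement_applies(stmt, action, resource):
    """True if Action/NotAction and Resource/NotResource both cover the request."""
    if "Action" in stmt:
        action_ok = _match(_as_list(stmt["Action"]), action, fold=True)
    else:
        action_ok = not _match(_as_list(stmt["NotAction"]), action, fold=True)
    if not action_ok:
        return False
    if "Resource" in stmt:
        return _match(_as_list(stmt["Resource"]), resource)
    return not _match(_as_list(stmt["NotResource"]), resource)

def evaluate(policies, action, resource):
    """Decide one request against all identity policies attached to a principal:
    explicit Deny wins, otherwise any Allow wins, otherwise implicit deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit deny"
            allowed = True
    return "allow" if allowed else "implicit deny"
```

Real IAM evaluation also consults resource policies, permissions boundaries, SCPs and Condition elements, none of which are modelled here.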

Adding users to a group

The AWS::IAM::UserToGroupAddition resource adds users to a group. In the following snippet, the addUserToGroup resource adds the following users to an existing group named myexistinggroup2: the existing user existinguser1, and the user myuser that is declared as an AWS::IAM::User resource in the template.

JSON

"addUserToGroup" : {
  "Type" : "AWS::IAM::UserToGroupAddition",
  "Properties" : {
    "GroupName" : "myexistinggroup2",
    "Users" : [ "existinguser1", { "Ref" : "myuser" } ]
  }
}

YAML

addUserToGroup:
  Type: AWS::IAM::UserToGroupAddition
  Properties:
    GroupName: myexistinggroup2
    Users:
      - existinguser1
      - !Ref myuser

Declaring an IAM policy

This snippet shows how to create a policy and apply it to multiple groups using an AWS::IAM::Policy resource named mypolicy. The mypolicy resource contains a PolicyDocument property that allows the GetObject, PutObject, and PutObjectAcl actions on the objects in the S3 bucket represented by the ARN arn:aws:s3:::myAWSBucket. The mypolicy resource applies the policy to an existing group named myexistinggroup1 and to the group mygroup that is declared in the template as an AWS::IAM::Group resource. This example shows how to apply a policy to a group using the Groups property; however, you can alternatively use the Users property to add the policy document to a list of users.

Important

The Amazon SNS policy actions that are declared in the AWS::IAM::Policy resource differ from the Amazon SNS topic policy actions that are declared in the AWS::SNS::TopicPolicy resource. For example, the policy actions sns:Unsubscribe and sns:SetSubscriptionAttributes are valid for the AWS::IAM::Policy resource, but are invalid for the AWS::SNS::TopicPolicy resource. For more information about valid Amazon SNS policy actions that you can use with the AWS::IAM::Policy resource, see Special Information for Amazon SNS Policies in the Amazon Simple Notification Service Developer Guide.

JSON

"mypolicy" : {
  "Type" : "AWS::IAM::Policy",
  "Properties" : {
    "PolicyName" : "mygrouppolicy",
    "PolicyDocument" : {
      "Version": "2012-10-17",
      "Statement" : [ {
        "Effect" : "Allow",
        "Action" : [ "s3:GetObject", "s3:PutObject", "s3:PutObjectAcl" ],
        "Resource" : "arn:aws:s3:::myAWSBucket/*"
      } ]
    },
    "Groups" : [ "myexistinggroup1", { "Ref" : "mygroup" } ]
  }
}

YAML

mypolicy:
  Type: AWS::IAM::Policy
  Properties:
    PolicyName: mygrouppolicy
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Action:
            - s3:GetObject
            - s3:PutObject
            - s3:PutObjectAcl
          Resource: arn:aws:s3:::myAWSBucket/*
    Groups:
      - myexistinggroup1
      - !Ref mygroup

Declaring an Amazon S3 bucket policy

This snippet shows how to create a policy and apply it to an Amazon S3 bucket using the AWS::S3::BucketPolicy resource. The mybucketpolicy resource declares a policy document that allows the IAM user user1 to perform the GetObject action on all objects in the S3 bucket to which this policy is applied. In the snippet, the Fn::GetAtt function gets the ARN of the user1 resource. The mybucketpolicy resource applies the policy to the AWS::S3::Bucket resource mybucket. The Ref function gets the bucket name of the mybucket resource.

JSON

"mybucketpolicy" : {
  "Type" : "AWS::S3::BucketPolicy",
  "Properties" : {
    "PolicyDocument" : {
      "Id" : "MyPolicy",
      "Version": "2012-10-17",
      "Statement" : [ {
        "Sid" : "ReadAccess",
        "Action" : [ "s3:GetObject" ],
        "Effect" : "Allow",
        "Resource" : { "Fn::Join" : [ "", [ "arn:aws:s3:::", { "Ref" : "mybucket" }, "/*" ] ] },
        "Principal" : { "AWS" : { "Fn::GetAtt" : [ "user1", "Arn" ] } }
      } ]
    },
    "Bucket" : { "Ref" : "mybucket" }
  }
}

YAML

mybucketpolicy:
  Type: AWS::S3::BucketPolicy
  Properties:
    PolicyDocument:
      Id: MyPolicy
      Version: '2012-10-17'
      Statement:
        - Sid: ReadAccess
          Action:
            - s3:GetObject
          Effect: Allow
          Resource: !Sub "arn:aws:s3:::${mybucket}/*"
          Principal:
            AWS: !GetAtt user1.Arn
    Bucket: !Ref mybucket

Declaring an Amazon SNS topic policy

This snippet shows how to create a policy and apply it to an Amazon SNS topic using the AWS::SNS::TopicPolicy resource. The mysnspolicy resource contains a PolicyDocument property that allows the AWS::IAM::User resource myuser to perform the Publish action on the AWS::SNS::Topic resource mytopic. In the snippet, the Fn::GetAtt function gets the ARN of the myuser resource, and the Ref function gets the ARN of the mytopic resource.

Important

The Amazon SNS policy actions that are declared in the AWS::IAM::Policy resource differ from the Amazon SNS topic policy actions that are declared in the AWS::SNS::TopicPolicy resource. For example, the policy actions sns:Unsubscribe and sns:SetSubscriptionAttributes are valid for the AWS::IAM::Policy resource, but are invalid for the AWS::SNS::TopicPolicy resource. For more information about valid Amazon SNS policy actions that you can use with the AWS::IAM::Policy resource, see Special Information for Amazon SNS Policies in the Amazon Simple Notification Service Developer Guide.

JSON

"mysnspolicy" : {
  "Type" : "AWS::SNS::TopicPolicy",
  "Properties" : {
    "PolicyDocument" : {
      "Id" : "MyTopicPolicy",
      "Version" : "2012-10-17",
      "Statement" : [ {
        "Sid" : "My-statement-id",
        "Effect" : "Allow",
        "Principal" : { "AWS" : { "Fn::GetAtt" : [ "myuser", "Arn" ] } },
        "Action" : "sns:Publish",
        "Resource" : "*"
      } ]
    },
    "Topics" : [ { "Ref" : "mytopic" } ]
  }
}

YAML

mysnspolicy:
  Type: AWS::SNS::TopicPolicy
  Properties:
    PolicyDocument:
      Id: MyTopicPolicy
      Version: '2012-10-17'
      Statement:
        - Sid: My-statement-id
          Effect: Allow
          Principal:
            AWS: !GetAtt myuser.Arn
          Action: sns:Publish
          Resource: "*"
    Topics:
      - !Ref mytopic

Declaring an Amazon SQS policy

This snippet shows how to create a policy and apply it to an Amazon SQS queue using the AWS::SQS::QueuePolicy resource. The PolicyDocument property allows the existing user myapp (specified by its ARN) to perform the SendMessage action on an existing queue, which is specified by its URL, and on the AWS::SQS::Queue resource myqueue. The Ref function gets the URL of the myqueue resource.

JSON

"mysqspolicy" : {
  "Type" : "AWS::SQS::QueuePolicy",
  "Properties" : {
    "PolicyDocument" : {
      "Id" : "MyQueuePolicy",
      "Version" : "2012-10-17",
      "Statement" : [ {
        "Sid" : "Allow-User-SendMessage",
        "Effect" : "Allow",
        "Principal" : { "AWS" : "arn:aws:iam::123456789012:user/myapp" },
        "Action" : [ "sqs:SendMessage" ],
        "Resource" : "*"
      } ]
    },
    "Queues" : [ "https://sqs.aws-region.amazonaws.com/123456789012/myexistingqueue", { "Ref" : "myqueue" } ]
  }
}

YAML

mysqspolicy:
  Type: AWS::SQS::QueuePolicy
  Properties:
    PolicyDocument:
      Id: MyQueuePolicy
      Version: '2012-10-17'
      Statement:
        - Sid: Allow-User-SendMessage
          Effect: Allow
          Principal:
            AWS: arn:aws:iam::123456789012:user/myapp
          Action:
            - sqs:SendMessage
          Resource: "*"
    Queues:
      - https://sqs.aws-region.amazonaws.com/123456789012/myexistingqueue
      - !Ref myqueue

IAM role template examples

This section provides CloudFormation template examples for IAM roles for EC2 instances.

For more information about IAM roles, see Using roles in the AWS Identity and Access Management User Guide.

IAM role with EC2

In this example, the instance profile is referenced by the IamInstanceProfile property of the EC2 instance. Both the instance policy and the role policy reference the AWS::IAM::Role.

JSON

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "myEC2Instance": {
      "Type": "AWS::EC2::Instance",
      "Version": "2009-05-15",
      "Properties": {
        "ImageId": "ami-0ff8a91507f77f867",
        "InstanceType": "m1.small",
        "Monitoring": "true",
        "DisableApiTermination": "false",
        "IamInstanceProfile": { "Ref": "RootInstanceProfile" }
      }
    },
    "RootRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version" : "2012-10-17",
          "Statement": [ {
            "Effect": "Allow",
            "Principal": { "Service": [ "ec2.amazonaws.com" ] },
            "Action": [ "sts:AssumeRole" ]
          } ]
        },
        "Path": "/"
      }
    },
    "RolePolicies": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "root",
        "PolicyDocument": {
          "Version" : "2012-10-17",
          "Statement": [ {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
          } ]
        },
        "Roles": [ { "Ref": "RootRole" } ]
      }
    },
    "RootInstanceProfile": {
      "Type": "AWS::IAM::InstanceProfile",
      "Properties": {
        "Path": "/",
        "Roles": [ { "Ref": "RootRole" } ]
      }
    }
  }
}

YAML

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  myEC2Instance:
    Type: AWS::EC2::Instance
    Version: '2009-05-15'
    Properties:
      ImageId: ami-0ff8a91507f77f867
      InstanceType: m1.small
      Monitoring: 'true'
      DisableApiTermination: 'false'
      IamInstanceProfile: !Ref RootInstanceProfile
  RootRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
  RolePolicies:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: root
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: "*"
            Resource: "*"
      Roles:
        - !Ref RootRole
  RootInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
      Roles:
        - !Ref RootRole

IAM role with an AutoScaling group

In this example, the instance profile is referenced by the IamInstanceProfile property of the AutoScaling group launch configuration.

JSON

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "myLCOne": {
      "Type": "AWS::AutoScaling::LaunchConfiguration",
      "Version": "2009-05-15",
      "Properties": {
        "ImageId": "ami-0ff8a91507f77f867",
        "InstanceType": "m1.small",
        "InstanceMonitoring": "true",
        "IamInstanceProfile": { "Ref": "RootInstanceProfile" }
      }
    },
    "myASGrpOne": {
      "Type": "AWS::AutoScaling::AutoScalingGroup",
      "Version": "2009-05-15",
      "Properties": {
        "AvailabilityZones": [ "us-east-1a" ],
        "LaunchConfigurationName": { "Ref": "myLCOne" },
        "MinSize": "0",
        "MaxSize": "0",
        "HealthCheckType": "EC2",
        "HealthCheckGracePeriod": "120"
      }
    },
    "RootRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version" : "2012-10-17",
          "Statement": [ {
            "Effect": "Allow",
            "Principal": { "Service": [ "ec2.amazonaws.com" ] },
            "Action": [ "sts:AssumeRole" ]
          } ]
        },
        "Path": "/"
      }
    },
    "RolePolicies": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "root",
        "PolicyDocument": {
          "Version" : "2012-10-17",
          "Statement": [ {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
          } ]
        },
        "Roles": [ { "Ref": "RootRole" } ]
      }
    },
    "RootInstanceProfile": {
      "Type": "AWS::IAM::InstanceProfile",
      "Properties": {
        "Path": "/",
        "Roles": [ { "Ref": "RootRole" } ]
      }
    }
  }
}

YAML

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  myLCOne:
    Type: AWS::AutoScaling::LaunchConfiguration
    Version: '2009-05-15'
    Properties:
      ImageId: ami-0ff8a91507f77f867
      InstanceType: m1.small
      InstanceMonitoring: 'true'
      IamInstanceProfile: !Ref RootInstanceProfile
  myASGrpOne:
    Type: AWS::AutoScaling::AutoScalingGroup
    Version: '2009-05-15'
    Properties:
      AvailabilityZones:
        - "us-east-1a"
      LaunchConfigurationName: !Ref myLCOne
      MinSize: '0'
      MaxSize: '0'
      HealthCheckType: EC2
      HealthCheckGracePeriod: '120'
  RootRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
  RolePolicies:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: root
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: "*"
            Resource: "*"
      Roles:
        - !Ref RootRole
  RootInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
      Roles:
        - !Ref RootRole
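In both role templates the RolePolicies resource grants Allow on Action "*" and Resource "*", so every process on an instance launched with RootInstanceProfile can obtain full-account credentials from the instance metadata service; in practice the policy should be narrowed to the actions and resources the workload needs. The review helper below is an added example, not AWS code: it reads the role, policy and instance-profile resources shared by the two templates (constructed here from the snippets above) and flags that statement, a trust policy open to any principal, and a profile that is not wired to a role declared in the template.

```python
import json

# Constructed sample: the role, policy and instance-profile resources shared
# by both role templates above (instance and Auto Scaling resources omitted).
ROLE_TEMPLATE = json.loads(r'''{
  "Resources": {
    "RootRole": {"Type": "AWS::IAM::Role", "Properties": {"Path": "/",
      "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": ["ec2.amazonaws.com"]},
         "Action": ["sts:AssumeRole"]}]}}},
    "RolePolicies": {"Type": "AWS::IAM::Policy", "Properties": {
      "PolicyName": "root", "Roles": [{"Ref": "RootRole"}],
      "PolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}},
    "RootInstanceProfile": {"Type": "AWS::IAM::InstanceProfile",
      "Properties": {"Path": "/", "Roles": [{"Ref": "RootRole"}]}}
  }
}''')

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _open_principal(principal):
    # "*" or {"AWS": "*"} lets any AWS account assume the role.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def review_roles(template):
    """Return (resource, message) findings for open trust policies, Allow */*
    statements attached to roles, and instance profiles not bound to one declared role."""
    resources = template["Resources"]
    findings = []
    for name, res in resources.items():
        props = res.get("Properties", {})
        if res["Type"] == "AWS::IAM::Role":
            for stmt in props["AssumeRolePolicyDocument"]["Statement"]:
                if stmt["Effect"] == "Allow" and _open_principal(stmt.get("Principal")):
                    findings.append((name, "trust policy lets any principal assume the role"))
        elif res["Type"] == "AWS::IAM::Policy":
            roles = [r["Ref"] for r in props.get("Roles", [])]
            for stmt in props["PolicyDocument"]["Statement"]:
                if (stmt["Effect"] == "Allow" and "*" in _as_list(stmt.get("Action", []))
                        and "*" in _as_list(stmt.get("Resource", []))):
                    findings.append((name, f"Allow */* gives roles {roles} full account access"))
        elif res["Type"] == "AWS::IAM::InstanceProfile":
            roles = props.get("Roles", [])
            ref = roles[0].get("Ref") if len(roles) == 1 and isinstance(roles[0], dict) else None
            if resources.get(ref, {}).get("Type") != "AWS::IAM::Role":
                findings.append((name, "instance profile must reference one AWS::IAM::Role"))
    return findings
```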