Problem description
I have the following CloudFormation YAML. It creates a role in UserRootAccount and also a role in the non-UserRootAccount accounts, and allows UserRootAccount to assume the role in those child accounts.
The problem is that there is no way to control the order of the accounts in which the stack instances run.
If the first account to run happens to be UserRootAccount it works fine, but if AWS picks any other account to run first it fails with the error
ResourceLogicalId: EbsSnapshotAgeReportingLambdaRole, ResourceType: AWS::IAM::Role, ResourceStatusReason: Invalid principal in policy:
I can see there is a way to specify the order of regions, but that does not help because our master account and child accounts all run the stack instances in the same region.
Is there any way to specify the order of accounts?
Currently I check list_stack_instances for an error where item['StatusReason'] contains "Invalid principal in policy", and if it was thrown from an account that is not the master account I keep retrying until it picks the master account to update first and then completes, but this is horrible.
```yaml
Description: "Deployment testing"
Parameters:
  UserRootAccount:
    Type: String
    MinLength: 12
    MaxLength: 12
    Default: "000000000000" # DO NOT CHANGE
    AllowedPattern: "[0-9]{12}"
    Description: AWS account serving as root account
Conditions:
  IsNotMgmtAccount: !Not [!Equals [ !Ref "AWS::AccountId", !Ref UserRootAccount ]]
  IsMgmtAccount: !Equals [ !Ref "AWS::AccountId", !Ref UserRootAccount ]
Resources:
  RootEbsSnapshotAgeReportingLambdaRole:
    Type: AWS::IAM::Role
    Condition: IsMgmtAccount
    Properties:
      RoleName: 'test-old-snapshots-managment-role-16'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          -
            Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        -
          PolicyName: 'snapshot-age-role-policy'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              -
                Effect: Allow
                Action:
                  - 'logs:CreateLogStream'
                  - 'ec2:DescribeRegions'
                  - 'ec2:DescribeVolumes'
                  - 'ebs:ListSnapshotBlocks'
                  - 'ec2:DescribeSnapshots'
                  - 'logs:CreateLogGroup'
                  - 'logs:PutLogEvents'
                  - 'ebs:ListChangedBlocks'
                  - 'ebs:GetSnapshotBlock'
                Resource: '*'
        -
          PolicyName: 'sts-snapshot-age-role-policy'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              -
                Effect: Allow
                Action:
                  - 'sts:AssumeRole'
                Resource: 'arn:aws:iam::*:role/test-old-snapshots-role'
  EbsSnapshotAgeReportingLambdaRole:
    Type: AWS::IAM::Role
    Condition: IsNotMgmtAccount
    Properties:
      RoleName: 'test-old-snapshots-role'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          -
            Effect: Allow
            Principal:
              AWS:
                - !Sub 'arn:aws:iam::${UserRootAccount}:role/test-old-snapshots-managment-role-16'
            Action:
              - sts:AssumeRole
      Policies:
        -
          PolicyName: 'snapshot-age-role-policy'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              -
                Effect: Allow
                Action:
                  - 'logs:CreateLogStream'
                  - 'ec2:DescribeRegions'
                  - 'ec2:DescribeVolumes'
                  - 'ebs:ListSnapshotBlocks'
                  - 'ec2:DescribeSnapshots'
                  - 'logs:CreateLogGroup'
                  - 'logs:PutLogEvents'
                  - 'ebs:ListChangedBlocks'
                  - 'ebs:GetSnapshotBlock'
                Resource: '*'
```
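One way to get the ordering the question asks for, as an added example that is not part of the original post: deploy the StackSet in two waves, waiting for the UserRootAccount operation to reach a terminal state before creating the child-account instances, so the root role exists when the child trust policies reference its ARN. `plan_waves`, `deploy_in_order` and `FakeStackSetClient` are this example's own names; the fake client is a constructed offline stand-in for `boto3.client("cloudformation")`, and the example assumes the StackSet exists and has no instances yet for these accounts.

```python
import time

# Hypothetical helper, not from the question: deploy the StackSet in two waves so the
# management (UserRootAccount) role exists before the child roles reference its ARN.
TERMINAL = {"SUCCEEDED", "FAILED", "STOPPED"}

def plan_waves(accounts, root_account):
    """Wave 1 is the root account alone; wave 2 is every other account."""
    accounts = list(dict.fromkeys(accounts))  # de-duplicate, keep given order
    if root_account not in accounts:
        raise ValueError("root account must be among the deployment targets")
    children = [a for a in accounts if a != root_account]
    return [[root_account]] + ([children] if children else [])

def wait_for_operation(cfn, stack_set, op_id, poll=5, sleep=time.sleep):
    """Block until the StackSet operation is terminal and return its status."""
    while True:
        op = cfn.describe_stack_set_operation(StackSetName=stack_set, OperationId=op_id)
        status = op["StackSetOperation"]["Status"]
        if status in TERMINAL:
            return status
        sleep(poll)

def deploy_in_order(cfn, stack_set, accounts, regions, root_account, sleep=time.sleep):
    """Create instances wave by wave; stop at the first wave that does not succeed.

    Returns a list of (wave_accounts, final_status). Assumes no instances exist yet
    for these accounts; `cfn` is boto3.client("cloudformation") in real use.
    """
    results = []
    for wave in plan_waves(accounts, root_account):
        op = cfn.create_stack_instances(StackSetName=stack_set, Accounts=wave, Regions=regions)
        status = wait_for_operation(cfn, stack_set, op["OperationId"], sleep=sleep)
        results.append((wave, status))
        if status != "SUCCEEDED":
            break  # do not create child roles against a missing root role
    return results

class FakeStackSetClient:
    """Constructed offline stand-in for the boto3 client; records the account order."""
    def __init__(self):
        self.calls = []
    def create_stack_instances(self, StackSetName, Accounts, Regions):
        self.calls.append(list(Accounts))
        return {"OperationId": f"op-{len(self.calls)}"}
    def describe_stack_set_operation(self, StackSetName, OperationId):
        return {"StackSetOperation": {"Status": "SUCCEEDED"}}
```

Because the child wave only starts after the root wave reports SUCCEEDED, the "Invalid principal in policy" failure the question describes cannot occur from ordering alone; a failed root wave stops the deployment instead of leaving half the accounts in a retry loop.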