问题描述
我想将策略部署为资源。
resource.yml
Resources:
MyGroupPolicy:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action:
- iam:ChangePassword
- iam:CreateLoginProfile
- iam:DeleteLoginProfile
- iam:GetAccountPasswordPolicy
- iam:GetAccountSummary
- iam:GetLoginProfile
- iam:UpdateLoginProfile
Effect: Allow
Resource:
- Ref: Param1
- Ref: Param2
- Ref: Param3
params.json
[
{
"ParameterKey": "Param1","ParameterValue": "arn:aws:iam::7777777777:user/${aws:username}"
},{
"ParameterKey": "Param2","ParameterValue": "arn:aws:iam::7777777777:mfa/*"
},{
"ParameterKey": "Param3","ParameterValue": "arn:aws:iam::7777777:mfa/${aws:username}"
}
]
部署命令
aws cloudformation create-stack --stack-name stack --template-body file://resource.yml --parameters
file://params.json --capabilities CAPABILITY_NAMED_IAM
An error occurred (ValidationError) when calling the CreateStack operation: Parameter values specified
for a template which does not require them.
解决方法
您在 Parameters
模板中缺少 resource.yml
部分,您可以在其中定义堆栈在输入方面的预期。模板实际上应如下所示:
Parameters:
Param1:
Type: String
Param2:
Type: String
Param3:
Type: String
Resources:
MyGroupPolicy:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action:
- iam:ChangePassword
- iam:CreateLoginProfile
- iam:DeleteLoginProfile
- iam:GetAccountPasswordPolicy
- iam:GetAccountSummary
- iam:GetLoginProfile
- iam:UpdateLoginProfile
Effect: Allow
Resource:
- Ref: Param1
- Ref: Param2
- Ref: Param3