如何解决更新 AWS SSO 分配的错误

编程问答 2022-06-02

问题描述

我将 SessionDuration 属性添加AWS::SSO::PermissionSet 并运行了 CloudFormation 堆栈更新。我在 CloudFormation 控制台的 Events 部分从 CloudFormation 得到的错误

The following resource(s) Failed to update: [AssignmentGeneral].

Unable to retrieve PermissionSetArn attribute for AWS::SSO::PermissionSet,with error message READ and LIST handlers must return synchronously.

这是模板:

AWstemplateFormatVersion: '2010-09-09'
Parameters:
  InstanceArn:
    Type: String
    Default: arn:aws:sso:::instance/ssoins-1234abcdefg1234
  SessionDuration: 
    Type: String
    # PT12H = 12 hours in the ISO-8601 standard
    Default: PT12H
Resources:
  AssignmentGeneral:
    Type: AWS::SSO::Assignment
    Properties: 
      InstanceArn: !Ref InstanceArn
      PermissionSetArn: !GetAtt PermissionSetAdmin.PermissionSetArn
      PrincipalId: 123456789-1afefjil1-12345678-abcdefg-1234
      PrincipalType: GROUP
      TargetId: '1234567891'
      targettype: AWS_ACCOUNT
  PermissionSetAdmin:
    Type: AWS::SSO::PermissionSet
    Properties: 
      InstanceArn: !Ref InstanceArn
      ManagedPolicies:
        - arn:aws:iam::aws:policy/AdministratorAccess
      Name: admin
      SessionDuration: !Ref SessionDuration

我检查了 PermissionSetArn 的文档并得到:

PermissionSetArn
The ARN of the permission set.
required: Yes
Type: String
Minimum: 10
Maximum: 1224
Pattern: arn:aws:sso:::permissionSet/(sso)?ins-[a-zA-Z0-9-.]{16}/ps-[a-zA-Z0-9-./]{16}
Update requires: Replacement

来源:https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sso-assignment.html

编辑:我也尝试将 !GetAtt PermissionSetAdmin.PermissionSetArn 替换为 !GetAtt PermissionSetAdmin.Arn 但后来得到了 Requested attribute Arn does not exist in schema for AWS::SSO::PermissionSet

编辑:我联系了 AWS 支持,内部团队正在修复 API 的逻辑,以使其正常工作,我应该注意https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-sso/issues/8

解决方法

暂无找到可以解决该程序问题的有效方法,小编努力寻找整理中!

如果你已经找到好的解决方法,欢迎将解决方案带上本链接一起发送给小编。

小编邮箱:dio#foxmail.com (将#修改为@)

amazon-cloudformationamazon-web-servicessingle-sign-on