问题描述
我将 SessionDuration
属性添加到 AWS::SSO::PermissionSet
并运行了 CloudFormation 堆栈更新。我在 CloudFormation 控制台的 Events 部分从 CloudFormation 得到的错误:
The following resource(s) Failed to update: [AssignmentGeneral].
Unable to retrieve PermissionSetArn attribute for AWS::SSO::PermissionSet,with error message READ and LIST handlers must return synchronously.
这是模板:
AWstemplateFormatVersion: '2010-09-09'
Parameters:
InstanceArn:
Type: String
Default: arn:aws:sso:::instance/ssoins-1234abcdefg1234
SessionDuration:
Type: String
# PT12H = 12 hours in the ISO-8601 standard
Default: PT12H
Resources:
AssignmentGeneral:
Type: AWS::SSO::Assignment
Properties:
InstanceArn: !Ref InstanceArn
PermissionSetArn: !GetAtt PermissionSetAdmin.PermissionSetArn
PrincipalId: 123456789-1afefjil1-12345678-abcdefg-1234
PrincipalType: GROUP
TargetId: '1234567891'
targettype: AWS_ACCOUNT
PermissionSetAdmin:
Type: AWS::SSO::PermissionSet
Properties:
InstanceArn: !Ref InstanceArn
ManagedPolicies:
- arn:aws:iam::aws:policy/AdministratorAccess
Name: admin
SessionDuration: !Ref SessionDuration
我检查了 PermissionSetArn
的文档并得到:
PermissionSetArn
The ARN of the permission set.
required: Yes
Type: String
Minimum: 10
Maximum: 1224
Pattern: arn:aws:sso:::permissionSet/(sso)?ins-[a-zA-Z0-9-.]{16}/ps-[a-zA-Z0-9-./]{16}
Update requires: Replacement
来源:https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sso-assignment.html
编辑:我也尝试将 !GetAtt PermissionSetAdmin.PermissionSetArn
替换为
!GetAtt PermissionSetAdmin.Arn
但后来得到了 Requested attribute Arn does not exist in schema for AWS::SSO::PermissionSet
。
编辑:我联系了 AWS 支持,内部团队正在修复 API 的逻辑,以使其正常工作,我应该注意https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-sso/issues/8
解决方法
暂无找到可以解决该程序问题的有效方法,小编努力寻找整理中!
如果你已经找到好的解决方法,欢迎将解决方案带上本链接一起发送给小编。
小编邮箱:dio#foxmail.com (将#修改为@)