This article describes how to handle the error "CloudFormation is not authorized to perform: iam:PassRole on resource".

Problem description

This is part of the code of my template.yml in Cloud9:

Type: 'AWS::Serverless::Function'
Properties:
  Handler: index.handler
  Runtime: nodejs6.10
  CodeUri: .
  Description: Updates records in the AppConfig table.
  MemorySize: 128
  Timeout: 3
  Role: 'arn:aws:iam::579913947261:role/FnRole'
  Events:
    Api1:
      Type: Api
      Properties:

When I commit the changes in Cloud9, deployment fails at CodePipeline Deploy stage while trying ExecuteChangeSet. I get this error:

Can anyone help?

Recommended answer

From this log you can tell what policy (iam:PassRole) needs to be assigned to the CloudFormation role for your stack (CodeStarWorker-AppConfig-CloudFormation).

You should:

  • Go to IAM > Roles
  • In the search, type CodeStarWorker-AppConfig-CloudFormation
  • Open that role and go to Permissions
  • Find CodeStarWorkerCloudFormationRolePolicy, expand it, and go to Edit policy
  • In the following section, under resources, add the ARN of your role (arn:aws:iam::579913947261:role/FnRole); if you don't have that section, just copy and paste this, but under Resources use your ARNs.

Policy:

{
    "Action": [
        "iam:PassRole"
    ],
    "Resource": [
        "arn:aws:iam::156478935478:role/CodeStarWorker-AppConfig-Lambda",
        "arn:aws:iam::579913947261:role/FnRole"
    ],
    "Effect": "Allow"
}

If you want to assign that permission to all resources ("Resource": "*"), find the following section and, above it under actions, add the permission you want to assign:

"Resource": "*",
"Effect": "Allow"

You can apply this to all other permissions you want to assign to CloudFormation for your resources.
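
The following Python check is an added example, not part of the original answer: it flags Allow statements that grant iam:PassRole on a wildcard resource or without an iam:PassedToService condition, so a policy edited as described above can be reviewed before it is saved. The function name, the two sample policies and the lambda.amazonaws.com condition value are assumptions made for illustration.

```python
import fnmatch


def _as_list(value):
    """IAM accepts a single value or a list for Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]


def passrole_findings(policy):
    """Return (statement_index, issue, detail) for broad iam:PassRole grants."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        # Action names are case-insensitive and may use wildcards ("iam:*").
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase("iam:passrole", a) for a in actions):
            continue
        # Any wildcard in the ARN lets the principal pass roles it was not
        # explicitly given, including more privileged ones.
        for res in _as_list(stmt.get("Resource", [])):
            if "*" in res or "?" in res:
                findings.append((idx, "wildcard-resource", res))
        # Condition is {operator: {key: value}}; key names are case-insensitive.
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if "iam:passedtoservice" not in keys:
            findings.append((idx, "no-passedtoservice-condition", ""))
    return findings


# Constructed sample: the answer's statement narrowed to one role and one service.
SCOPED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["iam:PassRole"],
    "Resource": ["arn:aws:iam::579913947261:role/FnRole"],
    "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}},
}]}

# Constructed sample: iam:PassRole added to a "Resource": "*" statement.
WILDCARD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["cloudformation:*", "iam:PassRole"],
    "Resource": "*",
}]}

if __name__ == "__main__":
    for name, doc in (("scoped", SCOPED), ("wildcard", WILDCARD)):
        print(name, passrole_findings(doc) or "ok")
```
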

09-26 12:52