AWS CloudFormation
User Guide (API Version 2010-05-15)
AWS services or the features described in the AWS documentation may vary by region/location. Click Getting Started with Amazon AWS to see the specific differences for the China regions.

AWS Identity and Access Management Template Snippets

This section contains AWS Identity and Access Management template snippets.

Important

When you create or update a stack using a template that contains IAM resources, you must acknowledge the use of IAM capabilities. For more information about using IAM resources in templates, see Controlling Access with AWS Identity and Access Management.

Declaring an IAM User Resource

This snippet shows how to declare an AWS::IAM::User resource to create an IAM user. The user is declared with the path "/" and a login profile whose password is myP@ssW0rd.

A policy document named giveaccesstoqueueonly grants the user permission to perform all Amazon SQS actions on the Amazon SQS queue resource myqueue, and denies access to all other Amazon SQS queue resources. The Fn::GetAtt function gets the Arn attribute of the AWS::SQS::Queue resource myqueue.

A policy document named giveaccesstotopiconly is added to the user to grant the user permission to perform all Amazon SNS actions on the Amazon SNS topic resource mytopic, and to deny access to all other Amazon SNS resources. The Ref function gets the ARN of the AWS::SNS::Topic resource mytopic.

JSON

"myuser" : {
  "Type" : "AWS::IAM::User",
  "Properties" : {
    "Path" : "/",
    "LoginProfile" : {
      "Password" : "myP@ssW0rd"
    },
    "Policies" : [
      {
        "PolicyName" : "giveaccesstoqueueonly",
        "PolicyDocument" : {
          "Version": "2012-10-17",
          "Statement" : [
            {
              "Effect" : "Allow",
              "Action" : [ "sqs:*" ],
              "Resource" : [ { "Fn::GetAtt" : [ "myqueue", "Arn" ] } ]
            },
            {
              "Effect" : "Deny",
              "Action" : [ "sqs:*" ],
              "NotResource" : [ { "Fn::GetAtt" : [ "myqueue", "Arn" ] } ]
            }
          ]
        }
      },
      {
        "PolicyName" : "giveaccesstotopiconly",
        "PolicyDocument" : {
          "Version": "2012-10-17",
          "Statement" : [
            {
              "Effect" : "Allow",
              "Action" : [ "sns:*" ],
              "Resource" : [ { "Ref" : "mytopic" } ]
            },
            {
              "Effect" : "Deny",
              "Action" : [ "sns:*" ],
              "NotResource" : [ { "Ref" : "mytopic" } ]
            }
          ]
        }
      }
    ]
  }
}

YAML

myuser:
  Type: AWS::IAM::User
  Properties:
    Path: "/"
    LoginProfile:
      Password: myP@ssW0rd
    Policies:
      - PolicyName: giveaccesstoqueueonly
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - sqs:*
              Resource:
                - !GetAtt myqueue.Arn
            - Effect: Deny
              Action:
                - sqs:*
              NotResource:
                - !GetAtt myqueue.Arn
      - PolicyName: giveaccesstotopiconly
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - sns:*
              Resource:
                - !Ref mytopic
            - Effect: Deny
              Action:
                - sns:*
              NotResource:
                - !Ref mytopic
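As an added example that is not part of the CloudFormation guide, the following Python models how IAM evaluates the giveaccesstoqueueonly policy above: the Allow on the queue ARN combined with the Deny on NotResource means any request against a different queue is explicitly denied, not merely unmatched. The ARN for myqueue is a constructed value standing in for what Fn::GetAtt resolves to at deploy time.

```python
import fnmatch

# Constructed ARN standing in for what Fn::GetAtt ["myqueue", "Arn"] resolves to at deploy time.
MYQUEUE_ARN = "arn:aws:sqs:us-east-2:123456789012:myqueue"

# The giveaccesstoqueueonly policy document from the snippet, with the intrinsic
# function already resolved to the constructed ARN above.
GIVE_ACCESS_TO_QUEUE_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["sqs:*"], "Resource": [MYQUEUE_ARN]},
        {"Effect": "Deny", "Action": ["sqs:*"], "NotResource": [MYQUEUE_ARN]},
    ],
}

def _action_matches(patterns, action):
    # Action names are case-insensitive; "*" and "?" are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _resource_matches(patterns, resource):
    # ARNs are compared case-sensitively; "*" and "?" are wildcards.
    return any(fnmatch.fnmatchcase(resource, p) for p in patterns)

def _statement_applies(stmt, action, resource):
    if not _action_matches(stmt["Action"], action):
        return False
    if "Resource" in stmt:
        return _resource_matches(stmt["Resource"], resource)
    # NotResource: the statement covers every resource EXCEPT those listed.
    return not _resource_matches(stmt["NotResource"], resource)

def evaluate(policy, action, resource):
    """Decide a request the way IAM evaluates an identity-based policy:
    an explicit Deny overrides any Allow; no matching Allow is an implicit deny."""
    decision = "Deny"  # default: implicit deny
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny wins regardless of statement order
        decision = "Allow"
    return decision

if __name__ == "__main__":
    other_queue = "arn:aws:sqs:us-east-2:123456789012:otherqueue"
    print(evaluate(GIVE_ACCESS_TO_QUEUE_ONLY, "sqs:SendMessage", MYQUEUE_ARN))  # Allow
    print(evaluate(GIVE_ACCESS_TO_QUEUE_ONLY, "sqs:SendMessage", other_queue))  # Deny
```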

Declaring an IAM Access Key Resource

This snippet shows an AWS::IAM::AccessKey resource. The myaccesskey resource creates an access key and assigns it to an IAM user that is declared as an AWS::IAM::User resource in the template.

JSON

"myaccesskey" : {
  "Type" : "AWS::IAM::AccessKey",
  "Properties" : {
    "UserName" : { "Ref" : "myuser" }
  }
}

YAML

myaccesskey:
  Type: AWS::IAM::AccessKey
  Properties:
    UserName: !Ref myuser

You can use the Fn::GetAtt function to get the secret key of an AWS::IAM::AccessKey resource. The secret key of an AWS access key can only be obtained at the time the key is created. One way to retrieve the key is to put it in an Output value. You can use the Ref function to get the access key. The following Output value declarations get the access key and secret key for myaccesskey.

JSON

"AccessKeyformyaccesskey" : {
  "Value" : { "Ref" : "myaccesskey" }
},
"SecretKeyformyaccesskey" : {
  "Value" : { "Fn::GetAtt" : [ "myaccesskey", "SecretAccessKey" ] }
}

YAML

AccessKeyformyaccesskey:
  Value: !Ref myaccesskey
SecretKeyformyaccesskey:
  Value: !GetAtt myaccesskey.SecretAccessKey

You can also pass the AWS access key and secret key to an EC2 instance or Auto Scaling group defined in the template. The following AWS::EC2::Instance declaration uses the UserData property to pass the access key and secret key of the myaccesskey resource.

JSON

"myinstance" : {
  "Type" : "AWS::EC2::Instance",
  "Properties" : {
    "AvailabilityZone" : "us-east-1a",
    "ImageId" : "ami-20b65349",
    "UserData" : {
      "Fn::Base64" : {
        "Fn::Join" : [ "", [
          "ACCESS_KEY=", { "Ref" : "myaccesskey" },
          "&",
          "SECRET_KEY=", { "Fn::GetAtt" : [ "myaccesskey", "SecretAccessKey" ] }
        ] ]
      }
    }
  }
}

YAML

myinstance:
  Type: AWS::EC2::Instance
  Properties:
    AvailabilityZone: "us-east-1a"
    ImageId: ami-20b65349
    UserData:
      Fn::Base64: !Sub "ACCESS_KEY=${myaccesskey}&SECRET_KEY=${myaccesskey.SecretAccessKey}"

Declaring an IAM Group Resource

This snippet shows an AWS::IAM::Group resource. The group has a path ("/myapplication/"). A policy document named myapppolicy is added to the group to allow the group's users to perform all Amazon SQS actions on the Amazon SQS queue resource myqueue, and to deny access to all Amazon SQS resources other than myqueue.

To assign a policy to a resource, IAM requires the Amazon Resource Name (ARN) of that resource. In this snippet, the Fn::GetAtt function gets the ARN of the AWS::SQS::Queue resource myqueue.

JSON

"mygroup" : {
  "Type" : "AWS::IAM::Group",
  "Properties" : {
    "Path" : "/myapplication/",
    "Policies" : [
      {
        "PolicyName" : "myapppolicy",
        "PolicyDocument" : {
          "Version": "2012-10-17",
          "Statement" : [
            {
              "Effect" : "Allow",
              "Action" : [ "sqs:*" ],
              "Resource" : [ { "Fn::GetAtt" : [ "myqueue", "Arn" ] } ]
            },
            {
              "Effect" : "Deny",
              "Action" : [ "sqs:*" ],
              "NotResource" : [ { "Fn::GetAtt" : [ "myqueue", "Arn" ] } ]
            }
          ]
        }
      }
    ]
  }
}

YAML

mygroup:
  Type: AWS::IAM::Group
  Properties:
    Path: "/myapplication/"
    Policies:
      - PolicyName: myapppolicy
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - sqs:*
              Resource: !GetAtt myqueue.Arn
            - Effect: Deny
              Action:
                - sqs:*
              NotResource: !GetAtt myqueue.Arn

Adding Users to a Group

The AWS::IAM::UserToGroupAddition resource adds users to a group. In the following snippet, the addUserToGroup resource adds the following users to an existing group named myexistinggroup2: the existing user existinguser1, and the user myuser that is declared as an AWS::IAM::User resource in the template.

JSON

"addUserToGroup" : {
  "Type" : "AWS::IAM::UserToGroupAddition",
  "Properties" : {
    "GroupName" : "myexistinggroup2",
    "Users" : [ "existinguser1", { "Ref" : "myuser" } ]
  }
}

YAML

addUserToGroup:
  Type: AWS::IAM::UserToGroupAddition
  Properties:
    GroupName: myexistinggroup2
    Users:
      - existinguser1
      - !Ref myuser

Declaring an IAM Policy

This snippet shows how to create a policy and apply it to multiple groups using an AWS::IAM::Policy resource named mypolicy. The mypolicy resource contains a PolicyDocument property that allows the GetObject, PutObject, and PutObjectAcl actions on the objects in the S3 bucket represented by the ARN arn:aws:s3:::myAWSBucket. The mypolicy resource applies the policy to an existing group named myexistinggroup1 and to the group mygroup that is declared in the template as an AWS::IAM::Group resource. This example shows how to apply a policy to groups using the Groups property; you can alternatively use the Users property to add the policy document to a list of users.

Important

The Amazon SNS policy actions that are declared in an AWS::IAM::Policy resource differ from the Amazon SNS topic policy actions that are declared in an AWS::SNS::TopicPolicy resource. For example, the policy actions sns:Unsubscribe and sns:SetSubscriptionAttributes are valid for the AWS::IAM::Policy resource but are invalid for the AWS::SNS::TopicPolicy resource. For more information about the valid Amazon SNS policy actions that you can use with the AWS::IAM::Policy resource, see Special Information for Amazon SNS Policies in the Amazon Simple Notification Service Developer Guide.

JSON

"mypolicy" : {
  "Type" : "AWS::IAM::Policy",
  "Properties" : {
    "PolicyName" : "mygrouppolicy",
    "PolicyDocument" : {
      "Version": "2012-10-17",
      "Statement" : [
        {
          "Effect" : "Allow",
          "Action" : [ "s3:GetObject", "s3:PutObject", "s3:PutObjectAcl" ],
          "Resource" : "arn:aws:s3:::myAWSBucket/*"
        }
      ]
    },
    "Groups" : [ "myexistinggroup1", { "Ref" : "mygroup" } ]
  }
}

YAML

mypolicy:
  Type: AWS::IAM::Policy
  Properties:
    PolicyName: mygrouppolicy
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Action:
            - s3:GetObject
            - s3:PutObject
            - s3:PutObjectAcl
          Resource: arn:aws:s3:::myAWSBucket/*
    Groups:
      - myexistinggroup1
      - !Ref mygroup

Declaring an Amazon S3 Bucket Policy

This snippet shows how to create a policy and apply it to an Amazon S3 bucket using the AWS::S3::BucketPolicy resource. The mybucketpolicy resource declares a policy document that allows the IAM user user1 to perform the GetObject action on all objects in the S3 bucket to which the policy is applied. In this snippet, the Fn::GetAtt function gets the ARN of the user1 resource. The mybucketpolicy resource applies the policy to the AWS::S3::Bucket resource mybucket. The Ref function gets the bucket name of the mybucket resource.

JSON

"mybucketpolicy" : {
  "Type" : "AWS::S3::BucketPolicy",
  "Properties" : {
    "PolicyDocument" : {
      "Id" : "MyPolicy",
      "Version": "2012-10-17",
      "Statement" : [
        {
          "Sid" : "ReadAccess",
          "Action" : [ "s3:GetObject" ],
          "Effect" : "Allow",
          "Resource" : { "Fn::Join" : [ "", [ "arn:aws:s3:::", { "Ref" : "mybucket" }, "/*" ] ] },
          "Principal" : { "AWS" : { "Fn::GetAtt" : [ "user1", "Arn" ] } }
        }
      ]
    },
    "Bucket" : { "Ref" : "mybucket" }
  }
}

YAML

mybucketpolicy:
  Type: AWS::S3::BucketPolicy
  Properties:
    PolicyDocument:
      Id: MyPolicy
      Version: '2012-10-17'
      Statement:
        - Sid: ReadAccess
          Action:
            - s3:GetObject
          Effect: Allow
          Resource: !Sub "arn:aws:s3:::${mybucket}/*"
          Principal:
            AWS: !GetAtt user1.Arn
    Bucket: !Ref mybucket

Declaring an Amazon SNS Topic Policy

This snippet shows how to create a policy and apply it to an Amazon SNS topic using the AWS::SNS::TopicPolicy resource. The mysnspolicy resource contains a PolicyDocument property that allows the AWS::IAM::User resource myuser to perform the Publish action on the AWS::SNS::Topic resource mytopic. In this snippet, the Fn::GetAtt function gets the ARN of the myuser resource, and the Ref function gets the ARN of the mytopic resource.

Important

The Amazon SNS policy actions that are declared in an AWS::IAM::Policy resource differ from the Amazon SNS topic policy actions that are declared in an AWS::SNS::TopicPolicy resource. For example, the policy actions sns:Unsubscribe and sns:SetSubscriptionAttributes are valid for the AWS::IAM::Policy resource but are invalid for the AWS::SNS::TopicPolicy resource. For more information about the valid Amazon SNS policy actions that you can use with the AWS::IAM::Policy resource, see Special Information for Amazon SNS Policies in the Amazon Simple Notification Service Developer Guide.

JSON

"mysnspolicy" : {
  "Type" : "AWS::SNS::TopicPolicy",
  "Properties" : {
    "PolicyDocument" : {
      "Id" : "MyTopicPolicy",
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Sid" : "My-statement-id",
          "Effect" : "Allow",
          "Principal" : { "AWS" : { "Fn::GetAtt" : [ "myuser", "Arn" ] } },
          "Action" : "sns:Publish",
          "Resource" : "*"
        }
      ]
    },
    "Topics" : [ { "Ref" : "mytopic" } ]
  }
}

YAML

mysnspolicy:
  Type: AWS::SNS::TopicPolicy
  Properties:
    PolicyDocument:
      Id: MyTopicPolicy
      Version: '2012-10-17'
      Statement:
        - Sid: My-statement-id
          Effect: Allow
          Principal:
            AWS: !GetAtt myuser.Arn
          Action: sns:Publish
          Resource: "*"
    Topics:
      - !Ref mytopic

Declaring an Amazon SQS Policy

This snippet shows how to create a policy and apply it to an Amazon SQS queue using the AWS::SQS::QueuePolicy resource. The PolicyDocument property allows the existing user myapp (specified by its ARN) to perform the SendMessage action on an existing queue (specified by its URL) and on the AWS::SQS::Queue resource myqueue. The Ref function gets the URL of the myqueue resource.

JSON

"mysqspolicy" : {
  "Type" : "AWS::SQS::QueuePolicy",
  "Properties" : {
    "PolicyDocument" : {
      "Id" : "MyQueuePolicy",
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Sid" : "Allow-User-SendMessage",
          "Effect" : "Allow",
          "Principal" : { "AWS" : "arn:aws:iam::123456789012:user/myapp" },
          "Action" : [ "sqs:SendMessage" ],
          "Resource" : "*"
        }
      ]
    },
    "Queues" : [
      "https://sqs.us-east-2.amazonaws.com/123456789012/myexistingqueue",
      { "Ref" : "myqueue" }
    ]
  }
}

YAML

mysqspolicy:
  Type: AWS::SQS::QueuePolicy
  Properties:
    PolicyDocument:
      Id: MyQueuePolicy
      Version: '2012-10-17'
      Statement:
        - Sid: Allow-User-SendMessage
          Effect: Allow
          Principal:
            AWS: arn:aws:iam::123456789012:user/myapp
          Action:
            - sqs:SendMessage
          Resource: "*"
    Queues:
      - https://sqs.us-east-2.amazonaws.com/123456789012/myexistingqueue
      - !Ref myqueue

IAM Role Template Examples

This section provides CloudFormation template examples for IAM roles used by EC2 instances.

For more information about IAM roles, see Working with Roles in the AWS Identity and Access Management User Guide.

IAM Role with EC2

In this example, the instance profile is referenced by the IamInstanceProfile property of the EC2 instance. Both the instance policy and the role policy reference the AWS::IAM::Role.

JSON

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "myEC2Instance": {
      "Type": "AWS::EC2::Instance",
      "Version": "2009-05-15",
      "Properties": {
        "ImageId": "ami-205fba49",
        "InstanceType": "m1.small",
        "Monitoring": "true",
        "DisableApiTermination": "false",
        "IamInstanceProfile": { "Ref": "RootInstanceProfile" }
      }
    },
    "RootRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version" : "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": { "Service": [ "ec2.amazonaws.com" ] },
              "Action": [ "sts:AssumeRole" ]
            }
          ]
        },
        "Path": "/"
      }
    },
    "RolePolicies": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "root",
        "PolicyDocument": {
          "Version" : "2012-10-17",
          "Statement": [
            { "Effect": "Allow", "Action": "*", "Resource": "*" }
          ]
        },
        "Roles": [ { "Ref": "RootRole" } ]
      }
    },
    "RootInstanceProfile": {
      "Type": "AWS::IAM::InstanceProfile",
      "Properties": {
        "Path": "/",
        "Roles": [ { "Ref": "RootRole" } ]
      }
    }
  }
}

YAML

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  myEC2Instance:
    Type: AWS::EC2::Instance
    Version: '2009-05-15'
    Properties:
      ImageId: ami-205fba49
      InstanceType: m1.small
      Monitoring: 'true'
      DisableApiTermination: 'false'
      IamInstanceProfile: !Ref RootInstanceProfile
  RootRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
  RolePolicies:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: root
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: "*"
            Resource: "*"
      Roles:
        - !Ref RootRole
  RootInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
      Roles:
        - !Ref RootRole

IAM Role with AutoScaling Group

In this example, the instance profile is referenced by the IamInstanceProfile property of the AutoScaling group's launch configuration.

JSON

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "myLCOne": {
      "Type": "AWS::AutoScaling::LaunchConfiguration",
      "Version": "2009-05-15",
      "Properties": {
        "ImageId": "ami-205fba49",
        "InstanceType": "m1.small",
        "InstanceMonitoring": "true",
        "IamInstanceProfile": { "Ref": "RootInstanceProfile" }
      }
    },
    "myASGrpOne": {
      "Type": "AWS::AutoScaling::AutoScalingGroup",
      "Version": "2009-05-15",
      "Properties": {
        "AvailabilityZones": [ "us-east-1a" ],
        "LaunchConfigurationName": { "Ref": "myLCOne" },
        "MinSize": "0",
        "MaxSize": "0",
        "HealthCheckType": "EC2",
        "HealthCheckGracePeriod": "120"
      }
    },
    "RootRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version" : "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": { "Service": [ "ec2.amazonaws.com" ] },
              "Action": [ "sts:AssumeRole" ]
            }
          ]
        },
        "Path": "/"
      }
    },
    "RolePolicies": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "root",
        "PolicyDocument": {
          "Version" : "2012-10-17",
          "Statement": [
            { "Effect": "Allow", "Action": "*", "Resource": "*" }
          ]
        },
        "Roles": [ { "Ref": "RootRole" } ]
      }
    },
    "RootInstanceProfile": {
      "Type": "AWS::IAM::InstanceProfile",
      "Properties": {
        "Path": "/",
        "Roles": [ { "Ref": "RootRole" } ]
      }
    }
  }
}

YAML

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  myLCOne:
    Type: AWS::AutoScaling::LaunchConfiguration
    Version: '2009-05-15'
    Properties:
      ImageId: ami-205fba49
      InstanceType: m1.small
      InstanceMonitoring: 'true'
      IamInstanceProfile: !Ref RootInstanceProfile
  myASGrpOne:
    Type: AWS::AutoScaling::AutoScalingGroup
    Version: '2009-05-15'
    Properties:
      AvailabilityZones:
        - "us-east-1a"
      LaunchConfigurationName: !Ref myLCOne
      MinSize: '0'
      MaxSize: '0'
      HealthCheckType: EC2
      HealthCheckGracePeriod: '120'
  RootRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
  RolePolicies:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: root
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: "*"
            Resource: "*"
      Roles:
        - !Ref RootRole
  RootInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
      Roles:
        - !Ref RootRole
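Two patterns on this page deserve a check before a template is deployed: the SecretAccessKey exported through Outputs or UserData in the access key section (stack outputs are readable by anyone permitted to describe the stack, and user data by anyone permitted to describe the instance), and the RolePolicies resource in both role examples, which allows Action "*" on Resource "*". As an added example that is not part of the CloudFormation guide, this Python walks a parsed template and reports both; the embedded template is a constructed fragment assembled from the snippets on this page.

```python
import json

# Constructed template fragment assembled from this page's snippets: the access key
# exported through Outputs and UserData, and the "root" policy allowing "*" on "*".
SAMPLE_TEMPLATE = json.loads("""{
  "Resources": {
    "RolePolicies": {"Type": "AWS::IAM::Policy", "Properties": {
      "PolicyName": "root", "Roles": [{"Ref": "RootRole"}],
      "PolicyDocument": {"Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}},
    "myinstance": {"Type": "AWS::EC2::Instance", "Properties": {
      "UserData": {"Fn::Base64": {"Fn::Join": ["", [
        "SECRET_KEY=", {"Fn::GetAtt": ["myaccesskey", "SecretAccessKey"]}]]}}}}
  },
  "Outputs": {
    "SecretKeyformyaccesskey": {"Value": {"Fn::GetAtt": ["myaccesskey", "SecretAccessKey"]}}
  }
}""")

def _walk(node, path=()):
    """Yield (path, node) for every node of a parsed template, depth first."""
    yield path, node
    if isinstance(node, dict):
        for key, child in node.items():
            yield from _walk(child, path + (key,))
    elif isinstance(node, list):
        for idx, child in enumerate(node):
            yield from _walk(child, path + (idx,))

def _as_list(value):
    return value if isinstance(value, list) else [value]

def find_findings(template):
    """Return (finding, location) pairs; location is the top-level section and logical id."""
    findings = []
    for path, node in _walk(template):
        if not isinstance(node, dict) or len(path) < 2:
            continue
        where = f"{path[0]}/{path[1]}"
        # SecretAccessKey is only readable at creation; Outputs/UserData republish it.
        get_att = node.get("Fn::GetAtt")
        if isinstance(get_att, list) and get_att[-1:] == ["SecretAccessKey"]:
            findings.append(("secret-key-exposed", where))
        # Allow on every action and every resource is unrestricted administrative access.
        if (node.get("Effect") == "Allow" and "*" in _as_list(node.get("Action", []))
                and "*" in _as_list(node.get("Resource", []))):
            findings.append(("admin-wildcard", where))
    return findings
```

Run `find_findings(json.load(open("template.json")))` against a real template to get the same (finding, "Section/LogicalId") pairs; YAML templates need a parser that understands the `!GetAtt`/`!Ref` short forms first.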