Amazon Web Services Bootcamp

AWS CloudFormation

To create a role, we need to use the AWS::IAM::Role type as we've done in the following code:

"AmazonS3FullAccessRole": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Allow",
        "Principal": {
          "Service": ["ec2.amazonaws.com"]
        },
        "Action": ["sts:AssumeRole"]
      }]
    },
    "Path": "/",
    "Policies": [{
      "PolicyName": "S3FullAccessOnMyBucket2",
      "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{
          "Effect": "Allow",
          "Action": [
            "s3:*"
          ],
          "Resource": "arn:aws:s3:::my-bucket-2"
        }]
      }
    }],
    "ManagedPolicyArns": [{
      "Ref": "AmazonS3FullAccess"
    }],
    "RoleName": "AmazonS3FullAccessRole"
  }
}

The preceding CloudFormation template creates a role with access to the S3 bucket my-bucket-2. Because the AssumeRolePolicyDocument (the trust policy) names only the ec2.amazonaws.com service principal, the role can be assumed only by EC2 instances; the Policies block is the inline permissions policy, and ManagedPolicyArns attaches an additional managed policy referenced elsewhere in the template.
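A role definition like the one above has two halves that are worth checking separately before deployment: who may assume the role (the trust policy) and what the role may do (the permissions policies). The following Python script is an added example, not code from the book or from AWS; it embeds the page's role in a minimal constructed template (the ManagedPolicyArns entry is left out because it refers to a resource that is not shown) and runs a few review heuristics of my own over every AWS::IAM::Role in it: broad trust principals, wildcard actions, wildcard resources, and S3 statements whose Resource names only the bucket ARN, which covers bucket-level calls such as s3:ListBucket but not object-level calls such as s3:GetObject (those need the arn:aws:s3:::bucket/* form). A hardened variant with explicit actions and both ARN forms is built alongside it to show the checker returning no findings.

```python
import copy
import json

# Constructed sample: the page's role wrapped in a minimal template so the
# checker runs offline. ManagedPolicyArns is omitted because the page's
# "Ref": "AmazonS3FullAccess" points at a resource not included here.
TEMPLATE = json.loads(r'''
{
  "Resources": {
    "AmazonS3FullAccessRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": ["ec2.amazonaws.com"]},
            "Action": ["sts:AssumeRole"]
          }]
        },
        "Path": "/",
        "Policies": [{
          "PolicyName": "S3FullAccessOnMyBucket2",
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
              "Effect": "Allow",
              "Action": ["s3:*"],
              "Resource": "arn:aws:s3:::my-bucket-2"
            }]
          }
        }],
        "RoleName": "AmazonS3FullAccessRole"
      }
    }
  }
}
''')

# Hardened variant (constructed): explicit actions, bucket ARN plus object ARN.
HARDENED = copy.deepcopy(TEMPLATE)
_stmt = HARDENED["Resources"]["AmazonS3FullAccessRole"]["Properties"]["Policies"][0][
    "PolicyDocument"]["Statement"][0]
_stmt["Action"] = ["s3:ListBucket", "s3:GetObject", "s3:PutObject"]
_stmt["Resource"] = ["arn:aws:s3:::my-bucket-2", "arn:aws:s3:::my-bucket-2/*"]


def as_list(value):
    """IAM documents accept a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trusted_principals(role_props):
    """Return (kind, value) pairs for every principal the trust policy lets assume the role."""
    out = []
    for stmt in as_list(role_props["AssumeRolePolicyDocument"]["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":                      # anonymous / any principal
            out.append(("*", "*"))
            continue
        for kind, vals in principal.items():      # e.g. "Service", "AWS", "Federated"
            for val in as_list(vals):
                out.append((kind, val))
    return out


def review_role(name, resource):
    """Apply the review heuristics to one AWS::IAM::Role; return a list of finding strings."""
    props = resource["Properties"]
    findings = []
    for kind, val in trusted_principals(props):
        if val == "*":
            findings.append(f"{name}: trust policy allows any principal to assume the role")
        elif kind == "AWS" and val.endswith(":root"):
            findings.append(f"{name}: trust policy allows every identity in account {val}")
    for pol in props.get("Policies", []):
        label = f"{name}/{pol['PolicyName']}"
        for stmt in as_list(pol["PolicyDocument"]["Statement"]):
            if stmt.get("Effect") != "Allow":
                continue
            actions = as_list(stmt.get("Action", []))
            resources = as_list(stmt.get("Resource", []))
            if any(a == "*" or a.endswith(":*") for a in actions):
                findings.append(f"{label}: wildcard action(s) {actions}")
            if "*" in resources:
                findings.append(f"{label}: statement applies to every resource")
            s3_arns = [r for r in resources if r.startswith("arn:aws:s3:::")]
            if s3_arns and not any("/" in r for r in s3_arns):
                findings.append(f"{label}: only bucket ARN(s) {s3_arns}; object-level actions "
                                f"such as s3:GetObject also need {s3_arns[0]}/*")
    return findings


def review_template(template):
    """Run review_role over every IAM role in a parsed CloudFormation template."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::IAM::Role":
            findings.extend(review_role(name, res))
    return findings


if __name__ == "__main__":
    for label, tpl in (("page template", TEMPLATE), ("hardened", HARDENED)):
        print(f"{label}: {review_template(tpl) or ['no findings']}")
```

Run against the page's role the checker reports two findings (the s3:* wildcard and the bucket-only ARN) and confirms the trust policy is limited to the EC2 service principal; the hardened variant produces none. The heuristics are deliberately simple and are not a substitute for IAM Access Analyzer policy validation, but they are cheap to run in a pipeline before a stack is created.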