3

I am editing my CloudFormation template, and AWS suddenly tells me that I need CAPABILITY_NAMED_IAM. I'm curious which change triggered this? When do I need CAPABILITY_NAMED_IAM?

What is a named IAM resource?

Previously I had already "named" my resources, e.g.

RoleName: !Sub '${PipelineName}-codebuild'

I wasn't required to add this capability, I think, until I added

Parameters:
  AppName:
    Type: String
    Description: Prefix for resources

Resources:
  LambdaRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref AppName

to my SAM application template. But aren't they the "same", apart from one using !Ref? Or maybe some other change triggered this?

For reference, my CodePipeline stack:

AWSTemplateFormatVersion: '2010-09-09'
Description: 'Skynet stack for CodePipeline'

Parameters:
  PipelineName:
    Type: String
    Description: Pipeline Name (Lower case only, since S3 bucket names can only have lowercase)
    Default: skynet-pipeline
  GitHubOwner:
    Type: String
    Description: GitHub Owner
    Default: 2359media
  GitHubRepo:
    Type: String
    Description: GitHub Repo
    Default: 'skynet'
  GitHubBranch:
    Type: String
    Description: GitHub Branch
    Default: master
  GitHubToken:
    Type: String
    Description: GitHub Token
    NoEcho: true

Resources:
  Pipeline:
    Type: AWS::CodePipeline::Pipeline
    Properties:
      Name: !Ref PipelineName
      RoleArn: !GetAtt [PipelineRole, Arn]
      ArtifactStore:
        Location: !Ref PipelineArtifactStore
        Type: S3
      DisableInboundStageTransitions: []
      Stages:
        - Name: GitHubSource
          Actions:
            - Name: Source
              ActionTypeId:
                Category: Source
                Owner: ThirdParty
                Version: 1
                Provider: GitHub
              Configuration:
                Owner: !Ref GitHubOwner
                Repo: !Ref GitHubRepo
                Branch: !Ref GitHubBranch
                OAuthToken: !Ref GitHubToken
              OutputArtifacts:
                - Name: SourceCode
        - Name: Build
          Actions:
            - Name: Lambda
              InputArtifacts:
                - Name: SourceCode
              OutputArtifacts:
                - Name: LambdaPackage
              ActionTypeId:
                Category: Build
                Owner: AWS
                Version: 1
                Provider: CodeBuild
              Configuration:
                ProjectName: !Ref CodeBuildLambda
        - Name: CreateChangeSet
          Actions:
            - Name: Lambda
              InputArtifacts:
                - Name: LambdaPackage
              OutputArtifacts:
                - Name: LambdaDeployment
              ActionTypeId:
                Category: Deploy
                Owner: AWS
                Version: 1
                Provider: CloudFormation
              Configuration:
                ActionMode: CHANGE_SET_REPLACE
                ChangeSetName: !Sub
                  - '${PipelineName}-lambda'
                  - {PipelineName: !Ref PipelineName}
                RoleArn: !GetAtt [CloudFormationRole, Arn]
                StackName: !Sub
                  - '${PipelineName}-lambda'
                  - {PipelineName: !Ref PipelineName}
                TemplatePath: 'LambdaPackage::SkynetLambdaPackaged.yml'
                Capabilities: CAPABILITY_NAMED_IAM
                ParameterOverrides: !Sub '{"AppName": "${PipelineName}-lambda"}'
        - Name: ExecuteChangeSet
          Actions:
            - Name: Lambda
              ActionTypeId:
                Category: Deploy
                Owner: AWS
                Version: 1
                Provider: CloudFormation
              Configuration:
                ActionMode: CHANGE_SET_EXECUTE
                ChangeSetName: !Sub
                  - '${PipelineName}-lambda'
                  - {PipelineName: !Ref PipelineName}
                StackName: !Sub
                  - '${PipelineName}-lambda'
                  - {PipelineName: !Ref PipelineName}

  CodeBuildLambda:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Sub '${PipelineName}-lambda'
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        ComputeType: BUILD_GENERAL1_SMALL
        Image: aws/codebuild/nodejs:7.0.0
        Type: LINUX_CONTAINER
        EnvironmentVariables:
          - Name: S3_BUCKET
            Value: !Ref PipelineArtifactStore
      ServiceRole: !Ref CodeBuildRole
      Source:
        BuildSpec: 'lambda/buildspec.yml'
        Type: CODEPIPELINE

  PipelineArtifactStore:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub '${PipelineName}-artifacts'
      VersioningConfiguration:
        Status: Enabled

  CodeBuildRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub '${PipelineName}-codebuild'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          Effect: Allow
          Principal:
            Service: codebuild.amazonaws.com
          Action: sts:AssumeRole
      Policies:
        - PolicyName: !Sub '${PipelineName}-codebuild'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Resource: 'arn:aws:logs:*:*:*'
                Action:
                  - 'logs:CreateLogGroup'
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
              - Effect: Allow
                Resource:
                  - !Sub 'arn:aws:s3:::codepipeline-${AWS::Region}-*/*'
                  - !Sub
                    - '${PipelineArtifactStoreArn}/*'
                    - {PipelineArtifactStoreArn: !GetAtt [PipelineArtifactStore, Arn]}
                Action:
                  - 's3:GetObject'
                  - 's3:GetObjectVersion'
                  - 's3:PutObject'

  CloudFormationRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub '${PipelineName}-cloudformation'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/AWSLambdaExecute'
      Policies:
        - PolicyName: !Sub '${PipelineName}-cloudformation'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Resource: '*'
                Action:
                  - 's3:GetObject'
                  - 's3:GetObjectVersion'
                  - 's3:GetBucketVersioning'
              - Effect: Allow
                Resource: 'arn:aws:s3:::codepipeline*'
                Action:
                  - 's3:PutObject'
              - Effect: Allow
                Resource: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:*'
                Action:
                  - 'lambda:*'
              - Effect: Allow
                Resource: !Sub 'arn:aws:apigateway:${AWS::Region}::*'
                Action:
                  - 'apigateway:*'
              - Effect: Allow
                Resource: '*'
                Action:
                  - 'lambda:CreateEventSourceMapping'
                  - 'lambda:DeleteEventSourceMapping'
                  - 'lambda:GetEventSourceMapping'
              - Effect: Allow
                Resource: '*'
                Action:
                  - 'iam:GetRole'
                  - 'iam:CreateRole'
                  - 'iam:DeleteRole'
                  - 'iam:PassRole'
                  - 'iam:AttachRolePolicy'
                  - 'iam:DetachRolePolicy'
                  - 'iam:DeleteRolePolicy'
                  - 'iam:PutRolePolicy'
              - Effect: Allow
                Resource: '*'
                Action:
                  - 'iam:PassRole'
              - Effect: Allow
                Resource: !Sub 'arn:aws:cloudformation:${AWS::Region}:aws:transform/Serverless-2016-10-31'
                Action:
                  - 'cloudformation:CreateChangeSet'

  PipelineRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub '${PipelineName}-pipeline'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action: ['sts:AssumeRole']
            Effect: Allow
            Principal:
              Service: [codepipeline.amazonaws.com]
      Path: /
      Policies:
        - PolicyName: SkynetPipeline
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Action:
                  - 's3:GetObject'
                  - 's3:GetObjectVersion'
                  - 's3:GetBucketVersioning'
                Effect: 'Allow'
                Resource: '*'
              - Action:
                  - 's3:PutObject'
                Effect: 'Allow'
                Resource:
                  - !GetAtt [PipelineArtifactStore, Arn]
              - Action:
                  - 'codecommit:CancelUploadArchive'
                  - 'codecommit:GetBranch'
                  - 'codecommit:GetCommit'
                  - 'codecommit:GetUploadArchiveStatus'
                  - 'codecommit:UploadArchive'
                Effect: 'Allow'
                Resource: '*'
              - Action:
                  - 'codedeploy:CreateDeployment'
                  - 'codedeploy:GetApplicationRevision'
                  - 'codedeploy:GetDeployment'
                  - 'codedeploy:GetDeploymentConfig'
                  - 'codedeploy:RegisterApplicationRevision'
                Effect: 'Allow'
                Resource: '*'
              - Action:
                  - 'elasticbeanstalk:*'
                  - 'ec2:*'
                  - 'elasticloadbalancing:*'
                  - 'autoscaling:*'
                  - 'cloudwatch:*'
                  - 's3:*'
                  - 'sns:*'
                  - 'cloudformation:*'
                  - 'rds:*'
                  - 'sqs:*'
                  - 'ecs:*'
                  - 'iam:PassRole'
                Effect: 'Allow'
                Resource: '*'
              - Action:
                  - 'lambda:InvokeFunction'
                  - 'lambda:ListFunctions'
                Effect: 'Allow'
                Resource: '*'
              - Action:
                  - 'opsworks:CreateDeployment'
                  - 'opsworks:DescribeApps'
                  - 'opsworks:DescribeCommands'
                  - 'opsworks:DescribeDeployments'
                  - 'opsworks:DescribeInstances'
                  - 'opsworks:DescribeStacks'
                  - 'opsworks:UpdateApp'
                  - 'opsworks:UpdateStack'
                Effect: 'Allow'
                Resource: '*'
              - Action:
                  - 'cloudformation:CreateStack'
                  - 'cloudformation:DeleteStack'
                  - 'cloudformation:DescribeStacks'
                  - 'cloudformation:UpdateStack'
                  - 'cloudformation:CreateChangeSet'
                  - 'cloudformation:DeleteChangeSet'
                  - 'cloudformation:DescribeChangeSet'
                  - 'cloudformation:ExecuteChangeSet'
                  - 'cloudformation:SetStackPolicy'
                  - 'cloudformation:ValidateTemplate'
                  - 'iam:PassRole'
                Effect: 'Allow'
                Resource: '*'
              - Action:
                  - 'codebuild:BatchGetBuilds'
                  - 'codebuild:StartBuild'
                Effect: 'Allow'
                Resource: '*'

Part of the SAM stack (sam.yml), as of recently:

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: 'Skynet. AWS Management Assistant'
Parameters:
  AppName:
    Type: String
    Description: Prefix for resources

Resources:
  LambdaRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref AppName
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
                - apigateway.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/AmazonEC2FullAccess'
        - 'arn:aws:iam::aws:policy/AWSLambdaFullAccess'
        - 'arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess'
        - 'arn:aws:iam::aws:policy/AmazonAPIGatewayInvokeFullAccess'
        - 'arn:aws:iam::aws:policy/CloudWatchLogsFullAccess'

Answers

3

When CAPABILITIES_IAM / CAPABILITIES_NAMED_IAM is required

According to the CloudFormation CreateStack Parameters, one of the changes for which you will need it is a template that includes any of the following:

AWS::IAM::AccessKey 
AWS::IAM::Group 
AWS::IAM::InstanceProfile 
AWS::IAM::Policy 
AWS::IAM::Role 
AWS::IAM::User 
AWS::IAM::UserToGroupAddition 

When to use CAPABILITIES_NAMED_IAM instead of CAPABILITIES_IAM

When any of your IAM resources has a custom name, such as RoleName, then CAPABILITIES_NAMED_IAM is required.

Why are these needed?

Capabilities ensure that you are aware that you are creating IAM resources that will modify the permissions in your account, and that you have reviewed those resources and their permissions as needed.

+0

So as long as I name my IAM resources, I need the named IAM capability, is that right? –

+0

Yes, as long as the CloudFormation stack has named IAM resources. –
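As an added example (not code from the question or from either answer), the Python script below, using only the standard library, applies the rule this answer states to a parsed template: it walks Resources, reports None, CAPABILITY_IAM or CAPABILITY_NAMED_IAM, and lists every IAM resource plus any Allow statement that pairs a wildcard action with Resource "*", which is what the capability acknowledgement is asking you to have reviewed. The template is handled as JSON (the YAML !Ref in the question becomes {"Ref": "AppName"}), so no YAML library is needed. The sample template is a constructed JSON rendering of the question's SAM LambdaRole with one inline statement added for the review function to flag; the custom-name property table and the AWS::IAM::ManagedPolicy entry are taken from the AWS CreateStack documentation, not from this page.

```python
"""Preflight: which IAM capability does a CloudFormation template need, and
which IAM resources and broad Allow statements should be reviewed first."""
import json
from typing import Any, Dict, Iterator, List, Optional, Tuple

# Resource types that need CAPABILITY_IAM: the list in the answer above, plus
# AWS::IAM::ManagedPolicy, which the current CreateStack docs also include.
IAM_RESOURCE_TYPES = {
    "AWS::IAM::AccessKey", "AWS::IAM::Group", "AWS::IAM::InstanceProfile",
    "AWS::IAM::ManagedPolicy", "AWS::IAM::Policy", "AWS::IAM::Role",
    "AWS::IAM::User", "AWS::IAM::UserToGroupAddition",
}

# Properties that give an IAM resource a custom name; setting any of them
# raises the requirement to CAPABILITY_NAMED_IAM. Taken from the AWS docs, not
# from the page. AWS::IAM::Policy's PolicyName names an inline policy and does
# not count, so it is deliberately absent here.
CUSTOM_NAME_PROPERTIES = {
    "AWS::IAM::Role": "RoleName",
    "AWS::IAM::User": "UserName",
    "AWS::IAM::Group": "GroupName",
    "AWS::IAM::InstanceProfile": "InstanceProfileName",
    "AWS::IAM::ManagedPolicy": "ManagedPolicyName",
}


def render(value: Any) -> str:
    """Compact rendering of a property value, intrinsic functions included.
    A name set through {"Ref": ...} or {"Fn::Sub": ...} is still a custom
    name, which answers the !Ref-versus-!Sub part of the question."""
    return json.dumps(value, separators=(",", ":"))


def required_capability(template: Dict[str, Any]) -> Tuple[Optional[str], List[str]]:
    """Return (capability, findings): None with no IAM resources,
    CAPABILITY_IAM for unnamed ones, CAPABILITY_NAMED_IAM once any IAM
    resource carries a custom name. findings lists each IAM resource."""
    capability: Optional[str] = None
    findings: List[str] = []
    for logical_id, resource in template.get("Resources", {}).items():
        rtype = resource.get("Type")
        if rtype not in IAM_RESOURCE_TYPES:
            continue
        props = resource.get("Properties") or {}
        name_prop = CUSTOM_NAME_PROPERTIES.get(rtype)
        if name_prop and name_prop in props:
            capability = "CAPABILITY_NAMED_IAM"
            findings.append(f"{logical_id} ({rtype}): {name_prop}={render(props[name_prop])}")
        else:
            capability = capability or "CAPABILITY_IAM"
            findings.append(f"{logical_id} ({rtype}): no custom name")
    return capability, findings


def _statements(node: Any) -> Iterator[Dict[str, Any]]:
    """Yield every statement found under any PolicyDocument in the tree."""
    if isinstance(node, dict):
        if "PolicyDocument" in node:
            stmts = node["PolicyDocument"].get("Statement", [])
            yield from (stmts if isinstance(stmts, list) else [stmts])
        for child in node.values():
            yield from _statements(child)
    elif isinstance(node, list):
        for child in node:
            yield from _statements(child)


def broad_allow_statements(template: Dict[str, Any]) -> List[Dict[str, List[str]]]:
    """Allow statements granting a wildcard action ("*" or "svc:*") on "*"."""
    flagged = []
    for stmt in _statements(template):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        resources = stmt.get("Resource", [])
        resources = resources if isinstance(resources, list) else [resources]
        if "*" in resources and any(a == "*" or a.endswith(":*") for a in actions):
            flagged.append({"Action": actions, "Resource": resources})
    return flagged


# Constructed sample: JSON rendering of the question's SAM LambdaRole, with
# one inline policy statement added so the review function has something to flag.
NAMED_TEMPLATE: Dict[str, Any] = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Transform": "AWS::Serverless-2016-10-31",
    "Parameters": {"AppName": {"Type": "String"}},
    "Resources": {"LambdaRole": {"Type": "AWS::IAM::Role", "Properties": {
        "RoleName": {"Ref": "AppName"},
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": {"Service": ["lambda.amazonaws.com"]},
             "Action": ["sts:AssumeRole"]}]},
        "ManagedPolicyArns": ["arn:aws:iam::aws:policy/AWSLambdaFullAccess"],
        "Policies": [{"PolicyName": "inline", "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "iam:PassRole"],
                           "Resource": "*"}]}}]}}},
}

# Same role without RoleName: CloudFormation generates the name, so only
# CAPABILITY_IAM is needed.
UNNAMED_TEMPLATE: Dict[str, Any] = json.loads(json.dumps(NAMED_TEMPLATE))
del UNNAMED_TEMPLATE["Resources"]["LambdaRole"]["Properties"]["RoleName"]

if __name__ == "__main__":
    for label, tpl in (("named", NAMED_TEMPLATE), ("unnamed", UNNAMED_TEMPLATE)):
        cap, notes = required_capability(tpl)
        print(f"{label}: capability={cap}")
        for note in notes:
            print("  ", note)
        for stmt in broad_allow_statements(tpl):
            print("   review:", render(stmt))
```

Run the check on a template before calling CreateStack or wiring it into a CodePipeline CloudFormation action, and pass only the capability it reports; a `review:` line is the statement to read before acknowledging.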

0

You added a resource of type AWS::IAM::Role to your Resources section. That tells CloudFormation to create an IAM role. To create IAM resources, you need to provide CAPABILITY_IAM or CAPABILITY_NAMED_IAM. This is your confirmation to CloudFormation that you know you are creating resources that affect the permissions in your AWS account.
