
How do I change the IAM role of the Lambda function in the CloudFormation template of an AWS CodeStar project?

I have created an AWS CodeStar project (web service, Lambda-based, Node.js). By default, AWS CodeStar generates the following CloudFormation template:

AWSTemplateFormatVersion: 2010-09-09
Transform:
- AWS::Serverless-2016-10-31
- AWS::CodeStar

Parameters:
  ProjectId:
    Type: String
    Description: AWS CodeStar projectID used to associate new resources to team members

Resources:
  HelloWorld:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.handler
      Runtime: nodejs4.3
      Role:
        Fn::ImportValue:
          !Join ['-', [!Ref 'ProjectId', !Ref 'AWS::Region', 'LambdaTrustRole']]
      Events:
        GetEvent:
          Type: Api
          Properties:
            Path: /
            Method: get
        PostEvent:
          Type: Api
          Properties:
            Path: /
            Method: post

Now I would like to replace this role with my own, because I need to add policies that let the Lambda function access other AWS resources. I am also removing the API Gateway, because I will add a scheduled trigger for the Lambda invocation later:

AWSTemplateFormatVersion: 2010-09-09
Transform:
- AWS::Serverless-2016-10-31
- AWS::CodeStar

Parameters:
  ProjectId:
    Type: String
    Description: AWS CodeStar projectID used to associate new resources to team members

Resources:
  HelloWorld:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.handler
      Runtime: nodejs4.3
      # Role expects the role ARN; !Ref on an AWS::IAM::Role returns only the role name
      Role: !GetAtt HelloWorldLambdaRole.Arn

  HelloWorldLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

However, when I commit and push these changes, AWS CodePipeline fails to update the CloudFormation stack:

CREATE_FAILED AWS::IAM::Role EchoLambdaRole API: iam:CreateRole User: arn:aws:sts::[accountId]:assumed-role/CodeStarWorker-[projectId]-CloudFormation/AWSCloudFormation is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::[accountId]:role/awscodestar-[projectId]-lambda-HelloWorldLambdaRole-ABCDEF123456 

Based on this feedback, I conclude that the CodeStarWorker-[projectId]-CloudFormation/AWSCloudFormation role does not have permission to create IAM roles. However, this role is hidden from my CloudFormation template, and my understanding is that it is set up automatically by CodeStar. As the AWS account administrator I could simply edit the relevant policy, but IMHO that is not the way to solve this problem.


Edit:

I have checked the IAM configuration in my account. An aws-codestar-service-role has been created, and it has the AWSCodeStarServiceRole policy attached, which contains the following statement (among other statements; see the link for details):

{
    "Sid": "ProjectWorkerRoles",
    "Effect": "Allow",
    "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:GetRole",
        "iam:PassRole",
        "iam:PutRolePolicy",
        "iam:SetDefaultPolicyVersion",
        "iam:CreatePolicy",
        "iam:DeletePolicy",
        "iam:AddRoleToInstanceProfile",
        "iam:CreateInstanceProfile",
        "iam:DeleteInstanceProfile",
        "iam:RemoveRoleFromInstanceProfile"
    ],
    "Resource": [
        "arn:aws:iam::*:role/CodeStarWorker*",
        "arn:aws:iam::*:policy/CodeStarWorker*",
        "arn:aws:iam::*:instance-profile/awscodestar-*"
    ]
},

There is also a CodeStarWorker-[projectId]-CloudFormation role with an inline policy named CodeStarWorkerCloudFormationRolePolicy that has the following configuration:

{
    "Statement": [
        {
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::aws-codestar-eu-west-1-[accountId]-[projectId]-pipeline",
                "arn:aws:s3:::aws-codestar-eu-west-1-[accountId]-[projectId]-pipeline/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "codestar:SyncResources",
                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:AddPermission",
                "lambda:UpdateFunction",
                "lambda:UpdateFunctionCode",
                "lambda:GetFunctionConfiguration",
                "lambda:UpdateFunctionConfiguration",
                "lambda:RemovePermission",
                "apigateway:*",
                "dynamodb:CreateTable",
                "dynamodb:DeleteTable",
                "dynamodb:DescribeTable",
                "kinesis:CreateStream",
                "kinesis:DeleteStream",
                "kinesis:DescribeStream",
                "sns:CreateTopic",
                "sns:DeleteTopic",
                "sns:ListTopics",
                "sns:GetTopicAttributes",
                "sns:SetTopicAttributes",
                "s3:CreateBucket",
                "s3:DeleteBucket"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::[accountId]:role/CodeStarWorker-[projectId]-Lambda"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "cloudformation:CreateChangeSet"
            ],
            "Resource": [
                "arn:aws:cloudformation:eu-west-1:aws:transform/Serverless-2016-10-31",
                "arn:aws:cloudformation:eu-west-1:aws:transform/CodeStar"
            ],
            "Effect": "Allow"
        }
    ]
}

Since I created the project, the CodeStar_[projectId]_Owner policy is attached directly to my user.


Edit 2:

Despite my own advice, I tried to update the inline CodeStarWorkerCloudFormationRolePolicy of the CodeStarWorker-[projectId]-CloudFormation role by adding the following policy statement:

{
    "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:DetachRolePolicy",
        "iam:GetRole",
        "iam:PassRole"
    ],
    "Resource": [
        "arn:aws:iam::699602212296:role/awscodestar-[projectId]-*"
    ],
    "Effect": "Allow"
}

However, this caused the following error in CloudFormation:

CREATE_FAILED AWS::CodeStar::SyncResources SyncResources123456789012 com.amazon.coral.service.InternalFailure 
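To reason about failures like the CREATE_FAILED above, it helps to evaluate the worker role's statements against the exact action and resource ARN named in the error. The following is an added example (not code from the question, from CodeStar or from AWS): a minimal IAM-style policy evaluator run over a constructed subset of the CodeStarWorkerCloudFormationRolePolicy quoted above and the statement from Edit 2, with constructed account and project values standing in for the post's [accountId] / [projectId] placeholders.

```python
import re

# Constructed stand-ins for the [accountId] / [projectId] placeholders in the post.
ACCOUNT, PROJECT = "123456789012", "myproj"
# Subset of the CodeStarWorker-<projectId>-CloudFormation inline policy quoted above.
WORKER_POLICY = {"Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["lambda:CreateFunction", "lambda:UpdateFunctionCode", "apigateway:*"]},
    {"Effect": "Allow", "Action": ["iam:PassRole"],
     "Resource": [f"arn:aws:iam::{ACCOUNT}:role/CodeStarWorker-{PROJECT}-Lambda"]},
]}
# The statement the question's Edit 2 appends to that inline policy.
EDIT2_STATEMENT = {"Effect": "Allow",
    "Action": ["iam:AttachRolePolicy", "iam:CreateRole", "iam:DeleteRole",
               "iam:DetachRolePolicy", "iam:GetRole", "iam:PassRole"],
    "Resource": [f"arn:aws:iam::{ACCOUNT}:role/awscodestar-{PROJECT}-*"]}
# Role ARN shape from the CREATE_FAILED message (random suffix constructed).
NEW_ROLE_ARN = (f"arn:aws:iam::{ACCOUNT}:role/awscodestar-{PROJECT}-lambda-"
                "HelloWorldLambdaRole-ABCDEF123456")
ROLE_CREATE_ACTIONS = ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PassRole"]

def _glob(pattern, value, ignore_case):
    """IAM-style wildcard: '*' matches any run, '?' one char, all else literal
    (so a '[' in an ARN is not a character class, as it would be with fnmatch)."""
    parts = [re.escape(p).replace(r"\?", ".") for p in pattern.split("*")]
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(".*".join(parts), value, flags) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def is_allowed(policy, action, resource):
    """Minimal identity-policy evaluation: explicit Deny wins, else any matching Allow.
    Actions match case-insensitively, resources case-sensitively; Condition,
    NotAction and NotResource are not handled."""
    allowed = False
    for st in policy["Statement"]:
        if not any(_glob(p, action, True) for p in _as_list(st["Action"])):
            continue
        if not any(_glob(p, resource, False) for p in _as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def missing_actions(policy, actions, resource):
    """Actions CloudFormation would need on `resource` that the policy does not grant."""
    return [a for a in actions if not is_allowed(policy, a, resource)]
```

Running `missing_actions(WORKER_POLICY, ROLE_CREATE_ACTIONS, NEW_ROLE_ARN)` lists all three actions as missing, because the only IAM grant is PassRole scoped to the CodeStarWorker-[projectId]-Lambda role; appending EDIT2_STATEMENT to the policy makes the list empty, which matches why the first error disappeared and a different (SyncResources) failure surfaced.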

Answer

1

The CodeStar service uses a service role named aws-codestar-service-role with the following statements. You may need to modify this service role if you want the project's dynamically created worker roles to inherit the IAM role creation actions. Otherwise, CodeStar may overwrite your changes.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ProjectStack",
            "Effect": "Allow",
            "Action": [
                "cloudformation:*Stack*",
                "cloudformation:GetTemplate"
            ],
            "Resource": [
                "arn:aws:cloudformation:*:*:stack/awscodestar-*",
                "arn:aws:cloudformation:*:*:stack/awseb-*"
            ]
        },
        {
            "Sid": "ProjectStackTemplate",
            "Effect": "Allow",
            "Action": [
                "cloudformation:GetTemplateSummary",
                "cloudformation:DescribeChangeSet"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ProjectQuickstarts",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::awscodestar-*/*"
            ]
        },
        {
            "Sid": "ProjectS3Buckets",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::aws-codestar-*",
                "arn:aws:s3:::aws-codestar-*/*",
                "arn:aws:s3:::elasticbeanstalk-*",
                "arn:aws:s3:::elasticbeanstalk-*/*"
            ]
        },
        {
            "Sid": "ProjectServices",
            "Effect": "Allow",
            "Action": [
                "codestar:*Project",
                "codestar:*Resource*",
                "codestar:List*",
                "codestar:Describe*",
                "codestar:Get*",
                "codestar:AssociateTeamMember",
                "codecommit:*",
                "codepipeline:*",
                "codedeploy:*",
                "codebuild:*",
                "ec2:RunInstances",
                "autoscaling:*",
                "cloudwatch:Put*",
                "ec2:*",
                "elasticbeanstalk:*",
                "elasticloadbalancing:*",
                "iam:ListRoles",
                "logs:*",
                "sns:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ProjectWorkerRoles",
            "Effect": "Allow",
            "Action": [
                "iam:AttachRolePolicy",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy",
                "iam:GetRole",
                "iam:PassRole",
                "iam:PutRolePolicy",
                "iam:SetDefaultPolicyVersion",
                "iam:CreatePolicy",
                "iam:DeletePolicy",
                "iam:AddRoleToInstanceProfile",
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile"
            ],
            "Resource": [
                "arn:aws:iam::*:role/CodeStarWorker*",
                "arn:aws:iam::*:policy/CodeStarWorker*",
                "arn:aws:iam::*:instance-profile/awscodestar-*"
            ]
        },
        {
            "Sid": "ProjectTeamMembers",
            "Effect": "Allow",
            "Action": [
                "iam:AttachUserPolicy",
                "iam:DetachUserPolicy"
            ],
            "Resource": "*",
            "Condition": {
                "ArnEquals": {
                    "iam:PolicyArn": [
                        "arn:aws:iam::*:policy/CodeStar_*"
                    ]
                }
            }
        },
        {
            "Sid": "ProjectRoles",
            "Effect": "Allow",
            "Action": [
                "iam:CreatePolicy",
                "iam:DeletePolicy",
                "iam:CreatePolicyVersion",
                "iam:DeletePolicyVersion",
                "iam:ListEntitiesForPolicy",
                "iam:ListPolicyVersions"
            ],
            "Resource": [
                "arn:aws:iam::*:policy/CodeStar_*"
            ]
        },
        {
            "Sid": "InspectServiceRole",
            "Effect": "Allow",
            "Action": [
                "iam:ListAttachedRolePolicies"
            ],
            "Resource": [
                "arn:aws:iam::*:role/aws-codestar-service-role"
            ]
        }
    ]
}

See also http://docs.aws.amazon.com/codestar/latest/userguide/access-permissions.html but, as you may have guessed, this is fairly new and the documentation does not cover your use case.

+0

Could you please elaborate? I don't understand how I am supposed to modify the service role. I do have an 'aws-codestar-service-role' (see my edit), and I have verified that it has 'iam:CreateRole' (and 'iam:DeleteRole') as part of the "ProjectWorkerRoles" Sid, as suggested in your answer. – matsev

+0

Hi matsev, it looks like the ProjectWorker IAM roles created by CodeStar do not inherit any create or delete role actions, since the policy already has PassRole but it is not passed through, so my suggestion above will not help. Based on your edits, I would suggest raising a support ticket with AWS (sorry). – NHol