I generate a CloudFormation (CFn) template with CDK and upload it to an S3 bucket; a Lambda function then points at that template in S3 and creates a CFn stack, which in turn creates an IAM policy.
I want the {accountId} referenced inside the IAM policy to be filled with the value that the Lambda passes as a stack parameter, but I get the following error:
The policy failed legacy parsing (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 4c8c12b2-2bdc-4d80-a282-03bf0cc04270; Proxy: null)
How should I change the CDK code?
The CDK code, the CFn template and the Lambda code are shown below.
CDK

```python
from constructs import Construct
from aws_cdk import (
    Duration,
    ScopedAws,
    Stack,
    CfnParameter,
    aws_iam as iam,
)


class SampleStack(Stack):

    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)
        # Stack parameter that the Lambda supplies via create_stack(Parameters=...)
        accountId = CfnParameter(self, "accountId")
        cfn_managed_policy = iam.CfnManagedPolicy(self, "MyCfnManagedPolicy",
            policy_document={
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Condition": {
                            "StringEquals": {
                                # plain string: "{accountId}" is emitted into the template as-is
                                "iam:PermissionsBoundary": "arn:aws:iam::{accountId}:policy/iam-create"
                            }
                        },
                        "Action": [
                            "iam:CreateUser",
                            "iam:DeleteUserPolicy",
                            "iam:UpdateUser",
                            "iam:AttachUserPolicy",
                            "iam:DetachUserPolicy",
                            "iam:PutUserPolicy",
                            "iam:PutUserPermissionsBoundary"
                        ],
                        "Resource": "*",
                        "Effect": "Allow"
                    },
                    {
                        "Action": [
                            "iam:Get*",
                            "iam:List*",
                            "iam:DeleteUser",
                            "iam:*Group*",
                            "iam:CreatePolicy",
                            "iam:CreateLoginProfile",
                            "iam:CreateAccessKey",
                            "iam:DeletePolicy",
                            "iam:DeletePolicyVersion",
                            "iam:DeleteLoginProfile",
                            "iam:DeleteAccessKey",
                            "iam:SetDefaultPolicyVersion",
                            "iam:SimulatePrincipalPolicy",
                            "iam:SimulateCustomPolicy"
                        ],
                        "Resource": "*",
                        "Effect": "Allow"
                    },
                    {
                        "Action": [
                            "iam:CreatePolicyVersion",
                            "iam:DeletePolicy",
                            "iam:DeletePolicyVersion",
                            "iam:DeleteUserPermissionsBoundary",
                            "iam:SetDefaultPolicyVersion"
                        ],
                        "Resource": [
                            "arn:aws:iam::{accountId}:policy/iam-create"
                        ],
                        "Effect": "Deny"
                    },
                    {
                        "Effect": "Deny",
                        "Action": "s3:*",
                        "Resource": "*"
                    }
                ]
            },
            managed_policy_name="managedPolicyName"
        )
```
Lambda

```python
import boto3

cfn_client = boto3.client("cloudformation")

# stack_name, template_url (the synthesized template in S3) and event
# are provided by the surrounding handler code.
response = cfn_client.create_stack(
    StackName=stack_name,
    TemplateURL=template_url,
    Parameters=[
        {
            'ParameterKey': 'accountId',
            'ParameterValue': event.get('account_id'),
            # 'UsePreviousValue': True|False,
            # 'ResolvedValue': 'string'
        },
    ],
    Capabilities=[
        'CAPABILITY_NAMED_IAM'  # required because managed_policy_name is set
    ]
)
```
CFn template (excerpt)

```yaml
Parameters:
  accountId:
    Type: String
  BootstrapVersion:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /cdk-bootstrap/hnb659fds/version
    Description: Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]
Resources:
  MyCfnManagedPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Condition:
              StringEquals:
                iam:PermissionsBoundary: arn:aws:iam::{accountId}:policy/iam-create
            Action:
              - iam:CreateUser
              - iam:DeleteUserPolicy
              - iam:UpdateUser
              - iam:AttachUserPolicy
              - iam:DetachUserPolicy
              - iam:PutUserPolicy
              - iam:PutUserPermissionsBoundary
            Resource: "*"
            Effect: Allow
          - Action:
              - iam:Get*
              - iam:List*
              - iam:DeleteUser
              - iam:*Group*
              - iam:CreatePolicy
              - iam:CreateLoginProfile
              - iam:CreateAccessKey
              - iam:DeletePolicy
              - iam:DeletePolicyVersion
              - iam:DeleteLoginProfile
              - iam:DeleteAccessKey
              - iam:SetDefaultPolicyVersion
              - iam:SimulatePrincipalPolicy
              - iam:SimulateCustomPolicy
            Resource: "*"
            Effect: Allow
          - Action:
              - iam:CreatePolicyVersion
              - iam:DeletePolicy
              - iam:DeletePolicyVersion
              - iam:DeleteUserPermissionsBoundary
              - iam:SetDefaultPolicyVersion
            Resource:
              - arn:aws:iam::{accountId}:policy/iam-create
```
Addendum
I confirmed that it works when I change the CFn template as shown below, but how can `!Sub` be written in CDK?
CFn template (excerpt)

```yaml
Parameters:
  accountId:
    Type: String
  BootstrapVersion:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /cdk-bootstrap/hnb659fds/version
    Description: Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]
Resources:
  MyCfnManagedPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Condition:
              StringEquals:
                iam:PermissionsBoundary: !Sub arn:aws:iam::${accountId}:policy/iam-create
            Action:
              - iam:CreateUser
              - iam:DeleteUserPolicy
              - iam:UpdateUser
              - iam:AttachUserPolicy
              - iam:DetachUserPolicy
              - iam:PutUserPolicy
              - iam:PutUserPermissionsBoundary
            Resource: "*"
            Effect: Allow
          - Action:
              - iam:Get*
              - iam:List*
              - iam:DeleteUser
              - iam:*Group*
              - iam:CreatePolicy
              - iam:CreateLoginProfile
              - iam:CreateAccessKey
              - iam:DeletePolicy
              - iam:DeletePolicyVersion
              - iam:DeleteLoginProfile
              - iam:DeleteAccessKey
              - iam:SetDefaultPolicyVersion
              - iam:SimulatePrincipalPolicy
              - iam:SimulateCustomPolicy
            Resource: "*"
            Effect: Allow
          - Action:
              - iam:CreatePolicyVersion
              - iam:DeletePolicy
              - iam:DeletePolicyVersion
              - iam:DeleteUserPermissionsBoundary
              - iam:SetDefaultPolicyVersion
            Resource:
              - !Sub arn:aws:iam::${accountId}:policy/iam-create
```

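As an added illustration (not from the question, CDK or CloudFormation itself): a small Python model of how CloudFormation treats the two template forms above, resolving `Ref` and `Fn::Sub` from the stack Parameters that the Lambda passes and then flagging any IAM ARN whose account field never became a 12-digit account id, which is what the `MalformedPolicyDocument` error quoted above is about. The resolver, the `IAM_ARN` pattern and the sample account id are assumptions constructed for this example.

```python
import re

# Minimal resolver for the two CloudFormation intrinsics used in the templates
# above. A plain string is returned untouched, which is why the literal
# "{accountId}" in the first template reaches IAM unchanged.
def resolve(node, params):
    if isinstance(node, dict) and "Ref" in node:
        return params[node["Ref"]]
    if isinstance(node, dict) and "Fn::Sub" in node:
        return re.sub(r"\$\{(\w+)\}", lambda m: params[m.group(1)], node["Fn::Sub"])
    if isinstance(node, dict):
        return {k: resolve(v, params) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, params) for v in node]
    return node

# Assumed shape of a valid IAM ARN for this check: a 12-digit account id
# (or "aws" for AWS-managed policies) in the account field.
IAM_ARN = re.compile(r"^arn:aws:iam::(\d{12}|aws):.+$")

def bad_arns(node):
    """Collect every IAM ARN in a resolved policy whose account field is malformed."""
    if isinstance(node, dict):
        return [a for v in node.values() for a in bad_arns(v)]
    if isinstance(node, list):
        return [a for v in node for a in bad_arns(v)]
    if isinstance(node, str) and node.startswith("arn:aws:iam:") and not IAM_ARN.match(node):
        return [node]
    return []

def check(statements, params):
    """Resolve the statements with the given stack parameters, then list malformed ARNs."""
    return bad_arns(resolve(statements, params))

# Constructed excerpts of the affected statements from the two templates.
LITERAL = [  # first template: plain strings, so no substitution happens
    {"Condition": {"StringEquals": {"iam:PermissionsBoundary": "arn:aws:iam::{accountId}:policy/iam-create"}}},
    {"Effect": "Deny", "Resource": ["arn:aws:iam::{accountId}:policy/iam-create"]},
]
SUBBED = [  # second template: what `!Sub` (or aws_cdk.Fn.sub(...) in CDK) expands to
    {"Condition": {"StringEquals": {"iam:PermissionsBoundary": {"Fn::Sub": "arn:aws:iam::${accountId}:policy/iam-create"}}}},
    {"Effect": "Deny", "Resource": [{"Fn::Sub": "arn:aws:iam::${accountId}:policy/iam-create"}]},
]
PARAMS = {"accountId": "123456789012"}  # constructed sample value for the Lambda's parameter

if __name__ == "__main__":
    print("literal template:", check(LITERAL, PARAMS))  # two unresolved ARNs
    print("Fn::Sub template:", check(SUBBED, PARAMS))   # []
```

Running `check` on the rendered template before calling `create_stack` catches the unresolved placeholder locally instead of waiting for IAM to reject the stack.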
1 answer