无法将资源添加到CloudFormation模板

问题描述 投票:0回答:1

我有一个 CloudFormation 模板。问题区域是最后一个资源语句,但我不明白为什么。

AWSTemplateFormatVersion: "2010-09-09"
Description: CloudFormation Template for Amazon Cognito

Resources:

  DummyIdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      AllowUnauthenticatedIdentities: false
      IdentityPoolName: Dummy

  DummyUserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      DeletionProtection: 'ACTIVE'
      EnabledMfas:
        - 'SMS_MFA' #SMS_MFA can only be enabled if SMS configuration is provided.
      MfaConfiguration: 'ON'
      SmsConfiguration:
        ExternalId: Test
        SnsCallerArn: !GetAtt SnsSmsCallerRole.Arn
        SnsRegion: !Ref AWS::Region

  SnsSmsCallerRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: cognito-idp.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: CognitoSNSPublish
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - sns:Publish
                Resource:
                  - Fn::Sub: arn:aws:sns:*:*:*

当我将“CognitoSNSPublish”策略下的资源设置为通配符(如 

Resource: *
)时,模板就会部署,并且它可以工作,可以部署。 问题是,当我将资源更改为特定的时,例如 
Resource: arn:aws:sns:*:*:*
Resource: arn:aws:sns:sns:*:*
Resource: arn:aws:sns:<my-region>:*:*
Resource: arn:aws:sns:<my-region>:<my-account-id>:*
,它会失败并出现以下错误:

Resource handler returned message: "Role does not have permission to publish with SNS (Service: CognitoIdentityProvider, Status Code: 400, Request ID: 338a4-9de1-47f0536218f0)" (RequestToken: 101a93b5-q0lo-5e4c-810d-lol22j2nsa2, HandlerErrorCode: InvalidRequest)
amazon-web-services aws-cloudformation amazon-cognito amazon-iam
1个回答
0
投票

sns:Publish
动作仅适用于 
sns
。它不能与任何其他服务一起使用。因此 
Resource: *
将有效地将您的行动限制为仅 
sns

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.