Cannot substitute correctly in CloudFormation with Fn::Sub or !Sub

Question  Votes: 0  Answers: 1

I have tried several ways to substitute values into the following IAM role for the EBS CSI driver service account, but I keep getting either a format error or an invalid substitution.

What I tried:

  EBSCSIDriverRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Federated: !Ref EKSClusterOIDCProvider
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals: !Sub
                - '${OIDCProvider}:sub': 'system:serviceaccount:kube-system:ebs-csi-controller-sa'
                - OIDCProvider: !GetAtt EKSCluster.OpenIdConnectIssuerUrl
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy

Or using Fn::Sub

EBSCSIDriverRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Federated: !Ref EKSClusterOIDCProvider
          Action: sts:AssumeRoleWithWebIdentity
          Condition:
            StringEquals:
              Fn::Sub: 
                - "${OIDCProvider}:sub"
                - OIDCProvider: !Ref EKSClusterOIDCProvider
              : "system:serviceaccount:kube-system:ebs-csi-controller-sa"
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy

Everything gives me

Template error: One or more Fn::Sub intrinsic functions don't specify expected arguments. Specify a string as first argument, and an optional second argument to specify a mapping of values to replace in the string

I double-checked the documentation: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-sub.html

I also tried using just a string, for example:

            Condition:
              StringEquals: !Sub
                - "${OIDCProvider}:sub: system:serviceaccount:kube-system:ebs-csi-controller-sa"
                - OIDCProvider: !GetAtt EKSCluster.OpenIdConnectIssuerUrl

While this no longer throws a format error, it fails when I deploy the CloudFormation update:

Resource handler returned message: "Syntax error at position (1,210) (Service: Iam, Status Code: 400, Request ID: 397c0cf6-8576-4e8c-ada3-682b23b782e0)" (RequestToken: 582869e7-cba5-4c3c-7418-fcf5845c4eb1, HandlerErrorCode: InvalidRequest)

I also tried a few other combinations of patterns, with no success. Can anyone shed some light on this?

Thanks in advance!

amazon-web-services yaml aws-cloudformation substitution
1 answer
0 votes

I found a workaround, because the StringEquals attribute in the Condition needs a dynamic value, as in the following special case: oidc.eks.${AWS::Region}.amazonaws.com/id/$some_id:sub

This is unusual and specific to this case, as far as I can tell.

What works:

EBSCSIDriverRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument: !Sub
        - |
          {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Effect": "Allow",
                "Principal": {
                  "Federated": "${OIDCProviderArn}"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                  "StringEquals": {
                    "${OIDCProviderUrl}:sub": "system:serviceaccount:kube-system:ebs-csi-controller-sa"
                  }
                }
              }
            ]
          }
        - OIDCProviderArn: !Ref EKSClusterOIDCProvider
          OIDCProviderUrl: 
            !Select 
              - 1
              - !Split ["https://", !GetAtt EKSCluster.OpenIdConnectIssuerUrl]
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy
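The following is an added example, not code from the question or the answer above. It emulates offline what CloudFormation does with the answer's template (Fn::Sub over a JSON string, with Select/Split stripping the `https://` scheme from the issuer URL) and then checks the rendered trust policy the way a reviewer would: the StringEquals block must be a key/value map, the `<issuer>:sub` key must carry no URL scheme (the cause of the IAM "Syntax error" in the question), and the `sub` value must pin the role to the exact Kubernetes service account. The OIDC provider ARN and issuer URL are constructed placeholders, not real identifiers. For contrast, it also renders the question's third attempt, which collapses the condition into one string and keeps the scheme in the key.

```python
import json
import re

# Constructed placeholder values standing in for what CloudFormation would resolve
# at deploy time; they are not real account or cluster identifiers.
SAMPLE_OIDC_PROVIDER_ARN = (
    "arn:aws:iam::111122223333:oidc-provider/"
    "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEOIDCID"
)
SAMPLE_ISSUER_URL = "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEOIDCID"
EXPECTED_SA = "system:serviceaccount:kube-system:ebs-csi-controller-sa"

# The JSON trust policy from the answer, with the same ${...} placeholders.
TRUST_POLICY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Federated": "${OIDCProviderArn}" },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${OIDCProviderUrl}:sub": "system:serviceaccount:kube-system:ebs-csi-controller-sa"
        }
      }
    }
  ]
}"""


def fn_sub(template, variables):
    """Minimal stand-in for Fn::Sub: replace every ${Name} with variables[Name]."""
    return re.sub(r"\$\{([A-Za-z0-9:.]+)\}",
                  lambda m: str(variables[m.group(1)]), template)


def issuer_host_and_path(issuer_url):
    """Stand-in for !Select [1, !Split ["https://", url]]: drop the scheme."""
    return issuer_url.split("https://")[1]


def render_trust_policy(provider_arn, issuer_url):
    """Render the answer's trust policy to a dict, as IAM would receive it."""
    body = fn_sub(TRUST_POLICY_TEMPLATE, {
        "OIDCProviderArn": provider_arn,
        "OIDCProviderUrl": issuer_host_and_path(issuer_url),
    })
    return json.loads(body)


def render_string_attempt(issuer_url):
    """Render the question's third attempt: one string instead of a key/value map."""
    return fn_sub(
        "${OIDCProvider}:sub: system:serviceaccount:kube-system:ebs-csi-controller-sa",
        {"OIDCProvider": issuer_url},
    )


def check_irsa_trust(policy, expected_sa):
    """Return the problems found in an IRSA trust policy (empty list means it passes)."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        equals = stmt.get("Condition", {}).get("StringEquals")
        if not isinstance(equals, dict):
            problems.append("StringEquals must be a map of condition key to value")
            continue
        sub_keys = [k for k in equals if k.endswith(":sub")]
        if not sub_keys:
            problems.append("no <issuer>:sub condition; the role is not pinned to a service account")
        for key in sub_keys:
            issuer = key[: -len(":sub")]
            if issuer.startswith("https://"):
                problems.append(f"condition key {key!r} carries a URL scheme; IAM expects host/path only")
            if equals[key] != expected_sa:
                problems.append(f"sub is {equals[key]!r}, expected {expected_sa!r}")
    return problems


if __name__ == "__main__":
    rendered = render_trust_policy(SAMPLE_OIDC_PROVIDER_ARN, SAMPLE_ISSUER_URL)
    print(json.dumps(rendered, indent=2))
    print("answer's policy problems:", check_irsa_trust(rendered, EXPECTED_SA))
    print("third attempt renders to:", render_string_attempt(SAMPLE_ISSUER_URL))
```

Running the script prints the policy exactly as IAM receives it, which is the quickest way to see why the first two attempts cannot work: a YAML mapping key cannot be an intrinsic function, so the only place the issuer can be substituted into the key position is inside a string that is parsed as JSON afterwards, which is what the answer does.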