我正在尝试创建一个具有云形成的模板,该模板设置一个负载均衡器,将日志写入S3存储桶.我想限制只PutObject访问负载均衡器帐户或服务,而不是给所有人(例如*)提供完全访问权限:
{
"Resources": {
"LoggingBucketPolicy": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": {
"Ref": "LoggingBucket"
},
"PolicyDocument": {
"Action": [
"s3:PutObject"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:s3:::",
{
"Ref": "LoggingBucket"
},
"/*"
]
]
},
"Principal": {
"Ref": "ElasticLoadBalancingAccountID" //How do I set this dynamically?
}
}
}
}
}
}
该文档提供了各个地区的ELB实例的帐户ID.但是,我正在创建的模板具有可用区参数,用户可以在其中选择可用区来部署堆栈.所以我理想的做法是ref在我的存储桶策略中有一些变量,它根据可用区获取负载均衡器的帐户ID.
我还查看了官方文档中的示例,但确实使用的一个示例Ref并没有真正定义变量.
我该如何实现这一目标?
编辑:我的意思是可用区而不是区域.输入参数为用户提供区域中可用区域的下拉.
我想到了.它不是真正的动态,但比直接硬编码id更好.根据亚马逊重新发明的演示文稿,正确的方法是首先定义映射:
{
"Mappings": {
"RegionalConfigs": {
"us-east-1": {
"AMI": "",
"ELBAccountId": "127311923021",
"ArnPrefix": "arn:aws:"
},
"us-west-1": {
"AMI": "",
"ELBAccountId": "027434742980",
"ArnPrefix": "arn:aws:"
},
"us-west-2": {
"AMI": "",
"ELBAccountId": "797873946194",
"ArnPrefix": "arn:aws:"
}
}
}
}
然后在策略中使用它:
{
"Resources": {
"LoggingBucketPolicy": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"PolicyDocument": {
"Version": "",
"Resource": {
"Fn::Join": [
"",
[
{
"Fn::FindInMap": [
"RegionalConfigs",
{
"Ref": "AWS::Region"
},
"ArnPrefix"
]
},
"s3:::",
{
"Ref": "LoggingBucket"
},
"/",
"Logs",
"/AWSLogs/",
{
"Ref": "AWS::AccountId"
},
"/*"
]
]
},
"Principal": {
"AWS": {
"Fn::FindInMap": [
"RegionalConfigs",
{
"Ref": "AWS::Region"
},
"ELBAccountId"
]
}
},
"Action": [
"s3:PutObject"
]
},
"Bucket": {
"Ref": "LoggingBucket"
}
}
}
}
}
京公网安备 11010802040832号 | 京ICP备19059560号-6 
