English:
How do I make Cloudformation give more verbose debugging output?
Question
I'm attempting to automate creation of some IAM policies (technically, these are KMS key policies, but I think that doesn't matter in this case) in Cloudformation in a way that avoids any real hard-coded strings. However, this entails a lot of Joins and References, and while I can validate that the yaml is well-formed and the stack will execute, it fails and the policy that is being generated is returning the MalformedPolicyDocument Exception.
Is it possible to have Cloudformation print or log the resultant policy it generates so that I can see what the discrepancy is?
Here's a small snippet, I've double-checked that the parameters referenced here are defined correctly:
```yaml
- Sid: "Allow security roles in all accounts to encrypt data"
  Effect: "Allow"
  Principal:
    AWS:
      - !Join
        - ''
        - - 'arn:aws:iam::'
          - !Ref "AWS::AccountId"
          - ':role/'
          - !Ref SecurityRolePrefix
      - !Join
        - ''
        - - 'arn:aws:iam::'
          - !Ref AdditionalAccount1
          - ':role/'
          - !Ref SecurityRolePrefix
      - !Join
        - ''
        - - 'arn:aws:iam::'
          - !Ref AdditionalAccount2
          - ':role/'
          - !Ref SecurityRolePrefix
  Action: "kms:GenerateDataKey*"
  Resource: '*'
```
Answer 1
Score: 2
Fn::Sub has easier syntax than Fn::Join if you're joining with empty strings:

```yaml
!Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${SecurityRolePrefix}
```

The CloudFormation Linter and its Visual Studio Code extension can help you debug while you write your template.
You can also see the exact API calls CloudFormation made in CloudTrail.
Some resources like EC2 and Lambda resources may also emit CloudWatch logs.
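The question asks to see the policy CloudFormation actually renders, and CloudFormation does not expose that. The following is an added example, not code from the question, the answer or AWS: it resolves the intrinsic functions used above (Ref, Fn::Join and Fn::Sub, in their JSON long form, which is what the YAML short tags compile to) against a hypothetical parameter set so the effective policy JSON can be read and sanity-checked offline. It also builds the same ARN the answer's Fn::Sub form and the question's Fn::Join form and confirms they render identically, and it flags a principal that renders into a malformed role ARN, which is what happens when a parameter such as AdditionalAccount2 is left blank. All account IDs and the SecurityAuditRole prefix in PARAMS are made-up sample values. One caveat that the rendered text cannot show: KMS checks that every IAM principal named in a key policy exists when the policy is put, so a correctly formed ARN for a role that has not been created yet is also rejected with the same MalformedPolicyDocument error.

```python
"""Render a CloudFormation policy fragment locally so the effective JSON
can be read before the stack is deployed.

Added example, not part of the original question or answer. CloudFormation
does not expose the rendered policy, so this resolves Ref / Fn::Join /
Fn::Sub against a hypothetical parameter set. Every value in PARAMS is a
constructed sample; none of the account IDs are real."""
import json
import re

# Constructed stand-ins for stack parameters and pseudo-parameters.
PARAMS = {
    "AWS::AccountId": "111111111111",
    "AWS::Partition": "aws",
    "AWS::Region": "us-east-1",
    "AdditionalAccount1": "222222222222",
    "AdditionalAccount2": "333333333333",
    "SecurityRolePrefix": "SecurityAuditRole",
}

_SUB_VAR = re.compile(r"\$\{([^}]+)\}")
# Shape of an IAM role ARN. A blank account parameter renders
# "arn:aws:iam:::role/..." which fails this pattern.
_ROLE_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]+$")


def resolve(node, params):
    """Recursively replace Ref / Fn::Join / Fn::Sub (JSON long form) with strings."""
    if isinstance(node, list):
        return [resolve(n, params) for n in node]
    if not isinstance(node, dict):
        return node
    if len(node) == 1 and "Ref" in node:
        name = node["Ref"]
        if name not in params:
            raise KeyError(f"unresolved Ref: {name}")
        return params[name]
    if len(node) == 1 and "Fn::Join" in node:
        delimiter, parts = node["Fn::Join"]
        parts = resolve(parts, params)
        if not all(isinstance(p, str) for p in parts):
            raise ValueError("Fn::Join parts must resolve to strings")
        return delimiter.join(parts)
    if len(node) == 1 and "Fn::Sub" in node:
        template, local = node["Fn::Sub"], {}
        if isinstance(template, list):  # [template, {local variables}] form
            template, local = template[0], resolve(template[1], params)
        scope = {**params, **local}

        def lookup(match):
            name = match.group(1)
            if name.startswith("!"):  # ${!Name} is CloudFormation's literal escape
                return "${" + name[1:] + "}"
            if name not in scope:
                raise KeyError(f"unresolved Fn::Sub variable: {name}")
            return scope[name]

        return _SUB_VAR.sub(lookup, template)
    return {key: resolve(value, params) for key, value in node.items()}


def role_arn_join(account_ref):
    """The question's !Join construction, written in JSON long form."""
    return {"Fn::Join": ["", ["arn:aws:iam::", {"Ref": account_ref},
                              ":role/", {"Ref": "SecurityRolePrefix"}]]}


def role_arn_sub(account_ref):
    """The same ARN using the answer's Fn::Sub form."""
    return {"Fn::Sub": "arn:${AWS::Partition}:iam::${%s}:role/${SecurityRolePrefix}"
            % account_ref}


def statement(arn_builder):
    """The statement from the question, with principals built by arn_builder."""
    return {
        "Sid": "Allow security roles in all accounts to encrypt data",
        "Effect": "Allow",
        "Principal": {"AWS": [arn_builder("AWS::AccountId"),
                              arn_builder("AdditionalAccount1"),
                              arn_builder("AdditionalAccount2")]},
        "Action": "kms:GenerateDataKey*",
        "Resource": "*",
    }


STATEMENT_JOIN = statement(role_arn_join)
STATEMENT_SUB = statement(role_arn_sub)


def malformed_principals(rendered_statement):
    """Return rendered AWS principals that are not well-formed role ARNs."""
    principals = rendered_statement["Principal"]["AWS"]
    if isinstance(principals, str):
        principals = [principals]
    return [p for p in principals if not _ROLE_ARN.match(p)]


def render_policy(statements, params):
    """Resolve every statement and return the policy document as JSON text."""
    doc = {"Version": "2012-10-17", "Statement": resolve(statements, params)}
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    print(render_policy([STATEMENT_JOIN], PARAMS))
    # Simulate a parameter left blank: the ARN still renders, but is invalid.
    broken = resolve(STATEMENT_JOIN, {**PARAMS, "AdditionalAccount2": ""})
    print("malformed principals:", malformed_principals(broken))
```

Run it with the parameter values you pass to the real stack (or the defaults from the template) and compare the printed principals against the roles that actually exist in each account; the regex check catches blank or mistyped parameters, and the principal list tells you which role ARNs KMS will look up.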
Comments