How do I define "assume_role_policy" in terraform?

Ant*_*ong 0 terraform terraform-provider-aws

This is my aws_iam_role definition in terraform:

resource "aws_iam_role" "server_role" {
  name = "server-role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "sts:AssumeEnvironment",
        "sqs:ChangeMessageVisibility",
        "sqs:ReceiveMessage",
        "sqs:SendMessage",
        "s3:GetObject*",
        "s3:ListBucket*",
        "s3:PutBucket*",
        "s3:PutObject*"
      ],
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

But when I try to run terraform plan I get this error:

Error: Error applying plan:

1 error(s) occurred:

  * aws_iam_role.server_role: 1 error(s) occurred:

  * aws_iam_role.server_role: Error creating IAM Role server-role: MalformedPolicyDocument: AssumeRole policy may only specify STS AssumeRole actions. status code: 400, request id: 55f1bfaf-a121-11e9-acaf-bb57d635757b

I basically want the server to read/write an S3 bucket and read/write SQS queues.

Apparently I can't add those sqs:* and s3:* actions in the same place. How can I do this in terraform?

Rya*_*Kim 8

You are confusing IAM policies with IAM assume role policies. Try the following. It creates an IAM instance profile for EC2 that you can attach to your EC2 instance.

resource "aws_iam_role" "server_role" {
  name = "server-role"

  path = "/"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

resource "aws_iam_policy" "server_policy" {
  name        = "server_policy"
  path        = "/"
  description = "TBD"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "sqs:ChangeMessageVisibility",
        "sqs:ReceiveMessage",
        "sqs:SendMessage",
        "s3:GetObject*",
        "s3:ListBucket*",
        "s3:PutBucket*",
        "s3:PutObject*"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

resource "aws_iam_role_policy_attachment" "server_policy" {
  role       = aws_iam_role.server_role.name
  policy_arn = aws_iam_policy.server_policy.arn
}

resource "aws_iam_instance_profile" "server" {
  name = "server_profile"
  role = aws_iam_role.server_role.name
}
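The same split between the trust policy (who may assume the role) and the permissions policy (what the role may do), as an added example that is not part of the answer above: it uses the aws_iam_policy_document data source instead of heredoc JSON, so Terraform validates the document before it reaches IAM, and it scopes the S3 and SQS permissions to one bucket and one queue rather than "*". The bucket and queue ARNs in the locals block are constructed placeholders.

```hcl
locals {
  bucket_arn = "arn:aws:s3:::example-server-bucket"               # constructed placeholder
  queue_arn  = "arn:aws:sqs:us-east-1:123456789012:example-queue" # constructed placeholder
}

# Trust policy: the only action that belongs here is sts:AssumeRole.
data "aws_iam_policy_document" "server_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

# Permissions policy: S3 and SQS actions, limited to the named resources.
data "aws_iam_policy_document" "server_permissions" {
  statement {
    sid       = "ListBucket"
    effect    = "Allow"
    actions   = ["s3:ListBucket"]
    resources = [local.bucket_arn]
  }
  statement {
    sid       = "ObjectAccess"
    effect    = "Allow"
    actions   = ["s3:GetObject", "s3:PutObject"]
    resources = ["${local.bucket_arn}/*"]
  }
  statement {
    sid       = "QueueAccess"
    effect    = "Allow"
    actions   = ["sqs:ReceiveMessage", "sqs:SendMessage", "sqs:ChangeMessageVisibility"]
    resources = [local.queue_arn]
  }
}

resource "aws_iam_role" "server_role" {
  name               = "server-role"
  assume_role_policy = data.aws_iam_policy_document.server_trust.json
}

# Inline role policy; an aws_iam_policy plus attachment works equally well.
resource "aws_iam_role_policy" "server_permissions" {
  name   = "server-permissions"
  role   = aws_iam_role.server_role.name
  policy = data.aws_iam_policy_document.server_permissions.json
}
```

Attach the role to an instance profile exactly as in the answer above; the instance then receives credentials via the trust policy and can only call the listed S3 and SQS actions on the two named resources.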