djs*_*dog 5 amazon-web-services amazon-iam terraform amazon-ecr terraform-provider-aws
在这个答案的后面,我试图创建一个aws_iam_role允许访问 ECR 的。但是,当我定义以下内容时:
resource "aws_iam_role" "jenkins_ecr_role" {
name = "JenkinsECRRole"
assume_role_policy = <<END_OF_POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ecr.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
END_OF_POLICY
}
我收到错误:
Error: Error creating IAM Role JenkinsECRRole:
MalformedPolicyDocument: Invalid principal in policy: "SERVICE":"*"
ecr.amazonaws.com根据 AWS 文档,它看起来是一个有效的委托人。我究竟做错了什么?
我认为您正在尝试授予 EC2 访问 ECR 的权限。为此,您需要为 ECR 创建 IAM 策略并为 EC2 创建 IAM 角色并将该角色附加到该策略。
请参考这段代码:
resource "aws_iam_role" "role" {
name = "test-role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
resource "aws_iam_policy" "policy" {
name = "test-policy"
description = "A test policy"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ecr:*",
"cloudtrail:LookupEvents"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
EOF
}
resource "aws_iam_role_policy_attachment" "test-attach" {
role = "${aws_iam_role.role.name}"
policy_arn = "${aws_iam_policy.policy.arn}"
}
希望能帮助到你。
| 归档时间: |
|
| 查看次数: |
5262 次 |
| 最近记录: |