Tags: amazon-s3 amazon-web-services terraform assume-role
For a few days I have been trying to crack this puzzle, without any joy. Basically, Terraform is unable to assume the role and fails:
```text
Initializing the backend...
2019/10/28 09:13:09 [DEBUG] New state was assigned lineage "136dca1a-b46b-1e64-0ef2-efd6799b4ebc"
2019/10/28 09:13:09 [INFO] Setting AWS metadata API timeout to 100ms
2019/10/28 09:13:09 [INFO] Ignoring AWS metadata API endpoint at default location as it doesn't return any instance-id
2019/10/28 09:13:09 [INFO] AWS Auth provider used: "SharedCredentialsProvider"
2019/10/28 09:13:09 [INFO] Attempting to AssumeRole arn:aws:iam::72xxxxxxxxxx:role/terraform-admin-np (SessionName: "terra_cnp", ExternalId: "", Policy: "")

Error: The role "arn:aws:iam::72xxxxxxxxxx:role/terraform-admin-np" cannot be assumed.

  There are a number of possible causes of this - the most common are:
  * The credentials used in order to assume the role are invalid
  * The credentials do not have appropriate permission to assume the role
  * The role ARN is not valid
```

I have the role `terraform-admin-np` with two AWS managed policies, `AmazonS3FullAccess` and `AdministratorAccess`, and this trust relationship:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::72xxxxxxxxxx:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

Then I have a user:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TfFullAccessSts",
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole",
        "sts:DecodeAuthorizationMessage",
        "sts:AssumeRoleWithSAML",
        "sts:AssumeRoleWithWebIdentity"
      ],
      "Resource": "*"
    },
    {
      "Sid": "TfFullAccessAll",
      "Effect": "Allow",
      "Action": "*",
      "Resource": [
        "*",
        "arn:aws:ec2:region:account:network-interface/*"
      ]
    }
  ]
}
```

and an S3 bucket, `txxxxxxxxxxxxxxte`, with this policy document attached:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TFStateListBucket",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::72xxxxxxxxxx:root"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::txxxxxxxxxxxxxxte"
    },
    {
      "Sid": "TFStateGetPutObject",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::72xxxxxxxxxx:root"
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::txxxxxxxxxxxxxxte/*"
    }
  ]
}
```

Snippet from `provider.tf`:
```hcl
###---- Default Backend and Provider config values -----------###
terraform {
  required_version = ">= 0.12"
  backend "s3" {
    encrypt = true
  }
}

provider "aws" {
  region  = var.region
  version = "~> 2.20"
  profile = var.profile
  assume_role {
    role_arn     = var.role_arn
    session_name = var.session_name
  }
}
```

Backend config snippet, `tgw_cnp.tfvars`:
```hcl
## S3 backend config
key          = "backend/tgw_cnp_state"
bucket       = "txxxxxxxxxxxxxxte"
region       = "us-east-2"
profile      = "local-tgw"
role_arn     = "arn:aws:iam::72xxxxxxxxxx:role/terraform-admin-np"
session_name = "terra_cnp"
```

Then I run it like this:
```sh
TF_LOG=debug terraform init -backend-config=tgw_cnp.tfvars
```

With this setup, I can assume the role using the AWS CLI without any problem:
```text
# aws --profile local-tgw sts assume-role --role-arn "arn:aws:iam::72xxxxxxxxxx:role/terraform-admin-np" --role-session-name AWSCLI
{
  "Credentials": {
    "AccessKeyId": "AXXXXXXXXXXXXXXXXXXA",
    "SecretAccessKey": "UixxxxxxxxxxxxxxxxxxxxxxxxxxxxMt",
    "SessionToken": "FQoGZXIvYXdzEJb//////////wEaD......./5LFwNWf6riiNw9vtBQ==",
    "Expiration": "2019-10-28T13:39:41Z"
  },
  "AssumedRoleUser": {
    "AssumedRoleId": "AROA2P7ZON5TSWMOBQEBC:AWSCLI",
    "Arn": "arn:aws:sts::72xxxxxxxxxx:assumed-role/terraform-admin-np/AWSCLI"
  }
}
```

But terraform fails with the error above. Any idea what I am doing wrong?
OK, answering my own question... it works now. I made a silly mistake: a wrong `region` in `tgw_cnp.tfvars`, which I kept missing. With the AWS CLI it worked without any problem because I didn't have to specify the region (it is taken from the profile), but in TF I specified the region with the wrong value, so it failed. The suggestions in the error report are a bit misleading.
I can confirm the config above works fine. All good now.
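Since the "cannot be assumed" message hides a plain configuration typo, a cheap preflight on the `-backend-config` file catches it before `terraform init` is run. The following is an added example, not the asker's code: `parse_tfvars`, `preflight` and the `KNOWN_REGIONS` allow-list are hypothetical names, and the sample tfvars (with a deliberately malformed region) is constructed for illustration.

```python
import re

# Constructed sample of a -backend-config tfvars file (not the asker's real values);
# the region is deliberately malformed to show what the check reports.
SAMPLE_TFVARS = """\
# S3 backend config
key          = "backend/tgw_cnp_state"
bucket       = "txxxxxxxxxxxxxxte"
region       = "us-east-2a"
profile      = "local-tgw"
role_arn     = "arn:aws:iam::123456789012:role/terraform-admin-np"
session_name = "terra_cnp"
"""

# Hypothetical allow-list: the regions this team actually deploys to.
KNOWN_REGIONS = {"us-east-1", "us-east-2", "us-west-2", "eu-west-1"}
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
REQUIRED = ("bucket", "key", "region", "role_arn")


def parse_tfvars(text):
    """Parse simple `key = "value"` lines; comments and blank lines are ignored."""
    values = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, raw = line.partition("=")
        values[key.strip()] = raw.strip().strip('"')
    return values


def preflight(values, bucket_region=None):
    """Return the problems that would make the backend fail before the
    assume-role step gets a fair chance. bucket_region, if given, is the
    bucket's real location (e.g. from `aws s3api get-bucket-location`)."""
    problems = []
    for key in REQUIRED:
        if not values.get(key):
            problems.append(f"missing {key}")
    region = values.get("region", "")
    if region and region not in KNOWN_REGIONS:
        problems.append(f"region {region!r} is not a known region")
    if bucket_region and region and region != bucket_region:
        problems.append(f"region {region!r} does not match bucket region {bucket_region!r}")
    arn = values.get("role_arn", "")
    if arn and not ROLE_ARN_RE.match(arn):
        problems.append(f"role_arn {arn!r} is not a valid IAM role ARN")
    return problems
```

Run the check against the real tfvars file and the bucket's actual location before invoking Terraform; an empty list means the values at least look consistent, while a non-empty one points at the misconfiguration the STS error message would have blamed on credentials.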