How do I attach multiple IAM roles to an instance profile on AWS?

Mia*_*ian 2 amazon-ec2 amazon-iam terraform terraform-provider-aws

I am creating the IAM resources and the EC2 instance with Terraform, as shown below.

I want to attach a role named ec2_role to that EC2 instance profile. But it seems that only one role can be attached with aws_iam_instance_profile.

resource "aws_instance" "this" {
  # ..
  iam_instance_profile    = aws_iam_instance_profile.this.name
}

resource "aws_iam_instance_profile" "this" {
  name = "ec2-profile"
  role = aws_iam_role.ec2_role.name
}

Regarding ec2_role, it uses ec2_role_policy. But if I set source_json = data.aws_iam_policy.amazon_ssm_managed_instance_core.policy inside data "aws_iam_policy_document" "ec2_role_policy" { ... }, it throws an error.

resource "aws_iam_role" "ec2_role" {
  name               = "ec2-role"
  assume_role_policy = data.aws_iam_policy_document.ec2_role_policy.json
}

resource "aws_iam_policy" "ec2_policy" {
  name   = "ec2-policy"
  policy = data.aws_iam_policy_document.ec2_use_role_policy.json
}

resource "aws_iam_role_policy_attachment" "attach" {
  role       = aws_iam_role.ec2_role.name
  policy_arn = aws_iam_policy.ec2_policy.arn
}

data "aws_iam_policy" "amazon_ssm_managed_instance_core" {
  arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

data "aws_iam_policy_document" "ec2_role_policy" {
  source_json = data.aws_iam_policy.amazon_ssm_managed_instance_core.policy

  statement {                                   # Doc A
    effect = "Allow"
    principals {
      identifiers = ["ec2.amazonaws.com"]
      type        = "Service"
    }
    actions = ["sts:AssumeRole"]
  }
}

data "aws_iam_policy_document" "ec2_use_role_policy" {
  statement {
    effect    = "Allow"
    actions   = ["sts:AssumeRole"]
    resources = ["arn:aws:iam::12313113231:role/s3-role"]
  }
}

The error message is:

Error: Error creating IAM Role ec2-role: MalformedPolicyDocument: Has prohibited field Resource
    status code: 400, request id: 1111111-3333-2222-4444-2131331312

  with aws_iam_role.ec2_role,
  on main.tf line 10, in resource "aws_iam_role" "ec2_role":
   10: resource "aws_iam_role" "ec2_role" {

If I remove source_json = data.aws_iam_policy.amazon_ssm_managed_instance_core.policy from ec2_role_policy, it works. But how can I set it together with Doc A?

小智 5

Although a role can be included in multiple instance profiles, an instance profile can contain only one IAM role. This limit of one role per instance profile cannot be increased. You can remove the existing role and then add a different role to the instance profile. You must then wait for the change to appear across all of AWS because of eventual consistency. To force the change, you must disassociate the instance profile and then associate the instance profile again, or you can stop the instance and then restart it. See the following documentation for further queries: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html


yda*_*coR 5

As @hars34 mentioned in their answer, an instance profile can only contain one role, but that role can have multiple policies attached. But that is not what you are doing there, and it is not what the error is complaining about.

Instead, you seem to be confusing the role's assume_role_policy (also known as the "trust policy", which controls which IAM principals are allowed to use the role, such as other AWS services or different AWS accounts, etc.) with the role's permission policy, which controls what actions the role is allowed to perform (such as reading and writing an S3 bucket).

In the assume_role_policy/trust policy document, you must specify a valid trust policy, which must contain a Principal block and cannot contain a Resource block, which is what your error message complains about:

Error: Error creating IAM Role ec2-role: MalformedPolicyDocument: Has prohibited field Resource
    status code: 400, request id: 1111111-3333-2222-4444-2131331312

because you have concatenated the trust policy that allows the EC2 instance to assume the role with the permission policy (the AmazonSSMManagedInstanceCore managed policy pulled in through source_json), which contains a Resource block.

If you want the role to be able to use the arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore policy and also be able to assume the arn:aws:iam::12313113231:role/s3-role role (although it would be more normal to grant the permissions directly to the role rather than using role chaining, and, if this involves cross-account access to use an S3 bucket, to allow the role with a bucket policy), then you should do this:

resource "aws_iam_role" "ec2_role" {
  name               = "ec2-role"
  assume_role_policy = data.aws_iam_policy_document.ec2_assume_role_policy.json
}

resource "aws_iam_policy" "ec2_permission_policy" {
  name   = "ec2-policy"
  policy = data.aws_iam_policy_document.ec2_permission_policy.json
}

resource "aws_iam_role_policy_attachment" "attach" {
  role       = aws_iam_role.ec2_role.name
  policy_arn = aws_iam_policy.ec2_permission_policy.arn
}

data "aws_iam_policy" "amazon_ssm_managed_instance_core" {
  arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

data "aws_iam_policy_document" "ec2_assume_role_policy" {
  statement {
    effect = "Allow"
    principals {
      identifiers = ["ec2.amazonaws.com"]
      type        = "Service"
    }
    actions = ["sts:AssumeRole"]
  }
}

data "aws_iam_policy_document" "ec2_permission_policy" {
  source_json = data.aws_iam_policy.amazon_ssm_managed_instance_core.policy

  statement {
    effect    = "Allow"
    actions   = ["sts:AssumeRole"]
    resources = ["arn:aws:iam::12313113231:role/s3-role"]
  }
}
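Added example, not code from the question or either answer: a small Python linter that applies the two field rules the answer above relies on (a trust policy names a Principal and may not carry Resource; an identity-based permission policy names a Resource and may not carry Principal) and then rebuilds the mistake from the question by merging a permission document into a trust document, the way source_json did. The sample documents are constructed here; the permission document is a cut-down stand-in for AmazonSSMManagedInstanceCore, not that managed policy's real text, and merge_policy_documents is a simplified emulation of the provider's source_json merge (an assumption, good enough to show why the mixed document is rejected).

```python
"""Lint IAM policy JSON for the trust-vs-permission mix-up before terraform apply.

Added example; not from the original post. Sample documents below are constructed.
"""
import json
from typing import Any

# Field rules that IAM enforces per policy kind (the question's error,
# "Has prohibited field Resource", is the trust-policy half of this table).
PROHIBITED_IN_TRUST = {"Resource", "NotResource"}
PROHIBITED_IN_PERMISSION = {"Principal", "NotPrincipal"}


def _statements(doc: dict) -> list:
    """IAM allows Statement to be one object or a list; normalise to a list."""
    stmts = doc.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def _as_list(value: Any) -> list:
    """Action may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def lint_trust_policy(doc: dict) -> list[str]:
    """Problems that would make IAM reject this document as an assume_role_policy."""
    problems = []
    for i, s in enumerate(_statements(doc)):
        bad = sorted(PROHIBITED_IN_TRUST & s.keys())
        if bad:
            problems.append(f"statement {i}: has prohibited field {', '.join(bad)}")
        if not ({"Principal", "NotPrincipal"} & s.keys()):
            problems.append(f"statement {i}: trust policy statement needs a Principal")
        if not any(a.startswith("sts:") for a in _as_list(s.get("Action"))):
            problems.append(f"statement {i}: trust policy action should be an sts: action such as sts:AssumeRole")
    return problems


def lint_permission_policy(doc: dict) -> list[str]:
    """Problems that would make IAM reject this document as an identity-based policy."""
    problems = []
    for i, s in enumerate(_statements(doc)):
        bad = sorted(PROHIBITED_IN_PERMISSION & s.keys())
        if bad:
            problems.append(f"statement {i}: has prohibited field {', '.join(bad)}")
        if not ({"Resource", "NotResource"} & s.keys()):
            problems.append(f"statement {i}: identity-based policy statement needs a Resource")
    return problems


def merge_policy_documents(base: dict, extra_statements: list) -> dict:
    """Simplified emulation (assumption) of source_json: statements from the data
    source are appended to the base document, and a statement whose Sid matches a
    base statement replaces it."""
    merged = {k: v for k, v in base.items() if k != "Statement"}
    by_sid, unnamed = {}, []
    for s in _statements(base) + list(extra_statements):
        if "Sid" in s:
            by_sid[s["Sid"]] = s
        else:
            unnamed.append(s)
    merged["Statement"] = list(by_sid.values()) + unnamed
    return merged


# Constructed sample documents (not copied from AWS).
TRUST_DOC = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Stand-in for AmazonSSMManagedInstanceCore plus the s3-role chaining statement.
PERMISSION_DOC = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "SsmCore", "Effect": "Allow",
         "Action": ["ssm:UpdateInstanceInformation", "ssmmessages:CreateControlChannel"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::12313113231:role/s3-role"},
    ],
}


def reproduce_question() -> dict[str, list[str]]:
    """Lint each document in its proper slot, then the mixed document the question built."""
    mixed = merge_policy_documents(PERMISSION_DOC, _statements(TRUST_DOC))
    return {
        "trust_as_trust": lint_trust_policy(TRUST_DOC),
        "permission_as_permission": lint_permission_policy(PERMISSION_DOC),
        "mixed_as_trust": lint_trust_policy(mixed),
    }


if __name__ == "__main__":
    print(json.dumps(reproduce_question(), indent=2))
```

To run this against a real configuration, evaluate data.aws_iam_policy_document.ec2_role_policy.json in terraform console, paste the JSON into json.loads, and pass the result to lint_trust_policy; the rendered permission document goes to lint_permission_policy. Catching the prohibited-field mix locally is cheaper than discovering it as a 400 from CreateRole mid-apply.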