How to give Terraform different AWS credentials for the S3 backend and for EC2 using role_arn

Ran*_*uru 6 amazon-s3 amazon-ec2 amazon-web-services terraform terraform-provider-aws

I want to store the Terraform state file in an S3 bucket in one AWS account and use role_arn to deploy instance changes in a different AWS account. This is my configuration:

providers.tf

```hcl
terraform {
  backend "s3" {
    bucket = "bucket"
    key = "tf/terraform.tfstate"
    encrypt = "false"
    region = "us-east-1"
    profile = "s3"
    role_arn = "arn:aws:iam::1111111111111:role/s3-role"
    dynamodb_table = "name"
  }
}

provider "aws" {
  profile = "ec2"
  region = "eu-north-1"
  assume_role {
    role_arn = "arn:aws:iam::2222222222222:role/ec2-role"
  }
}
```

~/.aws/credentials

```ini
[s3-def]
aws_access_key_id = aaaaaaaaaa
aws_secret_access_key = sssssssss
[ec2-def]
aws_access_key_id = aaaaaaa
aws_secret_access_key = sssss
[s3]
role_arn = arn:aws:iam::1111111111:role/s3-role
region = us-east-1
source_profile = s3-def
[ec2]
role_arn = arn:aws:iam::22222222222:role/ec2-role
region = eu-north-1
source_profile = ec2-def
```

When I try `terraform init -migrate-state`, I get:

```
2022-08-03T17:23:21.334+0300 [INFO]  Terraform version: 1.2.5
2022-08-03T17:23:21.334+0300 [INFO]  Go runtime version: go1.18.1
2022-08-03T17:23:21.334+0300 [INFO]  CLI args: []string{"terraform", "init", "-migrate-state"}
2022-08-03T17:23:21.334+0300 [INFO]  Loading CLI configuration from /
2022-08-03T17:23:21.335+0300 [INFO]  CLI command args: []string{"init", "-migrate-state"}

Initializing the backend...
2022-08-03T17:23:21.337+0300 [WARN]  backend config has changed since last init
Backend configuration changed!

Terraform has detected that the configuration specified for the backend
has changed. Terraform will now check for existing state in the backends.

2022-08-03T17:23:21.338+0300 [INFO]  Attempting to use session-derived credentials
╷
│ Error: error configuring S3 Backend: no valid credential sources for S3 Backend found.
│ 
│ Please see https://www.terraform.io/docs/language/settings/backends/s3.html
│ for more information about providing credentials.
│ 
│ Error: NoCredentialProviders: no valid providers in chain. Deprecated.
```

I just don't understand what this error means. Is it even possible to provide two different sets of credentials, one for S3 and one for EC2?


小智 0

Your problem seems to be that you cannot authenticate to manage the remote state. Don't try to handle resources in other accounts until you have a basic `terraform init` working.

Once that works, use provider aliases to access multiple accounts: https://developer.hashicorp.com/terraform/language/providers/configuration#alias-multiple-provider-configurations
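As an added example (not from the question or the answer above), this is one way to lay out the two-account setup the answer describes: the backend authenticates with the state account's plain credentials profile and performs its own role assumption, while an aliased provider assumes the workload-account role for resources. It assumes the account IDs, role names and `~/.aws/credentials` profile names from the question; the AMI id is a placeholder.

```hcl
# Added example, not the asker's configuration. Account IDs, role names and
# profile names are taken from the question; "ami-PLACEHOLDER" is not a real AMI.
terraform {
  backend "s3" {
    bucket         = "bucket"
    key            = "tf/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "name"
    # Authenticate with the static-key profile and let the backend itself
    # assume the state-account role, instead of pointing "profile" at an
    # assume-role profile.
    profile  = "s3-def"
    role_arn = "arn:aws:iam::1111111111111:role/s3-role"
  }
}

# Default provider: state-account credentials. Keep this role scoped to the
# state bucket and lock table only; it should not be able to touch workloads.
provider "aws" {
  profile = "s3-def"
  region  = "us-east-1"
}

# Aliased provider for the workload account. Every resource that belongs
# there selects it explicitly with `provider = aws.ec2`.
provider "aws" {
  alias   = "ec2"
  profile = "ec2-def"
  region  = "eu-north-1"
  assume_role {
    role_arn     = "arn:aws:iam::2222222222222:role/ec2-role"
    session_name = "terraform-ec2" # recorded in CloudTrail, useful for attribution
  }
}

resource "aws_instance" "example" {
  provider      = aws.ec2
  ami           = "ami-PLACEHOLDER" # placeholder value
  instance_type = "t3.micro"
}
```

Run `terraform init` before adding any aliased resources so that a backend credential problem surfaces on its own, separately from provider authentication.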