Bun*_*ker 0 amazon-web-services amazon-iam terraform terraform-provider-aws
I am trying to add the following policy to an IAM user with Terraform. How do I add the account ID to the policy for the upload user?
```hcl
resource "aws_iam_user" "product_upload_user" {
  name = "cc-${terraform.workspace}-product-upload-user"
}

resource "aws_iam_user_policy" "allow_upload" {
  user   = aws_iam_user.product_upload_user.name
  policy = data.aws_iam_policy_document.allow_upload.json
}

data "aws_iam_policy_document" "allow_upload" {
  statement {
    sid     = "STSToken"
    effect  = "Allow"
    actions = ["sts:GetFederationToken"]
    # resources = ["arn:aws:sts::${aws_iam_user.product_upload_user.<account_id>}:federated-user/S3UploadWebToken"]
  }
}
```
I am trying to implement the policy from this tutorial: https://next-s3-upload.codingvalue.com/setup
You can use the Terraform data source aws_caller_identity. The data source has an exported account_id attribute. This also avoids hard-coding the account ID into your code. I have added the extra pieces to your code so you can test it.
```hcl
resource "aws_iam_user" "product_upload_user" {
  name = "cc-${terraform.workspace}-product-upload-user"
}

resource "aws_iam_user_policy" "allow_upload" {
  user   = aws_iam_user.product_upload_user.name
  policy = data.aws_iam_policy_document.allow_upload.json
}

data "aws_iam_policy_document" "allow_upload" {
  statement {
    sid       = "STSToken"
    effect    = "Allow"
    actions   = ["sts:GetFederationToken"]
    resources = ["arn:aws:sts::${data.aws_caller_identity.current.account_id}:federated-user/S3UploadWebToken"]
  }
}

data "aws_caller_identity" "current" {}
```
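The same pattern, extended a little, as an added example that is not part of the question or the answer above. It uses `aws_caller_identity` for the account ID and `aws_partition` for the partition prefix, so nothing about the account is hard-coded, and it adds the S3 statement the upload user needs: a federated user obtained through `sts:GetFederationToken` can never do more than the calling IAM user is allowed to do (the effective permissions are the intersection of the user's policies and the session policy), so the user itself must hold the upload permission, scoped to one bucket. The variable `upload_bucket_name` and the bucket it names are assumptions for the example; the outputs exist only so the rendered values can be inspected with `terraform plan` or `terraform console`.

```hcl
# Added example, not code from the question, the answer or the linked tutorial.
# Assumption: var.upload_bucket_name names an existing bucket managed elsewhere.

variable "upload_bucket_name" {
  type        = string
  description = "S3 bucket that upload tokens are scoped to (assumed, not managed here)"
}

# Account ID and partition come from the credentials Terraform runs with,
# so the same module works in any account and in GovCloud / China partitions.
data "aws_caller_identity" "current" {}
data "aws_partition" "current" {}

locals {
  federated_user_arn = "arn:${data.aws_partition.current.partition}:sts::${data.aws_caller_identity.current.account_id}:federated-user/S3UploadWebToken"
  upload_bucket_arn  = "arn:${data.aws_partition.current.partition}:s3:::${var.upload_bucket_name}"
}

resource "aws_iam_user" "product_upload_user" {
  name = "cc-${terraform.workspace}-product-upload-user"
}

resource "aws_iam_user_policy" "allow_upload" {
  user   = aws_iam_user.product_upload_user.name
  policy = data.aws_iam_policy_document.allow_upload.json
}

data "aws_iam_policy_document" "allow_upload" {
  # Only the one federated-user name used by the upload tokens may be minted.
  statement {
    sid       = "STSToken"
    effect    = "Allow"
    actions   = ["sts:GetFederationToken"]
    resources = [local.federated_user_arn]
  }

  # The federated session can only use permissions this user already has,
  # so grant the upload right here, limited to objects in the one bucket.
  statement {
    sid       = "S3Upload"
    effect    = "Allow"
    actions   = ["s3:PutObject"]
    resources = ["${local.upload_bucket_arn}/*"]
  }
}

# Inspect the resolved ARN and the rendered JSON before applying.
output "federated_user_arn" {
  value = local.federated_user_arn
}

output "allow_upload_policy_json" {
  value = data.aws_iam_policy_document.allow_upload.json
}
```

Running `terraform plan` shows the resolved `federated_user_arn` with the real account ID filled in, since both data sources are known at plan time; if the ID is wrong, Terraform is authenticating to a different account than you expect, which is worth catching before the user and its policy are created.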
Views: 1277