How do I set up an IAM role in AWS with Terraform?
Since I'm new to Terraform and have been stuck for almost a day, I'd like to ask you for help.
When trying to deploy an Nginx service to ECS (EC2 launch type) on AWS using IaC, I ran into the following problem:

```
Error: Error creating IAM Role nginx-iam_role: MalformedPolicyDocument: Has prohibited field Resource status code: 400,request id: 0f1696f4-d86b-4ad1-ba3b-9453f3beff2b
```

I've checked the documentation and the syntax is fine. What else could be wrong?
Here is the snippet that creates the IAM resources:
```hcl
provider "aws" {
  region = "us-east-2"
}

data "aws_iam_policy_document" "nginx-doc-policy" {
  statement {
    sid = "1"
    actions = [
      "ec2:*"
    ]
    resources = ["*"]
  }
}

resource "aws_iam_role" "nginx-iam_role" {
  name               = "nginx-iam_role"
  path               = "/"
  assume_role_policy = "${data.aws_iam_policy_document.nginx-doc-policy.json}"
}

resource "aws_iam_group_policy" "nginx-group-policy" {
  name   = "my_developer_policy"
  group  = "${aws_iam_group.nginx-iam-group.name}"
  policy = "${data.aws_iam_policy_document.nginx-doc-policy.json}"
}

resource "aws_iam_group" "nginx-iam-group" {
  name = "nginx-iam-group"
  path = "/"
}

resource "aws_iam_user" "nginx-user" {
  name = "nginx-user"
  path = "/"
}

resource "aws_iam_user_group_membership" "nginx-membership" {
  user   = "${aws_iam_user.nginx-user.name}"
  groups = ["${aws_iam_group.nginx-iam-group.name}"]
}
```
If you need the rest of the code: https://github.com/atilasantos/iac-terraform-nginx.git

Solution

You are trying to use the aws_iam_policy_document.nginx-doc-policy policy as the assume_role_policy, but that can't work: an assume role policy needs to define the principals you trust and want to grant access to assume the role you are creating.
An assume role policy could look like the one below, where you want to grant access to the role to EC2 instances via an instance profile. Finally, you can attach your original policy to that role as an inline policy via a new resource:
```hcl
data "aws_iam_policy_document" "instance-assume-role-policy" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "nginx-iam_role" {
  name               = "nginx-iam_role"
  path               = "/"
  assume_role_policy = data.aws_iam_policy_document.instance-assume-role-policy.json
}

resource "aws_iam_role_policy" "role_policy" {
  name   = "role policy"
  role   = aws_iam_role.nginx-iam_role.id
  policy = data.aws_iam_policy_document.nginx-doc-policy.json
}
```
Apart from attaching the policy as an inline policy, you can also create IAM policies and attach them to various IAM resources (for roles, e.g. aws_iam_policy and aws_iam_role_policy_attachment).
We've created a bunch of open source IAM modules (and others) to simplify handling IAM: find them here on GitHub. But there are more modules to try.
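To catch the mix-up described in this answer before `terraform apply` hits the API, here is an added pre-flight check (not part of the original answer or the linked repository) that lints a rendered policy JSON as a trust policy: it flags the `Resource` field AWS rejects and a missing `Principal`. The two sample documents are constructed approximations of what the question's and the answer's `aws_iam_policy_document` data sources render.

```python
import json

# Fields a trust (assume-role) policy statement may carry. "Resource" is not
# among them, which is what produces "MalformedPolicyDocument: Has prohibited
# field Resource" when a permissions policy is passed as assume_role_policy.
TRUST_ALLOWED_FIELDS = {"Sid", "Effect", "Action", "NotAction",
                        "Principal", "NotPrincipal", "Condition"}


def lint_trust_policy(policy_json: str) -> list:
    """Return the problems that would make AWS reject this document as an
    assume_role_policy. An empty list means it is plausibly a trust policy."""
    problems = []
    doc = json.loads(policy_json)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):          # a single statement is allowed
        statements = [statements]
    if not statements:
        problems.append("policy has no Statement")
    for i, stmt in enumerate(statements):
        sid = stmt.get("Sid", f"#{i}")
        for field in stmt:
            if field not in TRUST_ALLOWED_FIELDS:
                problems.append(f"statement {sid}: prohibited field {field}")
        if "Principal" not in stmt and "NotPrincipal" not in stmt:
            problems.append(f"statement {sid}: missing Principal "
                            "(who is trusted to assume the role)")
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not actions or not all(a.startswith("sts:") for a in actions):
            problems.append(f"statement {sid}: expected an sts:AssumeRole* "
                            f"action, got {actions}")
    return problems


# Constructed: roughly what the question's nginx-doc-policy renders to.
PERMISSIONS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "1", "Effect": "Allow",
                   "Action": "ec2:*", "Resource": "*"}],
})

# Constructed: roughly what the answer's instance-assume-role-policy renders to.
TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"Service": "ec2.amazonaws.com"}}],
})

if __name__ == "__main__":
    for name, doc in (("permissions policy", PERMISSIONS_POLICY),
                      ("trust policy", TRUST_POLICY)):
        print(name, "->", lint_trust_policy(doc) or "OK")
```

Run it on the output of `terraform output` or on the `.json` attribute shown in `terraform plan` to see which document you are actually handing to `assume_role_policy`.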