如何解决terraform中的任务执行IAM角色
我正在创建一个IAM角色来执行任务。我已经在cloudformation中完成了工作,现在我正在以terraform进行操作,但是我遇到的问题是在cloudformation中有一个属性可以赋予ManagedPolicyArns
,但您将如何在terraform中给出它。我同时附上了两个脚本。 Terraform脚本不完整,cloudformation脚本完成后我需要帮助,我想将其复制到terraform。
地形:
resource "aws_iam_role" "task_execution" {
name = "task-execution-${terraform.workspace}"
assume_role_policy = <<EOF
{
"Version": "2012-10-17","Statement": [
{
"Action": "sts:AssumeRole","Principal": {
"Service": "ecs-tasks.amazonaws.com"
},"Effect": "Allow","Sid": "","path": "/",}
]
}
EOF
tags = {
tag-key = "tag-value"
}
}
Cloudformation
---
AWSTemplateFormatVersion: 2010-09-09
Parameters:
Env:
Type: String
Resources:
ExRole:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- ecs-tasks.amazonaws.com
Action:
- 'sts:AssumeRole'
Path: /
RoleName: !Sub "excutionrole-${Env}"
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
Policies:
- PolicyName: AccessECR
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- ecr:BatchGetImage
- ecr:GetAuthorizationToken
- ecr:GetDownloadUrlForLayer
Resource: '*'
解决方法
在Terraform中,您可以使用iam_role_policy_attachment资源将策略附加到角色:
resource "aws_iam_role_policy_attachment" "test-attach" {
role = aws_iam_role.test_role.name
policy_arn = // ARN of the managed policy
}
,
SSSSSS
仅用于
信任关系(即谁/谁可以担任此角色)。从而,
您的assume_role_policy
应该是:
aws_iam_role
然后,所需的权限可以附加到角色,如下所示:
resource "aws_iam_role" "test_role" {
name = "s3_access"
assume_role_policy = <<EOF
{
"Version": "2012-10-17","Statement": [
{
"Sid": "1","Effect": "Allow","Principal": {
"Service": "ecs-tasks.amazonaws.com"
},"Action": "sts:AssumeRole"
}
]
}
EOF
tags = {
tag-key = "tag-value"
}
}
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。