我希望创建一个能够使用以下语法访问 s3 服务的 IAM 角色:
resource "aws_iam_role" "ec2_s3_fullAccess" {
name = "prod_ec2_s3_fullAccess"
path = "/"
assume_role_policy = data.aws_iam_policy_document.s3_access.json
}
resource "aws_iam_role_policy_attachment" "test-attach" {
role = aws_iam_role.ec2_s3_fullAccess.name
policy_arn = data.aws_iam_policy.s3_access.arn
}
resource "aws_iam_role_policy_attachment" "ec2-read-only-policy-attachment" {
role = "${aws_iam_role.ec2_iam_role.name}"
policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"
}
data "aws_iam_policy_document" "s3_access" {
statement {
sid = "SidToOverride"
actions = ["s3:*"]
resources = ["*"]
}
}
data "aws_iam_policy" "s3_access" {
arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
}
但是,我收到以下错误消息:
创建 IAM 角色 prod_ec2_s3_fullAccess 时出错:MalformedPolicyDocument:已禁止字段资源 │ 状态代码:400,请求 ID:dddb80c9-77a1-4ac3-b54a-4fab751f11db │ │ 与 module.usersgroups.aws_iam_role.\iam_role.ec2,\modules\s\iaAccess.\ resources.tf 第 88 行,在资源“aws_iam_role”“ec2_s3_fullAccess”中:│ 88:资源“aws_iam_role”“ec2_s3_fullAccess”{
您assume_role_policy
应该告诉谁/什么可以承担该角色,而不是承担后的实际权限是什么。这样的政策没有resources
。所以应该是:
data "aws_iam_policy_document" "s3_access" {
version = "2012-10-17"
statement {
sid = ""
effect = "Allow"
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["ec2.amazonaws.com"]
}
}
}
在您的情况下,我想您希望 ec2 实例能够承担该角色。
本文收集自互联网,转载请注明来源。
如有侵权,请联系 [email protected] 删除。
我来说两句