创建IAM角色时出错.MalformedPolicyDocument:具有禁止字段Resource.地貌 [英] Error creating IAM Role. MalformedPolicyDocument: Has prohibited field Resource. Terraform
问题描述
我看过几个链接,但我必须看一个例子.我有:
I have seen several links, but I have to see an example. I have:
resource "aws_iam_role" "role" {
name = "role"
assume_role_policy = <<-EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1590217939125",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::wwe"
},
{
"Sid": "Stmt1590217939125",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::wwe/*"
},
{
"Sid": "Stmt1577967806846",
"Action": [
"secretsmanager:DescribeSecret",
"secretsmanager:GetRandomPassword",
"secretsmanager:GetResourcePolicy",
"secretsmanager:GetSecretValue",
"secretsmanager:ListSecretVersionIds",
"secretsmanager:ListSecrets"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
EOF
tags = {
Name = wwe
Environment = STAGE
}
}
我正在制作时,
terraform apply
我看到了:
# aws_iam_role.role will be created
+ resource "aws_iam_role" "role" {
+ arn = (known after apply)
+ assume_role_policy = jsonencode(
{
+ Statement = [
+ {
+ Action = "s3:*"
+ Effect = "Allow"
+ Resource = "arn:aws:s3:::wwe"
+ Sid = "Stmt1590217939125"
},
+ {
+ Action = "s3:*"
+ Effect = "Allow"
+ Resource = "arn:aws:s3:::wwe/*"
+ Sid = "Stmt1590217939125"
},
+ {
+ Action = [
+ "secretsmanager:DescribeSecret",
+ "secretsmanager:GetRandomPassword",
+ "secretsmanager:GetResourcePolicy",
+ "secretsmanager:GetSecretValue",
+ "secretsmanager:ListSecretVersionIds",
+ "secretsmanager:ListSecrets",
]
+ Effect = "Allow"
+ Resource = "*"
+ Sid = "Stmt1577967806846"
},
]
+ Version = "2012-10-17"
}
)
+ create_date = (known after apply)
+ force_detach_policies = false
+ id = (known after apply)
+ max_session_duration = 3600
+ name = "role"
+ path = "/"
+ tags = {
+ "Environment" = "STAGE"
+ "Name" = "wwe"
}
+ unique_id = (known after apply)
}
之后,当我写是时,我看到:
After, when I am writing yes, I see:
Error: Error creating IAM Role role: MalformedPolicyDocument: Has prohibited field Resource
status code: 400
我在哪里出错?请不要发布指向相同问题的链接.我不明白,如果我有错误,请问我有一个错误,如果可能的话,请写一个例子.感谢您的关注.
Where, I have an error ? Please don't post links, to the same questions. I don't understand, where I have an error, Could You please write an example, where I have an error, If it possible. Thanks for Your attention.
推荐答案
一个问题是您有两个带有相同Sid 的语句: Stmt1590217939125 .
One issue is that you have two statements with the same Sid: Stmt1590217939125.
Sid必须为唯一.从 docs :
在IAM中,JSON策略中的Sid值必须唯一.
第二个问题是 assume_role_policy 是用于信任策略的.信任策略没有资源.它们具有不同的形式.对于实例:
The second issue is that assume_role_policy is for a trust policy. Trust policies do not have Resource. They have different form. For instance:
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
要将您的策略添加到该角色,必须使用 aws_iam_role_policy_attachment .例如,您可以这样做:
To add your policies to the role, have to use aws_iam_role_policy_attachment. For example, you could do:
resource "aws_iam_policy" "policy" {
name = "my-role"
description = "My policy"
policy = <<-EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1590217939128",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::wwe"
},
{
"Sid": "Stmt1590217939125",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::wwe/*"
},
{
"Sid": "Stmt1577967806846",
"Action": [
"secretsmanager:DescribeSecret",
"secretsmanager:GetRandomPassword",
"secretsmanager:GetResourcePolicy",
"secretsmanager:GetSecretValue",
"secretsmanager:ListSecretVersionIds",
"secretsmanager:ListSecrets"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
EOF
}
resource "aws_iam_role_policy_attachment" "test-attach" {
role = "${aws_iam_role.role.name}"
policy_arn = "${aws_iam_policy.policy.arn}"
}
这篇关于创建IAM角色时出错.MalformedPolicyDocument:具有禁止字段Resource.地貌的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
