添加权限时，Terraform AWS角色策略失败 [英] Terraform AWS role policy fails when adding permissions

问题描述

我需要使用Terraform为AWS创建一些角色策略，基本角色可以正常工作，但是当我添加S3和日志时，出现格式错误的错误:

I need to create some role policy for AWS using Terraform, the basic role works fine, but when I add S3 and logs, I get a malformed error:

aws_iam_role.lambda_exec_role_s3:创建IAM角色时出错lambda_exec_role_s3:MalformedPolicyDocument:禁止了字段资源 状态码:400

aws_iam_role.lambda_exec_role_s3: Error creating IAM Role lambda_exec_role_s3: MalformedPolicyDocument: Has prohibited field Resource status code: 400

这是失败的角色策略:

assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
    {
        "Action": "sts:AssumeRole",
        "Principal": {
            "Service": "lambda.amazonaws.com"
        },
        "Effect": "Allow",
        "Sid": ""
    },
    {
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": "*"
    },
    {
        "Effect": "Allow",
        "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
        ],
        "Resource": "arn:aws:logs:*:*:*"
    }
]
 }
  EOF

以下是工作角色政策:

assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
    {
        "Action": "sts:AssumeRole",
        "Principal": {
            "Service": "lambda.amazonaws.com"
        },
        "Effect": "Allow",
        "Sid": ""
    }
]
}

推荐答案

您不能在承担角色策略中添加实际操作.

You can't add actual actions in an assume role policy.

假设角色策略用于限制如何假设角色(通过用户/EC2实例或ECS任务/AWS服务/跨账户角色等).

The assume role policy is for limiting how the role can be assumed (by users/EC2 instances or ECS tasks/AWS services/cross account roles etc).

您需要指定角色可以在策略中执行的实际操作，既可以是直接执行的，也可以是在附加到角色的托管策略中执行的操作.

You need to specify the actual actions the role can do in a policy, either in line or in a managed policy that is then attached to the role.

这篇关于添加权限时，Terraform AWS角色策略失败的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！