如何使用 Terraform 创建没有代入角色策略的 AWS IAM 角色? [英] How To Use Terraform To Create an AWS IAM Role with No Assume Role Policy?
问题描述
使用 AWS MediaConvert 时,说明提供了 示例 IAM 策略 没有代入角色部分.同样,在 AWS IAM 控制台中创建默认 MediaConvert 角色时,生成的 IAM 角色也没有信任策略.
When using AWS MediaConvert the instructions provide a sample IAM policy that has no assume role section. Similarly, when creating a default MediaConvert role in the AWS IAM console the resulting IAM role also has no trust policy.
在 Terraform 中,我如何创建 IAM 角色 带有空的 assume_role_policy 参数?
In Terraform, how do I create an IAM role with an empty assume_role_policy argument?
我尝试了以下解决方案,但结果出现了各种错误:
I have tried the following solutions with various resulting errors:
- 设置
assume_role_policy = "" - 设置
assume_role_policy = "{}" - 创建一个空的
data aws_iam_policy_document,并将assume_role_policy设置为文档的json结果.
- Set
assume_role_policy = "" - Set
assume_role_policy = "{}" - Create an empty
data aws_iam_policy_documentand set assume_role_policy to the json result of the document.
如果空的代入角色策略不是解决方案,那么如何使用适用于 MediaConvert 的 terraform 创建 IAM 角色?
If an empty assume role policy is not the solution, then how do I create an IAM role using terraform that is appropriate for MediaConvert?
预先感谢您的考虑和回复.
Thank you in advance for your consideration and response.
推荐答案
您似乎对需要定义代入角色策略的位置感到困惑.这不是策略本身使用的,而是角色使用它来确定允许哪些服务或帐户使用该角色.
You seem to be confused about where the assume role policy needs to be defined. This isn't used by the policies themselves, instead it's used by the role to work out what services or accounts are allowed to use the role.
该角色需要一个 assume_role_policy 以允许 mediaconvert 服务能够承担该角色.之后,该角色可以使用附加到该角色的策略(作为托管策略或内联策略)提供的任何权限.
The role needs an assume_role_policy to allow the mediaconvert service to be able to assume the role. After that the role can use any of the permissions provided by the policy/policies attached to the role (either as managed policies or inline).
您的代入角色政策应如下所示:
Your assume role policy for this should then look something like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "mediaconvert.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
用于创建角色和策略的 Terraform 代码将如下所示:
Your Terraform code to create the role and policy would then look something like this:
data "aws_iam_policy_document" "mediaconvert_assume_role_policy" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["mediaconvert.amazonaws.com"]
}
}
}
resource "aws_iam_role" "mediaconvert" {
name = "example"
path = "/system/"
assume_role_policy = data.aws_iam_policy_document.mediaconvert_assume_role_policy.json
}
resource "aws_iam_role_policy_attachment" "mediaconvert_s3" {
role = aws_iam_role.mediaconvert.name
policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
}
resource "aws_iam_role_policy_attachment" "mediaconvert_api_gateway" {
role = aws_iam_role.mediaconvert.name
policy_arn = "arn:aws:iam::aws:policy/AmazonAPIGatewayInvokeFullAccess"
}
这将创建一个可由 MediaConvert 服务承担的角色,然后允许 MediaConvert 服务使用 S3 或 API 网关执行任何操作.您可能想要选择为角色授予更细粒度的权限,或者您可能只是很高兴 MediaConvert 不会做任何您不希望它做的事情.
This would create a role that can be assumed by the MediaConvert service and then allows the MediaConvert service the ability to do anything with S3 or API Gateway. You might want to choose to give more fine grained permissions to the role or you might just be happy that MediaConvert isn't going to do anything you don't want it to do anyway.
这篇关于如何使用 Terraform 创建没有代入角色策略的 AWS IAM 角色?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
