确定 Terraform 配置所需的最低 AWS 权限的最有效方法是什么? [英] What's the most efficient way to determine the minimum AWS permissions necessary for a Terraform configuration?
问题描述
我在 AWS 上有一个 Terraform 配置目标部署.当使用有权执行任何操作的 IAM 用户时,它非常适用(即 {actions: ["*"], resources: ["*"]}.
I have a Terraform configuration targeting deployment on AWS. It applies beautifully when using an IAM user that has permission to do anything (i.e. {actions: ["*"], resources: ["*"]}.
为了实现此 Terraform 配置应用程序的自动化,我想确定最初应用配置和影响后续更改所需的最小 组权限.我特别想避免在政策中给予过于宽泛的权限,例如{actions: ["s3:*"], resources: ["*"]}.
In pursuit of automating the application of this Terraform configuration, I want to determine the minimum set of permissions necessary to apply the configuration initially and effect subsequent changes. I specifically want to avoid giving overbroad permissions in policy, e.g. {actions: ["s3:*"], resources: ["*"]}.
到目前为止,我只是在运行 terraform apply 直到发生错误.我查看输出或 terraform 日志输出以查看失败的 API 调用,然后将其添加到部署用户策略中.EC2 和 S3 尤其令人沮丧,因为操作的名称似乎不一定与 API 方法名称一致.我花了几个小时才知道我有多远.
So far, I'm simply running terraform apply until an error occurs. I look at the output or at the terraform log output to see what API call failed and then add it to the deployment user policy. EC2 and S3 are particularly frustrating because the name of the actions seems to not necessarily align with the API method name. I'm several hours into this with easy way to tell how far long I am.
有没有更有效的方法来做到这一点?
如果 Terraform 建议我需要什么许可/操作,那就太好了,但这是最好留给 Hashicorp 的产品增强功能.
It'd be really nice if Terraform advised me what permission/action I need but that's a product enhancement best left to Hashicorp.
推荐答案
虽然我仍然相信这种超级严格的政策将是一个持续的痛苦并且可能会扼杀生产力(但可能取决于项目),但现在有一个工具可以解决这个.
While I still believe that such super strict policy will be a continuous pain and likely kill productivity (but might depend on the project), there is now a tool for this.
iamlive 使用 AWS 开发工具包的客户端监控功能来创建基于执行的最小策略API 调用.由于 Terraform 使用 AWS 开发工具包,因此这里也适用.
iamlive uses the Client Side Monitoring feature of the AWS SDK to create a minimal policy based on the executed API calls. As Terraform uses the AWS SDK, this works here as well.
与我之前(并已接受)的答案相比,iamlive 甚至应该正确执行实际的 IAM 操作,这不一定与 API 调用 1:1 匹配(并且将由 CloudTrail 记录).
In contrast to my previous (and accepted) answer, iamlive should even get the actual IAM actions right, which not necessarily match the API calls 1:1 (and which would be logged by CloudTrail).
这篇关于确定 Terraform 配置所需的最低 AWS 权限的最有效方法是什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
