Terraform AWS 角色策略在添加权限时失败 [英] Terraform AWS role policy fails when adding permissions
问题描述
我需要使用 Terraform 为 AWS 创建一些角色策略,基本角色可以正常工作,但是当我添加 S3 和日志时,出现格式错误:
I need to create some role policy for AWS using Terraform, the basic role works fine, but when I add S3 and logs, I get a malformed error:
aws_iam_role.lambda_exec_role_s3:创建 IAM 角色 lambda_exec_role_s3 时出错:MalformedPolicyDocument:禁止字段资源状态码:400
aws_iam_role.lambda_exec_role_s3: Error creating IAM Role lambda_exec_role_s3: MalformedPolicyDocument: Has prohibited field Resource status code: 400
这是失败的角色策略:
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:*:*:*"
}
]
}
EOF
这里是工作角色政策:
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
推荐答案
您不能在代入角色策略中添加实际操作.
You can't add actual actions in an assume role policy.
承担角色策略用于限制如何承担角色(通过用户/EC2 实例或 ECS 任务/AWS 服务/跨账户角色等).
The assume role policy is for limiting how the role can be assumed (by users/EC2 instances or ECS tasks/AWS services/cross account roles etc).
您需要在策略中指定角色可以执行的实际操作,无论是在线还是在随后附加到角色的托管策略中.
You need to specify the actual actions the role can do in a policy, either in line or in a managed policy that is then attached to the role.
这篇关于Terraform AWS 角色策略在添加权限时失败的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!