无法在AWS中国宁夏地区创建IAM角色

时间:2019-10-18 07:05:17

标签: amazon-web-services terraform

我正在尝试使用Terraform在AWS中国宁夏地区创建IAM角色。

这是我的文件夹结构

.
├── main.tf
└── variables.tf

这是main.tf

的内容 
provider "aws" {
  access_key = var.access_key
  secret_key = var.secret_key
  region  = var.region
}

resource "aws_iam_role" "role" {
  name               = "TestRole"
  assume_role_policy = data.aws_iam_policy_document.policy_doc.json
}

data "aws_iam_policy_document" "policy_doc" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

这是variables.tf文件:

variable "access_key" {}
variable "secret_key" {}
variable "region" {}

运行以下命令后

terraform apply \
  -var 'access_key=<my_access_key>' \
  -var 'secret_key=<my_secret_key>' \
  -var 'region=cn-northwest-1'

我说Error: Error creating IAM Role TestRole: MalformedPolicyDocument: Invalid principal in policy: "SERVICE":"ec2.amazonaws.com"时出错。

此Terraform脚本在AWS的其他区域(东京,新加坡,...)可以正常工作。看来AWS中国与其他地区有点不同。

这是我在键入yes进行terraform之前的消息:

Terraform will perform the following actions:

  # aws_iam_role.role will be created
  + resource "aws_iam_role" "role" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sts:AssumeRole"
                      + Effect    = "Allow"
                      + Principal = {
                          + Service = "ec2.amazonaws.com"
                        }
                      + Sid       = ""
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = false
      + id                    = (known after apply)
      + max_session_duration  = 3600
      + name                  = "TestRole"
      + path                  = "/"
      + unique_id             = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

有人知道如何在AWS中国中创建一个具有Terraform的IAM角色吗?

2 个答案:

答案 0 :(得分:0)

中国与您所说的不同。

ec2.amazonaws.com在中国不适用,相反,您必须使用ec2.cn-northwest-1.amazonaws.com.cn

这是所有端点https://docs.amazonaws.cn/en_us/aws/latest/userguide/endpoints-Ningxia.html

的列表

另外推荐阅读有关IAM在中国的信息:https://docs.amazonaws.cn/en_us/aws/latest/userguide/iam.html#general-info

答案 1 :(得分:0)

我使用aws iam get-account-authorization-details查看我的AWS中国账户中的当前IAM角色,这些角色是使用AWS控制台创建的。

然后我发现包含"Service": "ec2.amazonaws.com.cn"的行。

因此,使用ec2.amazonaws.com.cn替换ec2.amazonaws.com毫无问题。

相关问题
最新问题