Terraform计划命令失败

时间:2018-05-04 13:26:19

标签: amazon-web-services amazon-iam terraform terraform-provider-aws

我正在尝试使用其他用户和自定义策略来执行我的Terraform计划命令,但我无法弄清楚我缺少哪些策略操作来运行此命令。我不想允许ec2:*

资源已在运行,我们只是试图将代码移动到另一个项目。

当我使用ec2:*权限运行计划时,它正常运行。

错误:

Error refreshing state: 2 error(s) occurred:

    * module.mesos.aws_instance.master: 3 error(s) occurred:      
    * module.mesos.aws_instance.master[2]: aws_instance.master.2: UnauthorizedOperation: You are not authorized to perform this operation.
        status code: 403, request id: 484574e1-0dd0-4c43-b829-42c034763bad
    * module.mesos.aws_instance.master[1]: aws_instance.master.1: UnauthorizedOperation: You are not authorized to perform this operation.
        status code: 403, request id: e0499d28-d55c-46e8-af1a-91262427b422
    * module.mesos.aws_instance.master[0]: aws_instance.master.0: UnauthorizedOperation: You are not authorized to perform this operation.
        status code: 403, request id: f1fb50ac-7bb5-47d6-b1b4-b24b38a61fdd
    * module.mesos.data.aws_ami.agent: 1 error(s) occurred:    
    * module.mesos.data.aws_ami.agent: data.aws_ami.agent: UnauthorizedOperation: You are not authorized to perform this operation.
        status code: 403, request id: a7dcf75b-30d1-4c74-8c30-a002644db313

代码:

{
       "Sid": "gitec2",
       "Effect": "Allow",
       "Action": [
           "ec2:DescribeInstances",
           "ec2:DescribeVolumeStatus",
           "ec2:StartInstances",
           "ec2:DescribeVolumes",
           "ec2:RunInstances",
           "ec2:StopInstances",
           "ec2:AssignPrivateIpAddresses",
           "ec2:DescribeVolumeAttribute",
           "ec2:DescribeSubnets",
           "ec2:AttachVolume",
           "ec2:DescribeRegions",
           "ec2:DescribeVpcAttribute",
           "ec2:DescribeAvailabilityZones",
           "ec2:DescribeInstanceStatus",
           "ec2:DescribeSecurityGroups",
           "ec2:DescribeVpcs",
           "ec2:DescribeNetworkAcls",
           "ec2:DescribeRouteTables",
           "ec2:DescribeLaunchTemplates",
           "ec2:DescribeAddresses",
           "ec2:DescribeInstanceAttributes",
           "ec2:DescribeNetworkInterfaces",
           "ec2:CreateSecurityGroup",
           "ec2:TerminateInstances",
           "ec2:DescribeIamInstanceProfileAssociations",
           "ec2:DescribeTags",
           "ec2:DescribeImageAttribute",
           "ec2:DescribeSecurityGroupReferences",
           "ec2:AssociateIamInstanceProfile",
           "ec2:AttachInternetGateway",
           "ec2:AttachNetworkGateway",
           "ec2:AssociateIamInstanceProfile",
           "ec2:DeleteSecurityGroup"
          ],
       "Resource": "*"
 }

1 个答案:

答案 0 :(得分:2)

aws_instance resource读取方法(刷新状态时调用)调用需要DescribeInstances的{​​{1}},DescribeInstanceAttributeDescribeIamInstanceProfileAssociations个端点,{{1}分别和ec2:DescribeInstances

aws_ami data source调用需要ec2:DescribeInstanceAttribute IAM操作的ec2:DescribeIamInstanceProfileAssociations端点。

因此,您错过了DescribeImages(您有ec2:DescribeImages这不是有效的操作)和ec2:DescribeInstanceAttribute

通过查看源代码(aws_instanceaws_ami)可以发现Terraform进行的调用,同时可以在AM docs for EC2中找到相关的IAM操作。

如果有充分理由不允许ec2:DescribeInstanceAttributes,我会感到惊讶,因为这些只是只读操作而且不应该暴露任何敏感信息。

相关问题
最新问题