这是我在Terraform中的aws_iam_role定义
resource "aws_iam_role" "server_role" {
name = "server-role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sts:AssumeEnvironment",
"sqs:ChangeMessageVisibility",
"sqs:ReceiveMessage",
"sqs:SendMessage",
"s3:GetObject*",
"s3:ListBucket*",
"s3:PutBucket*",
"s3:PutObject*"
],
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
但是当我尝试运行terraform plan时出现此错误:
错误:应用计划时出错:
发生1个错误:
aws_iam_role.server_role:发生1个错误:
aws_iam_role.server_role:创建IAM角色服务器角色时出错:MalformedPolicyDocument:AssumeRole策略可能 仅指定STS AssumeRole操作。状态码:400,请求ID: 55f1bfaf-a121-11e9-acaf-bb57d635757b
我基本上希望允许服务器读取/写入S3存储桶和读取/写入SQS队列。
显然,我不能将所有这些sqs:*和s3:*添加在同一位置。我该如何在terraform中做到这一点?
答案 0 :(得分:2)
您对IAM政策感到困惑,而IAM承担了角色政策。 尝试如下。它将为EC2创建IAM配置文件,您可以将其附加到EC2实例。
resource "aws_iam_role" "server_role" {
name = "server-role"
path = "/"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
}
resource "aws_iam_policy" "server_policy" {
name = "server_policy"
path = "/"
description = "TBD"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sqs:ChangeMessageVisibility",
"sqs:ReceiveMessage",
"sqs:SendMessage",
"s3:GetObject*",
"s3:ListBucket*",
"s3:PutBucket*",
"s3:PutObject*"
],
"Resource": [
"*"
]
,
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
resource "aws_iam_role_policy_attachment" "server_policy" {
role = "${aws_iam_role.server_role.name}"
policy_arn = "${aws_iam_policy.server_policy.arn}"
}
resource "aws_iam_instance_profile" "server" {
name = "server_profile"
role = "${aws_iam_role.server_role.name}"
}