Terraform AWS: Error creating IAM Role ecs_task_execution_role: MalformedPolicyDocument: Has prohibited field Resource

Posted: 2020-07-25 08:23:55

Tags: amazon-web-services terraform terraform-provider-aws

I am using Terraform to deploy a container on Fargate.

I am getting this error:

error: Error creating IAM Role ecs_task_execution_role: MalformedPolicyDocument: Has prohibited field Resource
        status code: 400, request id: 351d657b-32ef-4ffa-a1e8-bee912e5c788

  on ecs.tf line 74, in resource "aws_iam_role" "ecs_execution_role":
  74: resource "aws_iam_role" "ecs_execution_role" {

My Terraform configuration:

resource "aws_ecs_task_definition" "nginx" {
  family = "nginx-${var.app}"

  network_mode             = "awsvpc"
  requires_compatibilities = ["FARGATE"]

  cpu    = "256"
  memory = "512"

  execution_role_arn = "${aws_iam_role.ecs_execution_role.arn}"
  task_role_arn      = "${aws_iam_role.ecs_execution_role.arn}"

  container_definitions = <<DEFINITION
  [
 ...
}

resource "aws_iam_role" "ecs_execution_role" {
  name = "ecs_task_execution_role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": [
        "sts:AssumeRole",
        "ecs:CreateCluster",
        "ecs:DeregisterContainerInstance",
        "ecs:DiscoverPollEndpoint",
        "ecs:Poll",
        "ecs:RegisterContainerInstance",
        "ecs:StartTelemetrySession",
        "ecs:Submit*",
        "ecs:StartTask",
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

What policy do I need? What is wrong with the current policy?

When I change the Action attribute in the policy to "Action": "sts:AssumeRole", I get this error in the task log instead:

Status reason   CannotPullECRContainerError: AccessDeniedException: User: arn:aws:sts::993934193145:assumed-role/ecs_task_execution_role/0d2f817c-d7b5-4221-afb8-56baaee68b0e is not authorized to perform: ecr:GetAuthorizationToken on resource: * status code: 400, request


2 Answers:

Answer 0 (score: 3)

The assume_role_policy in aws_iam_role is only for the trust relationship, i.e. which IAM entity is allowed to assume the role.

The actual permissions you want to add to the role can be placed in an aws_iam_policy and attached to the role with aws_iam_role_policy_attachment.

For example, your code could be refactored to the following:

resource "aws_iam_role" "ecs_execution_role" {
  name = "ecs_task_execution_role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

resource "aws_iam_policy" "ecs_permissions" {
  name        = "my_ecs_permissions"
  description = "Permissions to enable CT"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "ecs:CreateCluster",
        "ecs:DeregisterContainerInstance",
        "ecs:DiscoverPollEndpoint",
        "ecs:Poll",
        "ecs:RegisterContainerInstance",
        "ecs:StartTelemetrySession",
        "ecs:Submit*",
        "ecs:StartTask",
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    }    
  ]
}
EOF
}


resource "aws_iam_role_policy_attachment" "ecs_attachment" {
  role       = aws_iam_role.ecs_execution_role.name
  policy_arn = aws_iam_policy.ecs_permissions.arn
}

Answer 1 (score: 1)

What you have there is actually the assume_role_policy, which contains both the trust policy and the permissions.

Instead, you should move all of the permissions that are not part of the trust policy into a standard IAM policy.

This assume_role_policy is very similar to a standard IAM policy but slightly different, and it cannot use the aws_iam_policy resource. It can, however, use the aws_iam_policy_document data source; see the example below for how this works.
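Both answers make the same point: the trust policy only says who may assume the role, and the permissions belong in a separate policy. The example below is added here and is not code from the question or from either answer. It puts together what the two answers describe (a trust policy built with the aws_iam_policy_document data source, permissions attached separately) and goes one step further on two points the question's configuration gets wrong from a least-privilege standpoint: it attaches the AWS-managed AmazonECSTaskExecutionRolePolicy, which grants exactly the ecr:GetAuthorizationToken, ecr:BatchGetImage and logs permissions behind the CannotPullECRContainerError in the question and nothing else, and it gives the task its own role instead of reusing the execution role for task_role_arn, so the application inside the container never inherits ECR, CloudWatch Logs or ecs:* rights it does not need. The aws:SourceAccount and aws:SourceArn conditions are the confused-deputy guard AWS documents for the ecs-tasks.amazonaws.com principal. var.app comes from the question; the S3 bucket name, the log group name, the ECR repository name and the task role name are assumptions made for this example.

```hcl
# Added example (not from the question or the answers). Assumes var.app
# exists; the bucket, log group, ECR repo and role names are hypothetical.

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Trust policy: the only thing that belongs in assume_role_policy.
# No Resource field, and the only action is sts:AssumeRole.
data "aws_iam_policy_document" "ecs_tasks_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }

    # Confused-deputy guard: only ECS tasks in this account/region may assume it.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = ["arn:aws:ecs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:*"]
    }
  }
}

# Execution role: used by the ECS agent to pull the image and ship logs.
resource "aws_iam_role" "ecs_execution_role" {
  name               = "ecs_task_execution_role"
  assume_role_policy = data.aws_iam_policy_document.ecs_tasks_trust.json
}

# AWS-managed policy covering ECR pull + CloudWatch Logs, i.e. the
# ecr:GetAuthorizationToken the task log said the role was missing.
resource "aws_iam_role_policy_attachment" "ecs_execution_managed" {
  role       = aws_iam_role.ecs_execution_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}

# Task role: what the application code inside the container may call.
# Kept separate from the execution role so the container never inherits
# ECR/Logs rights, and scoped to one hypothetical bucket prefix.
data "aws_iam_policy_document" "ecs_task_permissions" {
  statement {
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::${var.app}-config/*"] # hypothetical bucket
  }
}

resource "aws_iam_role" "ecs_task_role" {
  name               = "ecs_task_role"
  assume_role_policy = data.aws_iam_policy_document.ecs_tasks_trust.json
}

resource "aws_iam_role_policy" "ecs_task_inline" {
  name   = "ecs_task_permissions"
  role   = aws_iam_role.ecs_task_role.id
  policy = data.aws_iam_policy_document.ecs_task_permissions.json
}

resource "aws_ecs_task_definition" "nginx" {
  family                   = "nginx-${var.app}"
  network_mode             = "awsvpc"
  requires_compatibilities = ["FARGATE"]
  cpu                      = "256"
  memory                   = "512"

  # Two different roles: the agent's and the application's.
  execution_role_arn = aws_iam_role.ecs_execution_role.arn
  task_role_arn      = aws_iam_role.ecs_task_role.arn

  container_definitions = jsonencode([{
    name         = "nginx"
    image        = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${data.aws_region.current.name}.amazonaws.com/nginx:latest" # hypothetical repo
    essential    = true
    portMappings = [{ containerPort = 80, protocol = "tcp" }]
    logConfiguration = {
      logDriver = "awslogs"
      options = {
        "awslogs-group"         = "/ecs/nginx-${var.app}" # hypothetical log group
        "awslogs-region"        = data.aws_region.current.name
        "awslogs-stream-prefix" = "nginx"
      }
    }
  }])
}
```

A quick way to check the distinction the answers draw is `terraform plan`: a Resource key inside assume_role_policy is rejected by IAM at apply time with the MalformedPolicyDocument error from the question, whereas aws_iam_policy_document only emits the keys (Principal, Condition) that a trust policy accepts, so the mistake cannot be expressed in the first place. The awslogs log group must exist (or be created with aws_cloudwatch_log_group) before the task starts, since the managed execution policy grants logs:CreateLogStream but not logs:CreateLogGroup.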