Question

运行Terraform Error: Error creating IAM Role s3_access: MalformedPolicyDocument: Has prohibited field Resource status code: 400,时出现此错误，我在IAM角色中缺少什么？我正在使用此角色从s3获取特定文件。我想授予此角色有限的权限，例如仅获取某些存储分区内容

resource "aws_instance" "web" {
  count                       = var.ec2_count
  ami                         = var.ami_id
  instance_type               = var.instance_type
  subnet_id                   = var.subnet_id
  key_name                    = var.key_name
  source_dest_check           = false
  associate_public_ip_address = true
  #user_data                   = "${file("userdata.sh")}"1
  security_groups = [aws_security_group.ec2_sg.id]
  user_data       = "${file("${path.module}/template/userdata.sh")}"
  tags = {
    Name = "Webserver"
  }
}
resource "aws_iam_role" "s3_access" {
  name = "s3_access"

  assume_role_policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
              "Service": "ec2.amazonaws.com"
              },
            "Action": [
                "s3:ListBucket",
                "s3:GetObjectVersion",
                "s3:GetObject",
                "s3:GetBucketVersioning",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::webserver/*",
                "arn:aws:s3:::webserver"
            ]
        }
    ]
}
EOF

  tags = {
    tag-key = "tag-value"
  }
}
resource "aws_security_group" "ec2_sg" {
  name        = "ec2-sg"
  description = "Allow TLS inbound traffic"
  vpc_id      = var.vpc_id

  ingress {
    description = "incoming for ec2-instance"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "ec2-sg"
  }
}

任何类型的帮助将不胜感激。我曾尝试自己做过，但被困住了。

Answer 1

resource "aws_iam_role" "s3_access" {
  name = "s3_access"

  assume_role_policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
              "Service": "ec2.amazonaws.com"
              },
            "Action": "sts:AssumeRole"            
        }
    ]
}
EOF

  tags = {
    tag-key = "tag-value"
  }
}



resource "aws_iam_role_policy" "s3_access_policy" {

  name = "s3_access_policy"
  
  role = "${aws_iam_role.s3_access.id}"

  policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "2",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObjectVersion",
                "s3:GetObject",
                "s3:GetBucketVersioning",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::webserver/*",
                "arn:aws:s3:::webserver"
            ]
        }
    ]
}
EOF

}

错误：创建IAM角色s3_access时出错：MalformedPolicyDocument

1 个答案: