我正在为Grafana EC2实例创建一个角色,以使其能够从CloudWatch读取指标。我已经遇到了这个问题:https://github.com/grafana/grafana/issues/19173,看来我需要将这些行添加到Trust关系中以解决此问题。
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::[id-removed]:role/grafana",
"arn:aws:sts::[id-removed]:assumed-role/grafana/GrafanaSession"
]
},
"Action": "sts:AssumeRole"
}
所以我想知道如何使用Terraform。目前,我正在使用此版本的terraform脚本:
provider "aws" {
region = "eu-west-1"
version = "~> 2.0"
}
variable "aws_account_id" {
type = string
default = "account_id"
}
data "aws_iam_policy_document" "assume_role_policy" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["ec2.amazonaws.com"]
}
}
statement {
actions = ["sts:AssumeRole"]
principals {
type = "AWS"
identifiers = [
"arn:aws:iam::${var.aws_account_id}:role/grafana",
"arn:aws:sts::${var.aws_account_id}:assumed-role/grafana/GrafanaSession"
]
}
}
}
resource "aws_iam_role" "grafana" {
name = "grafana"
assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
}
失败并显示MalformedPolicyDocument: Invalid principal in policy: "AWS":"arn:aws:iam::[id-removed]:role/grafana"
要使其工作,我必须注释aws_iam_policy_document的第二个语句块,运行terraform apply,然后取消注释并再次运行terraform apply,这不是一种很方便的工作方式,因为我们运行了GitLab提供的terraform脚本,因此这意味着我们必须在没有假定角色的情况下进行提交,标记,部署,以假定角色进行提交,再次标记并部署:explode