我希望创建一个能够使用以下语法访问 s3 服务的 IAM 角色:
resource "aws_iam_role" "ec2_s3_fullAccess" {
name = "prod_ec2_s3_fullAccess"
path = "/"
assume_role_policy = data.aws_iam_policy_document.s3_access.json
}
resource "aws_iam_role_policy_attachment" "test-attach" {
role = aws_iam_role.ec2_s3_fullAccess.name
policy_arn = data.aws_iam_policy.s3_access.arn
}
resource "aws_iam_role_policy_attachment" "ec2-read-only-policy-attachment" {
role = "${aws_iam_role.ec2_iam_role.name}"
policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"
}
data "aws_iam_policy_document" "s3_access" {
statement {
sid = "SidToOverride"
actions = ["s3:*"]
resources = ["*"]
}
}
data "aws_iam_policy" "s3_access" {
arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
}
但是,我收到以下错误消息:
创建 IAM 角色 prod_ec2_s3_fullAccess 时出错:MalformedPolicyDocument:已禁止字段资源 │ 状态码:400,请求id:dddb80c9-77a1-4ac3-b54a-4fab751f11db │ │ 与 module.usersgroups.aws_iam_role.ec2_s3_fullAccess, │ 在 ..\modules\iam\resources.tf 第 88 行,在资源“aws_iam_role”“ec2_s3_fullAccess”中: │ 88:资源“aws_iam_role”“ec2_s3_fullAccess”{
答案 0 :(得分:1)
您的 assume_role_policy 应该说明谁/什么可以担任该角色,而不是在担任该角色后的实际权限是什么。此类政策没有 resources。所以应该是:
data "aws_iam_policy_document" "s3_access" {
version = "2012-10-17"
statement {
sid = ""
effect = "Allow"
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["ec2.amazonaws.com"]
}
}
}
在您的情况下,我想您希望 ec2 实例能够承担该角色。