Amazon dynamodb 如何将DynamoDB IAM角色添加到Terraform中的EKS工作节点?
我正在尝试从EKS中的工作节点写入DynamoDB。我目前正在附加一个IAM角色策略,该策略授予对DynamoDB的完全访问权。这是解决这个问题的正确方法吗?来自我的应用程序的请求当前挂起,我假设这与我的节点没有正确的权限有关 这是我在Terraform中的当前设置Amazon dynamodb 如何将DynamoDB IAM角色添加到Terraform中的EKS工作节点?,amazon-dynamodb,terraform,amazon-eks,Amazon Dynamodb,Terraform,Amazon Eks,我正在尝试从EKS中的工作节点写入DynamoDB。我目前正在附加一个IAM角色策略,该策略授予对DynamoDB的完全访问权。这是解决这个问题的正确方法吗?来自我的应用程序的请求当前挂起,我假设这与我的节点没有正确的权限有关 这是我在Terraform中的当前设置 resource "aws_iam_role" "worker-node" { name = "worker-node" assume_role_policy = <<POLICY { "Version":
resource "aws_iam_role" "worker-node" {
name = "worker-node"
assume_role_policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
POLICY
}
resource "aws_iam_role_policy_attachment" "worker-node-AmazonEKSWorkerNodePolicy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
role = aws_iam_role.worker-node.name
}
resource "aws_iam_role_policy_attachment" "worker-node-AmazonEKS_CNI_Policy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
role = aws_iam_role.worker-node.name
}
resource "aws_iam_role_policy_attachment" "worker-node-AmazonEC2ContainerRegistryReadOnly" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
role = aws_iam_role.worker-node.name
}
resource "aws_iam_role_policy_attachment" "worker-node-AmazonDynamoDBFullAccess" {
policy_arn = "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess"
role = aws_iam_role.worker-node.name
}
resource "aws_eks_node_group" "node-private" {
cluster_name = aws_eks_cluster.cluster.name
node_group_name = "node-group-private"
node_role_arn = aws_iam_role.worker-node.arn
subnet_ids = [aws_subnet.private-1.id, aws_subnet.private-2.id]
instance_types = ["t2.micro"]
scaling_config {
desired_size = 3
max_size = 3
min_size = 1
}
depends_on = [
aws_iam_role_policy_attachment.worker-node-AmazonEKSWorkerNodePolicy,
aws_iam_role_policy_attachment.worker-node-AmazonEKS_CNI_Policy,
aws_iam_role_policy_attachment.worker-node-AmazonEC2ContainerRegistryReadOnly,
aws_iam_role_policy_attachment.worker-node-AmazonDynamoDBFullAccess,
]
}
资源“aws\u iam\u角色”“工作节点”{
name=“工作节点”
假设\u role\u policy=这使您的整个节点组都可以访问DynamoDB。您不想让POD拥有这样做的权限吗?这使您的整个节点组都可以访问DynamoDB。您不想让POD拥有这样做的权限吗?