Amazon Web Services: Unable to create an IAM role in the AWS China (Ningxia) region
I am trying to create an IAM role in the AWS China (Ningxia) region using Terraform. Here is my folder structure:
.
├── main.tf
└── variables.tf
Below is the content of main.tf:
provider "aws" {
  access_key = var.access_key
  secret_key = var.secret_key
  region     = var.region
}

resource "aws_iam_role" "role" {
  name               = "TestRole"
  assume_role_policy = data.aws_iam_policy_document.policy_doc.json
}

data "aws_iam_policy_document" "policy_doc" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}
Below is the variables.tf file:
variable "access_key" {}
variable "secret_key" {}
variable "region" {}
After running the following command:
terraform apply \
  -var 'access_key=<my_access_key>' \
  -var 'secret_key=<my_secret_key>' \
  -var 'region=cn-northwest-1'
Does anyone know how to create an IAM role like mine in AWS China using Terraform?

China is different from what you said. ec2.amazonaws.com does not work in China; you have to use something like ec2.cn-western-1.amazonaws.com.cn. Here is the list of all endpoints.
Also, I recommend reading about IAM in China:

I used aws iam get-account-authorization-details to look at the current IAM roles in my AWS China account, which were created with the AWS console, and then found the line containing "Service": "ec2.amazonaws.com.cn". So replacing ec2.amazonaws.com with ec2.amazonaws.com.cn works without any problem.

Using ec2.cn-northwest-1.amazonaws.com.cn instead of ec2.amazonaws.com also does not work. The error message is: Invalid principal in policy: "Service": "ec2.cn-northwest-1.amazonaws.com.cn"

@Brian Can you check whether you can create this policy directly using the AWS console? (I don't have an AWS China account...) If you can create it, we can narrow it down to Terraform, because according to the documentation ec2.cn-western-1.amazonaws.com.cn is a valid and correct principal for that action.

I can create an IAM role with that inline policy through the AWS console in AWS China.
Terraform will perform the following actions:

  # aws_iam_role.role will be created
  + resource "aws_iam_role" "role" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sts:AssumeRole"
                      + Effect    = "Allow"
                      + Principal = {
                          + Service = "ec2.amazonaws.com"
                        }
                      + Sid       = ""
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = false
      + id                    = (known after apply)
      + max_session_duration  = 3600
      + name                  = "TestRole"
      + path                  = "/"
      + unique_id             = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.
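A partition-aware version of the configuration from the question, added here as an example and not taken from the question or the answers: it derives the EC2 service principal from the aws_partition data source's dns_suffix attribute (not mentioned on this page), so the same module produces ec2.amazonaws.com in commercial regions and ec2.amazonaws.com.cn in cn-northwest-1, the value the comment above reports as working. It assumes the AWS provider's default credential chain instead of passing keys with -var.

```hcl
# Added example, not the question's own code. Credentials are assumed to come
# from the provider's default chain (environment, shared config or a role
# session), so no access_key/secret_key variables are needed here.
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}

variable "region" {
  description = "Region to deploy into, e.g. cn-northwest-1 (Ningxia) or us-east-1"
  type        = string
}

provider "aws" {
  region = var.region
}

# Partition metadata for the configured region: for cn-north-1 and
# cn-northwest-1 this yields partition = "aws-cn" and
# dns_suffix = "amazonaws.com.cn"; for commercial regions "amazonaws.com".
data "aws_partition" "current" {}

locals {
  # Service principals use the partition DNS suffix, not a regional endpoint,
  # which is why a regional name such as ec2.cn-northwest-1.amazonaws.com.cn
  # is rejected as an invalid principal in the trust policy.
  ec2_service_principal = "ec2.${data.aws_partition.current.dns_suffix}"
}

data "aws_iam_policy_document" "policy_doc" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = [local.ec2_service_principal]
    }
  }
}

resource "aws_iam_role" "role" {
  name               = "TestRole"
  assume_role_policy = data.aws_iam_policy_document.policy_doc.json
}

# Surfaces the principal actually written into the trust policy for review.
output "ec2_service_principal" {
  value = local.ec2_service_principal
}
```

Running terraform plan with -var 'region=cn-northwest-1' should show Service = "ec2.amazonaws.com.cn" in the rendered assume_role_policy, matching what get-account-authorization-details returns for console-created roles.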