Amazon web services Terraform:承担角色的问题
几天来我一直在试图解开这个谜团,但毫无乐趣。基本上,地形无法承担角色,并且在以下方面失败:Amazon web services Terraform:承担角色的问题,amazon-web-services,amazon-s3,terraform,assume-role,Amazon Web Services,Amazon S3,Terraform,Assume Role,几天来我一直在试图解开这个谜团,但毫无乐趣。基本上,地形无法承担角色,并且在以下方面失败: Initializing the backend... 2019/10/28 09:13:09 [DEBUG] New state was assigned lineage "136dca1a-b46b-1e64-0ef2-efd6799b4ebc" 2019/10/28 09:13:09 [INFO] Setting AWS metadata API timeout to 100ms 2019/10/2
Initializing the backend...
2019/10/28 09:13:09 [DEBUG] New state was assigned lineage "136dca1a-b46b-1e64-0ef2-efd6799b4ebc"
2019/10/28 09:13:09 [INFO] Setting AWS metadata API timeout to 100ms
2019/10/28 09:13:09 [INFO] Ignoring AWS metadata API endpoint at default location as it doesn't return any instance-id
2019/10/28 09:13:09 [INFO] AWS Auth provider used: "SharedCredentialsProvider"
2019/10/28 09:13:09 [INFO] Attempting to AssumeRole arn:aws:iam::72xxxxxxxxxx:role/terraform-admin-np (SessionName: "terra_cnp", ExternalId: "", Policy: "")
Error: The role "arn:aws:iam::72xxxxxxxxxx:role/terraform-admin-np" cannot be assumed.
There are a number of possible causes of this - the most common are:
* The credentials used in order to assume the role are invalid
* The credentials do not have appropriate permission to assume the role
* The role ARN is not valid
在AWS中:
我有角色:terraform admin np
,具有2个AWS管理策略:AmazonS3完全访问
和AdministratorAccess
以及与此的信任关系:
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::72xxxxxxxxxx:root"
},
"Action": "sts:AssumeRole"
}
]
}
然后我有一个用户,并附上了政策文档:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "TfFullAccessSts",
"Effect": "Allow",
"Action": [
"sts:AssumeRole",
"sts:DecodeAuthorizationMessage",
"sts:AssumeRoleWithSAML",
"sts:AssumeRoleWithWebIdentity"
],
"Resource": "*"
},
{
"Sid": "TfFullAccessAll",
"Effect": "Allow",
"Action": "*",
"Resource": [
"*",
"arn:aws:ec2:region:account:network-interface/*"
]
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "TFStateListBucket",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::72xxxxxxxxxx:root"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::txxxxxxxxxxxxxxte"
},
{
"Sid": "TFStateGetPutObject",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::72xxxxxxxxxx:root"
},
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::txxxxxxxxxxxxxxte/*"
}
]
}
和一个S3 bucket:txxxxxxxxxxte
,随附本保单文件:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "TfFullAccessSts",
"Effect": "Allow",
"Action": [
"sts:AssumeRole",
"sts:DecodeAuthorizationMessage",
"sts:AssumeRoleWithSAML",
"sts:AssumeRoleWithWebIdentity"
],
"Resource": "*"
},
{
"Sid": "TfFullAccessAll",
"Effect": "Allow",
"Action": "*",
"Resource": [
"*",
"arn:aws:ec2:region:account:network-interface/*"
]
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "TFStateListBucket",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::72xxxxxxxxxx:root"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::txxxxxxxxxxxxxxte"
},
{
"Sid": "TFStateGetPutObject",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::72xxxxxxxxxx:root"
},
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::txxxxxxxxxxxxxxte/*"
}
]
}
在地形中:
提供程序.tf中的代码段:
###---- Default Backend and Provider config values -----------###
terraform {
required_version = ">= 0.12"
backend "s3" {
encrypt = true
}
}
provider "aws" {
region = var.region
version = "~> 2.20"
profile = var.profile
assume_role {
role_arn = var.role_arn
session_name = var.session_name
}
}
来自tgw_cnp.tfvars
后端配置的代码段:
## S3 backend config
key = "backend/tgw_cnp_state"
bucket = "txxxxxxxxxxxxxxte"
region = "us-east-2"
profile = "local-tgw"
role_arn = "arn:aws:iam::72xxxxxxxxxx:role/terraform-admin-np"
session_name = "terra_cnp"
然后这样运行:
TF_LOG=debug terraform init -backend-config=tgw_cnp.tfvars
有了这一点,我可以使用AWS CLI担任该角色,而不会出现任何问题:
# aws --profile local-tgw sts assume-role --role-arn "arn:aws:iam::72xxxxxxxxxx:role/terraform-admin-np" --role-session-name AWSCLI
{
"Credentials": {
"AccessKeyId": "AXXXXXXXXXXXXXXXXXXA",
"SecretAccessKey": "UixxxxxxxxxxxxxxxxxxxxxxxxxxxxMt",
"SessionToken": "FQoGZXIvYXdzEJb//////////wEaD......./5LFwNWf6riiNw9vtBQ==",
"Expiration": "2019-10-28T13:39:41Z"
},
"AssumedRoleUser": {
"AssumedRoleId": "AROA2P7ZON5TSWMOBQEBC:AWSCLI",
"Arn": "arn:aws:sts::72xxxxxxxxxx:assumed-role/terraform-admin-np/AWSCLI"
}
}
但terraform因上述错误而失败。知道我做错了什么吗?好的,回答我自己的问题。。。。。。。。
它现在起作用了。我犯了一个愚蠢的错误-tgw_cnp.tfvars中的区域
是错误的,而我一直没有注意到。在AWS CLI中,因为我不必指定区域(它是从概要文件中获取的),所以它可以正常工作,但在TF中,我指定了区域,并且值是错误的,因此失败了。错误报告中的建议有点误导
我可以确认上述配置工作正常。现在一切都好了 您是否可以共享用于担任角色的AWS CLI命令(删除敏感数据后)?sure thing@krishna_mee2004-我实际上已将输出添加到OP。使用CLI时,您似乎正在使用default tgw
profile。然而,在Terraform中,您提到了本地tgw
。您可以使用本地tgw配置文件尝试CLI,看看您是否可以担任该角色吗?这是我愚蠢的输入错误@krishna_mee2004-实际的配置文件名既不是local tgw
也不是defaut tgw
。在命名过程中有很多敏感因素,所以我只是试图掩盖它,并在命名过程中犯了错误。我可以保证TF和CLI中使用的配置文件完全相同。我修正了OP中的输入错误,以尽量减少混乱。你的设置应该是理想的,没有任何问题,它对我来说是有效的。需要检查的一件事是:您是否在~/.aws/credentials文件中定义了profilelocaltgw
的键?