如何在terraform中定义“承担角色”策略?

如何在terraform中定义“承担角色”策略?,terraform,terraform-provider-aws,Terraform,Terraform Provider Aws,这是我在terraform中的aws_iam_角色定义 resource "aws_iam_role" "server_role" { name = "server-role" assume_role_policy = <<EOF { "Version": "2012-10-17", "Statement": [ { "Action": [ "sts:AssumeEnvironment", "sqs:ChangeM

这是我在terraform中的aws_iam_角色定义

resource "aws_iam_role" "server_role" {
  name = "server-role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "sts:AssumeEnvironment",
        "sqs:ChangeMessageVisibility",
        "sqs:ReceiveMessage",
        "sqs:SendMessage",
        "s3:GetObject*",
        "s3:ListBucket*",
        "s3:PutBucket*",
        "s3:PutObject*"
      ],
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
但我在尝试运行terraform plan时遇到了这个错误:

错误:应用计划时出错:

1发生错误:

aws_iam_角色。服务器_角色:1发生错误:

aws_iam_role.server_角色:创建iam角色时出错服务器角色:格式错误的策略文档:假设角色策略可能 仅指定STS AssumeRole操作。状态代码:400,请求id: 55f1bfaf-a121-11e9-acaf-BB57D63577B

我基本上希望允许服务器读/写S3存储桶和读/写SQS队列


显然,我不能将所有这些SQ:*和s3:*添加到同一个位置。我怎样才能在terraform中做到这一点?

您对IAM策略和IAM承担角色策略感到困惑。 试试下面的方法。它将为EC2创建IAM配置文件,您可以将其附加到EC2实例

resource "aws_iam_role" "server_role" {
  name = "server-role"

  path = "/"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

resource "aws_iam_policy" "server_policy" {
  name        = "server_policy"
  path        = "/"
  description = "TBD"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "sqs:ChangeMessageVisibility",
        "sqs:ReceiveMessage",
        "sqs:SendMessage",
        "s3:GetObject*",
        "s3:ListBucket*",
        "s3:PutBucket*",
        "s3:PutObject*"
      ],
      "Resource": [
          "*"
      ]
      ,
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

resource "aws_iam_role_policy_attachment" "server_policy" {
  role       = "${aws_iam_role.server_role.name}"
  policy_arn = "${aws_iam_policy.server_policy.arn}"
}

resource "aws_iam_instance_profile" "server" {
  name = "server_profile"
  role = "${aws_iam_role.server_role.name}"
}

非常感谢你的回答。我想我在这方面的知识还有很多差距。e、 g.这是我第一次了解aws_iam_实例_配置文件