如何在terraform中定义“承担角色”策略?
这是我在terraform中的aws_iam_角色定义如何在terraform中定义“承担角色”策略?,terraform,terraform-provider-aws,Terraform,Terraform Provider Aws,这是我在terraform中的aws_iam_角色定义 resource "aws_iam_role" "server_role" { name = "server-role" assume_role_policy = <<EOF { "Version": "2012-10-17", "Statement": [ { "Action": [ "sts:AssumeEnvironment", "sqs:ChangeM
resource "aws_iam_role" "server_role" {
name = "server-role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sts:AssumeEnvironment",
"sqs:ChangeMessageVisibility",
"sqs:ReceiveMessage",
"sqs:SendMessage",
"s3:GetObject*",
"s3:ListBucket*",
"s3:PutBucket*",
"s3:PutObject*"
],
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
但我在尝试运行terraform plan时遇到了这个错误:
错误:应用计划时出错:
1发生错误:
aws_iam_角色。服务器_角色:1发生错误:
aws_iam_role.server_角色:创建iam角色时出错服务器角色:格式错误的策略文档:假设角色策略可能
仅指定STS AssumeRole操作。状态代码:400,请求id:
55f1bfaf-a121-11e9-acaf-BB57D63577B
我基本上希望允许服务器读/写S3存储桶和读/写SQS队列
显然,我不能将所有这些SQ:*和s3:*添加到同一个位置。我怎样才能在terraform中做到这一点?您对IAM策略和IAM承担角色策略感到困惑。 试试下面的方法。它将为EC2创建IAM配置文件,您可以将其附加到EC2实例
resource "aws_iam_role" "server_role" {
name = "server-role"
path = "/"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
}
resource "aws_iam_policy" "server_policy" {
name = "server_policy"
path = "/"
description = "TBD"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sqs:ChangeMessageVisibility",
"sqs:ReceiveMessage",
"sqs:SendMessage",
"s3:GetObject*",
"s3:ListBucket*",
"s3:PutBucket*",
"s3:PutObject*"
],
"Resource": [
"*"
]
,
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
resource "aws_iam_role_policy_attachment" "server_policy" {
role = "${aws_iam_role.server_role.name}"
policy_arn = "${aws_iam_policy.server_policy.arn}"
}
resource "aws_iam_instance_profile" "server" {
name = "server_profile"
role = "${aws_iam_role.server_role.name}"
}
非常感谢你的回答。我想我在这方面的知识还有很多差距。e、 g.这是我第一次了解aws_iam_实例_配置文件