Terraform: creating an aws_api_gateway_account resource returns AccessDeniedException

Tags: terraform, aws-api-gateway, terraform-provider-aws

In my Terraform script I have the following resource:

resource "aws_api_gateway_account" "demo" {
  cloudwatch_role_arn = var.apigw_cloudwatch_role_arn
}
During the apply stage I see the following error:

2020/09/21 20:20:48 [ERROR] <root>: eval: *terraform.EvalApplyPost, err: Updating API Gateway Account failed: AccessDeniedException: 
    status code: 403, request id: abb0662e-ead2-4d95-b987-7d889088a5ef

Do I need to attach a specific permission to the role to get rid of this error?

I haven't tested it yet, but I believe the role needs to look like the following. See the source for more context: the "Enable CloudWatch Logs" section.

For common application scenarios, the IAM role can have the AmazonAPIGatewayPushToCloudWatchLogs managed policy attached, which contains the following access policy statement:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:PutLogEvents",
        "logs:GetLogEvents",
        "logs:FilterLogEvents"
      ],
      "Resource": "*"
    }
  ]
}

The IAM role must also include the following trust relationship statement:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
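The two policy documents above, expressed as Terraform so the role is created with exactly that trust relationship, has the managed policy attached, and its ARN is handed to the aws_api_gateway_account resource from the question. This is an added example, not code from the question or the answer; the resource and data-source names (apigw_assume_role, apigw_cloudwatch) and the role name are assumptions, while the managed policy ARN is the standard AWS one.

```hcl
# Trust relationship: only the API Gateway service may assume this role
# (same statement as the JSON in the answer, generated by Terraform).
data "aws_iam_policy_document" "apigw_assume_role" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["apigateway.amazonaws.com"]
    }
  }
}

# The role API Gateway uses to push execution/access logs to CloudWatch.
# Role name is an assumption for this example.
resource "aws_iam_role" "apigw_cloudwatch" {
  name               = "apigw-cloudwatch-logs"
  assume_role_policy = data.aws_iam_policy_document.apigw_assume_role.json
}

# Attach the AWS-managed policy quoted in the answer instead of hand-writing
# the logs:* statement; its ARN lives under the service-role/ path.
resource "aws_iam_role_policy_attachment" "apigw_cloudwatch" {
  role       = aws_iam_role.apigw_cloudwatch.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
}

# The account-level setting from the question, now pointing at the role above.
# depends_on makes sure the policy is attached before API Gateway is told to
# use the role, so the first log write does not fail on a half-configured role.
resource "aws_api_gateway_account" "demo" {
  cloudwatch_role_arn = aws_iam_role.apigw_cloudwatch.arn

  depends_on = [aws_iam_role_policy_attachment.apigw_cloudwatch]
}
```

If the 403 persists once the role exists, check the credentials that run terraform apply rather than the role: the AccessDeniedException in the question is returned to the caller of the account update, so that caller needs permission to update the API Gateway account and to pass the role to the service (iam:PassRole on the role's ARN).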