如何修复 MalformedPolicyDocument:使用 terraform 时生成的策略中的语法错误
How to fix MalformedPolicyDocument: syntax error in policy generated when use terraform
我正在创建 IAM 策略以强制用户在访问 AWS 之前首先使用 MFA 登录进行身份验证 resources.When 我 运行 terraform 应用,我收到 MalformedPolicyDocument:[=18 中的语法错误=] 帮助将 appreciated.thanks
{
"版本": "2012-10-17",
“陈述”: [
{
"Sid": "AllowViewAccountInfo",
"效果": "允许",
“行动”: [
"iam:GetAccountPasswordPolicy",
"iam:ListVirtualMFADevices"
],
"Resource": "*"
},
"Sid": "AllowManageOwnAccessKeys",
"Effect": "Allow",
"Action": [
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:ListAccessKeys",
"iam:UpdateAccessKey"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnSSHPublicKeys",
"Effect": "Allow",
"Action": [
"iam:DeleteSSHPublicKey",
"iam:GetSSHPublicKey",
"iam:ListSSHPublicKeys",
"iam:UpdateSSHPublicKey",
"iam:UploadSSHPublicKey"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnGitCredentials",
"Effect": "Allow",
"Action": [
"iam:CreateServiceSpecificCredential",
"iam:DeleteServiceSpecificCredential",
"iam:ListServiceSpecificCredentials",
"iam:ResetServiceSpecificCredential",
"iam:UpdateServiceSpecificCredential"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnVirtualMFADevice",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:DeleteVirtualMFADevice"
],
"Resource": "arn:aws:iam::*:mfa/${aws:username}"
},
{
"Sid": "AllowManageOwnUserMFA",
"Effect": "Allow",
"Action": [
"iam:DeactivateMFADevice",
"iam:EnableMFADevice",
"iam:ListMFADevices",
"iam:ResyncMFADevice"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "DenyAllExceptListedIfNoMFA",
"Effect": "Deny",
"NotAction": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:GetUser",
"iam:ListMFADevices",
"iam:ListVirtualMFADevices",
"iam:ResyncMFADevice",
"sts:GetSessionToken"
],
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
]
}
你的 json 少了一个 {。如果您使用此 json 并尝试在控制台中制定策略,它将为您提供出现问题的确切位置。
就在 "Sid": "AllowManageOwnAccessKeys", 之前,您缺少 {.
更新:
以下是aws官方文档中关于使用变量的示例。
{
"Version": "2012-10-17",
"Statement": [{
"Action": ["iam:*AccessKey*"],
"Effect": "Allow",
"Resource": ["arn:aws:iam::account-id:user/${aws:username}"]
}]
}
您可以根据此更改您的政策。
我正在创建 IAM 策略以强制用户在访问 AWS 之前首先使用 MFA 登录进行身份验证 resources.When 我 运行 terraform 应用,我收到 MalformedPolicyDocument:[=18 中的语法错误=] 帮助将 appreciated.thanks
{ "版本": "2012-10-17", “陈述”: [ { "Sid": "AllowViewAccountInfo", "效果": "允许", “行动”: [ "iam:GetAccountPasswordPolicy",
"iam:ListVirtualMFADevices"
],
"Resource": "*"
},
"Sid": "AllowManageOwnAccessKeys",
"Effect": "Allow",
"Action": [
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:ListAccessKeys",
"iam:UpdateAccessKey"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnSSHPublicKeys",
"Effect": "Allow",
"Action": [
"iam:DeleteSSHPublicKey",
"iam:GetSSHPublicKey",
"iam:ListSSHPublicKeys",
"iam:UpdateSSHPublicKey",
"iam:UploadSSHPublicKey"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnGitCredentials",
"Effect": "Allow",
"Action": [
"iam:CreateServiceSpecificCredential",
"iam:DeleteServiceSpecificCredential",
"iam:ListServiceSpecificCredentials",
"iam:ResetServiceSpecificCredential",
"iam:UpdateServiceSpecificCredential"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnVirtualMFADevice",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:DeleteVirtualMFADevice"
],
"Resource": "arn:aws:iam::*:mfa/${aws:username}"
},
{
"Sid": "AllowManageOwnUserMFA",
"Effect": "Allow",
"Action": [
"iam:DeactivateMFADevice",
"iam:EnableMFADevice",
"iam:ListMFADevices",
"iam:ResyncMFADevice"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "DenyAllExceptListedIfNoMFA",
"Effect": "Deny",
"NotAction": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:GetUser",
"iam:ListMFADevices",
"iam:ListVirtualMFADevices",
"iam:ResyncMFADevice",
"sts:GetSessionToken"
],
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
]
}
你的 json 少了一个 {。如果您使用此 json 并尝试在控制台中制定策略,它将为您提供出现问题的确切位置。
就在 "Sid": "AllowManageOwnAccessKeys", 之前,您缺少 {.
更新: 以下是aws官方文档中关于使用变量的示例。
{
"Version": "2012-10-17",
"Statement": [{
"Action": ["iam:*AccessKey*"],
"Effect": "Allow",
"Resource": ["arn:aws:iam::account-id:user/${aws:username}"]
}]
}
您可以根据此更改您的政策。