Terraform plan command failing
I'm trying to run my Terraform plan command with a different user and a custom policy, but I can't figure out which policy action is missing for running this command. I don't want to grant `ec2:*`.

The resources are already running and we're trying to move the code to another project.

When I run the plan with `ec2:*` permission, it works fine.
Error:
Error refreshing state: 2 error(s) occurred:
* module.mesos.aws_instance.master: 3 error(s) occurred:
* module.mesos.aws_instance.master[2]: aws_instance.master.2: UnauthorizedOperation: You are not authorized to perform this operation.
status code: 403, request id: 484574e1-0dd0-4c43-b829-42c034763bad
* module.mesos.aws_instance.master[1]: aws_instance.master.1: UnauthorizedOperation: You are not authorized to perform this operation.
status code: 403, request id: e0499d28-d55c-46e8-af1a-91262427b422
* module.mesos.aws_instance.master[0]: aws_instance.master.0: UnauthorizedOperation: You are not authorized to perform this operation.
status code: 403, request id: f1fb50ac-7bb5-47d6-b1b4-b24b38a61fdd
* module.mesos.data.aws_ami.agent: 1 error(s) occurred:
* module.mesos.data.aws_ami.agent: data.aws_ami.agent: UnauthorizedOperation: You are not authorized to perform this operation.
status code: 403, request id: a7dcf75b-30d1-4c74-8c30-a002644db313
Code:

    {
        "Sid": "gitec2",
        "Effect": "Allow",
        "Action": [
            "ec2:DescribeInstances",
            "ec2:DescribeVolumeStatus",
            "ec2:StartInstances",
            "ec2:DescribeVolumes",
            "ec2:RunInstances",
            "ec2:StopInstances",
            "ec2:AssignPrivateIpAddresses",
            "ec2:DescribeVolumeAttribute",
            "ec2:DescribeSubnets",
            "ec2:AttachVolume",
            "ec2:DescribeRegions",
            "ec2:DescribeVpcAttribute",
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeInstanceStatus",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeVpcs",
            "ec2:DescribeNetworkAcls",
            "ec2:DescribeRouteTables",
            "ec2:DescribeLaunchTemplates",
            "ec2:DescribeAddresses",
            "ec2:DescribeInstanceAttributes",
            "ec2:DescribeNetworkInterfaces",
            "ec2:CreateSecurityGroup",
            "ec2:TerminateInstances",
            "ec2:DescribeIamInstanceProfileAssociations",
            "ec2:DescribeTags",
            "ec2:DescribeImageAttribute",
            "ec2:DescribeSecurityGroupReferences",
            "ec2:AssociateIamInstanceProfile",
            "ec2:AttachInternetGateway",
            "ec2:AttachNetworkGateway",
            "ec2:AssociateIamInstanceProfile",
            "ec2:DeleteSecurityGroup"
        ],
        "Resource": "*"
    }
The `aws_instance` resource's read method (called when refreshing state) calls the DescribeInstances, DescribeInstanceAttribute and DescribeIamInstanceProfileAssociations endpoints, which require the `ec2:DescribeInstances`, `ec2:DescribeInstanceAttribute` and `ec2:DescribeIamInstanceProfileAssociations` IAM actions respectively.

The `aws_ami` data source calls the DescribeImages endpoint, which requires the `ec2:DescribeImages` IAM action.

So you are missing `ec2:DescribeInstanceAttribute` (your `ec2:DescribeInstanceAttributes` is not a valid action) and `ec2:DescribeImages`.

You can find the calls Terraform makes by looking at the source code (`aws_instance` and `aws_ami`), while the relevant IAM actions can be found in the IAM docs for EC2.

I'd be surprised if there was a good reason not to allow `ec2:Describe*`, as these are just read-only operations and shouldn't expose any sensitive information.
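The reasoning in the answer (compare the actions Terraform's read paths need against what the policy actually grants) can be checked locally before touching IAM. The script below is an added example, not code from the question or the answer: it parses a policy document, evaluates Allow/Deny statements with IAM-style `*` wildcards, and reports which required actions are uncovered. The `REQUIRED_ACTIONS` map is the list given in the answer; the sample policy is a constructed, trimmed copy of the question's statement, and Resource/Condition matching is deliberately not modelled (the question's policy uses `Resource: "*"` and no conditions).

```python
"""Check an IAM policy document for the actions Terraform's refresh needs.

Added example, not code from the question or the answer. It models the
answer's reasoning locally: collect every Allow/Deny statement, match
actions with IAM wildcards (e.g. "ec2:Describe*") via fnmatch, and report
which required actions are not covered. Resource and Condition are ignored.
"""
import fnmatch
import json

# Actions the answer says each Terraform resource's read path needs.
REQUIRED_ACTIONS = {
    "aws_instance": [
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeIamInstanceProfileAssociations",
    ],
    "data.aws_ami": ["ec2:DescribeImages"],
}

# Constructed sample: a trimmed copy of the question's policy statement,
# wrapped in a full policy document with the Version field IAM expects.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "gitec2",
        "Effect": "Allow",
        "Action": [
            "ec2:DescribeInstances",
            "ec2:DescribeInstanceAttributes",  # typo from the question: not a real action
            "ec2:DescribeIamInstanceProfileAssociations",
            "ec2:DescribeImageAttribute",      # not the same as DescribeImages
        ],
        "Resource": "*",
    }],
})


def _as_list(value):
    """IAM allows either a string or a list for Statement/Action/NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def action_is_allowed(policy, action):
    """True if some Allow statement matches the action and no Deny statement does."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        patterns = _as_list(stmt.get("Action"))
        not_patterns = _as_list(stmt.get("NotAction"))
        if patterns:
            hit = any(_matches(p, action) for p in patterns)
        elif not_patterns:
            hit = not any(_matches(p, action) for p in not_patterns)
        else:
            continue  # a statement needs Action or NotAction; skip malformed ones
        if not hit:
            continue
        if stmt.get("Effect") == "Deny":
            return False  # an explicit Deny always wins
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_actions(policy_json, required=REQUIRED_ACTIONS):
    """Map each Terraform resource to the required actions the policy lacks."""
    policy = json.loads(policy_json)
    report = {}
    for resource, actions in required.items():
        gaps = [a for a in actions if not action_is_allowed(policy, a)]
        if gaps:
            report[resource] = gaps
    return report


if __name__ == "__main__":
    for resource, gaps in missing_actions(SAMPLE_POLICY).items():
        print(f"{resource}: missing {', '.join(gaps)}")
```

Run against the sample it reports exactly the two gaps the answer identifies, and swapping the Action list for `"ec2:Describe*"` makes the report empty, which is a quick way to confirm that the typo `DescribeInstanceAttributes` never matched anything. Because it only reads the JSON, it can sit in a pre-commit hook or CI step beside the Terraform code without any AWS credentials.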