为什么不能在 aws iam 上为 datadog 创建主体?
Why can't create principal on aws iam for datadog?
来自datadog指南,想集成aws:
https://docs.datadoghq.com/integrations/amazon_web_services/
创建了一个名为 DatadogAWSIntegrationPolicy 的新策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucketByTags",
"s3:GetLifecycleConfiguration",
"s3:GetBucketTagging",
"s3:GetInventoryConfiguration",
"s3:GetObjectVersionTagging",
"s3:ListBucketVersions",
"s3:GetBucketLogging",
"ec2:GetHostReservationPurchasePreview",
"ec2:DescribeVolumesModifications",
"s3:GetAccelerateConfiguration",
"ec2:GetConsoleScreenshot",
"s3:GetBucketPolicy",
"ec2:GetConsoleOutput",
"s3:GetObjectVersionTorrent",
"s3:GetObjectAcl",
"s3:GetEncryptionConfiguration",
"ec2:GetLaunchTemplateData",
"s3:GetBucketRequestPayment",
"ec2:DescribeScheduledInstanceAvailability",
"s3:GetObjectVersionAcl",
"s3:GetObjectTagging",
"s3:GetMetricsConfiguration",
"s3:GetIpConfiguration",
"s3:ListBucketMultipartUploads",
"s3:GetBucketWebsite",
"ec2:DescribeTags",
"ec2:DescribeVpnConnections",
"s3:GetBucketVersioning",
"s3:GetBucketAcl",
"s3:GetBucketNotification",
"ec2:GetReservedInstancesExchangeQuote",
"s3:GetReplicationConfiguration",
"s3:ListMultipartUploadParts",
"s3:GetObject",
"ec2:GetPasswordData",
"s3:GetObjectTorrent",
"ec2:DescribeScheduledInstances",
"s3:GetBucketCORS",
"s3:GetAnalyticsConfiguration",
"ec2:DescribeElasticGpus",
"s3:GetObjectVersionForReplication",
"s3:GetBucketLocation",
"s3:GetObjectVersion"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::464622532012:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}
}
}
]
}
然而,当点击Review policy按钮时,它说:
This policy contains the following error: Has prohibited field Principal For more information about the IAM policy grammar, see AWS IAM Policies
语法遵循 datadog 服务:
您似乎创建了一些 策略,但不是所需类型的策略。当你为 Datadog 创建角色时,你必须选择一个非常具体的角色类型:
Select Another AWS account for the Role Type.
然后为该角色创建策略。另外,别忘了
Check off Require external ID
只要您按照指南一步步进行,应该不会有任何问题:https://docs.datadoghq.com/integrations/amazon_web_services/
我遇到了这个问题,当我尝试将角色代入角色用作 assume_role_policy 上的代入角色并尝试附加它时。
一旦我删除了我使用角色假设策略文档和角色策略附件创建的 aws_iam_policy,它就起作用了。
希望对您有所帮助。
来自datadog指南,想集成aws:
https://docs.datadoghq.com/integrations/amazon_web_services/
创建了一个名为 DatadogAWSIntegrationPolicy 的新策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucketByTags",
"s3:GetLifecycleConfiguration",
"s3:GetBucketTagging",
"s3:GetInventoryConfiguration",
"s3:GetObjectVersionTagging",
"s3:ListBucketVersions",
"s3:GetBucketLogging",
"ec2:GetHostReservationPurchasePreview",
"ec2:DescribeVolumesModifications",
"s3:GetAccelerateConfiguration",
"ec2:GetConsoleScreenshot",
"s3:GetBucketPolicy",
"ec2:GetConsoleOutput",
"s3:GetObjectVersionTorrent",
"s3:GetObjectAcl",
"s3:GetEncryptionConfiguration",
"ec2:GetLaunchTemplateData",
"s3:GetBucketRequestPayment",
"ec2:DescribeScheduledInstanceAvailability",
"s3:GetObjectVersionAcl",
"s3:GetObjectTagging",
"s3:GetMetricsConfiguration",
"s3:GetIpConfiguration",
"s3:ListBucketMultipartUploads",
"s3:GetBucketWebsite",
"ec2:DescribeTags",
"ec2:DescribeVpnConnections",
"s3:GetBucketVersioning",
"s3:GetBucketAcl",
"s3:GetBucketNotification",
"ec2:GetReservedInstancesExchangeQuote",
"s3:GetReplicationConfiguration",
"s3:ListMultipartUploadParts",
"s3:GetObject",
"ec2:GetPasswordData",
"s3:GetObjectTorrent",
"ec2:DescribeScheduledInstances",
"s3:GetBucketCORS",
"s3:GetAnalyticsConfiguration",
"ec2:DescribeElasticGpus",
"s3:GetObjectVersionForReplication",
"s3:GetBucketLocation",
"s3:GetObjectVersion"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::464622532012:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}
}
}
]
}
然而,当点击Review policy按钮时,它说:
This policy contains the following error: Has prohibited field Principal For more information about the IAM policy grammar, see AWS IAM Policies
语法遵循 datadog 服务:
您似乎创建了一些 策略,但不是所需类型的策略。当你为 Datadog 创建角色时,你必须选择一个非常具体的角色类型:
Select Another AWS account for the Role Type.
然后为该角色创建策略。另外,别忘了
Check off Require external ID
只要您按照指南一步步进行,应该不会有任何问题:https://docs.datadoghq.com/integrations/amazon_web_services/
我遇到了这个问题,当我尝试将角色代入角色用作 assume_role_policy 上的代入角色并尝试附加它时。
一旦我删除了我使用角色假设策略文档和角色策略附件创建的 aws_iam_policy,它就起作用了。
希望对您有所帮助。