添加权限时 Terraform AWS 角色策略失败
Terraform AWS role policy fails when adding permissions
我需要使用 Terraform 为 AWS 创建一些角色策略,基本角色工作正常,但是当我添加 S3 和日志时,我收到格式错误:
aws_iam_role.lambda_exec_role_s3: Error creating IAM Role lambda_exec_role_s3: MalformedPolicyDocument: Has prohibited field Resource
status code: 400
这是失败的角色策略:
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:*:*:*"
}
]
}
EOF
这里是工作角色策略:
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
您不能在代入角色策略中添加实际操作。
代入角色策略用于限制代入角色的方式(通过 users/EC2 实例或 ECS tasks/AWS services/cross 账户角色等)。
您需要指定该角色可以在策略中执行的实际操作,可以是在线的,也可以是在随后附加到该角色的托管策略中。
我需要使用 Terraform 为 AWS 创建一些角色策略,基本角色工作正常,但是当我添加 S3 和日志时,我收到格式错误:
aws_iam_role.lambda_exec_role_s3: Error creating IAM Role lambda_exec_role_s3: MalformedPolicyDocument: Has prohibited field Resource status code: 400
这是失败的角色策略:
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:*:*:*"
}
]
}
EOF
这里是工作角色策略:
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
您不能在代入角色策略中添加实际操作。
代入角色策略用于限制代入角色的方式(通过 users/EC2 实例或 ECS tasks/AWS services/cross 账户角色等)。
您需要指定该角色可以在策略中执行的实际操作,可以是在线的,也可以是在随后附加到该角色的托管策略中。