aws autscaling api 通过 terraform 的访问策略
aws autscaling api access policy via terraform
使用由服务器控制的 aws 自动缩放组,预测即将到来的负载并根据需要缩放 up/down。服务器需要具有最少所需权限的自动缩放 api 权限。
我的问题是限制服务器仅使用在资源字段上定义的特定自动缩放组。到目前为止,我发现的所有策略示例都只在资源字段中使用“*”,如果我没记错的话,这应该意味着它可以访问所有自动缩放组。
data "aws_iam_policy_document" "default" {
statement {
sid = "S3PolicyStmtNodeAutoscalingApiCalls"
effect = "Allow"
actions = [
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup"
]
resources = [ var.autoscaling_group_arn ]
}
}
通过 terraform 实施,这转化为以下 json 政策(自动缩放组 arn 混淆):
resource "aws_iam_policy" "aws_api_access" {
arn = "arn:aws:iam::123456789123:policy/aws-api-access"
id = "arn:aws:iam::123456789123:policy/aws-api-access"
name = "aws-api-access"
path = "/"
policy = jsonencode({
Statement = [
{
Action = [
"autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:SetDesiredCapacity",
"autoscaling:DescribeAutoScalingGroups",
]
Effect = "Allow"
Resource = "arn:aws:autoscaling:region:acountid:autoScalingGroup:id:autoScalingGroupName/name"
Sid = "S3PolicyStmtAutoscalingApiCalls"
}
]
Version = "2012-10-17"
})
}
错误是 AccessDenied:用户:arn:aws:sts::id:assumed-role/role_name/i-instance-id 无权执行:autoscaling:DescribeAutoScalingGroups
到目前为止,我只使用资源属性中的通配符将它 运行,感谢任何提示。
解决方案在评论中,将 autoscaling:DescribeAutoScalingGroups 与其余部分分开解决了无法在资源字段中指定自动缩放组的问题。
data "aws_iam_policy_document" "default" {
statement {
sid = "S3PolicyStmtNodeAutoscalingApiCalls"
effect = "Allow"
actions = [
"autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup"
]
resources = [ var.autoscaling_group_arn ]
}
statement {
sid = "S3PolicyStmtNodeAutoscalingDescribe"
effect = "Allow"
actions = [
"autoscaling:DescribeAutoScalingGroups"
]
resources = [ "*" ]
}
}
使用由服务器控制的 aws 自动缩放组,预测即将到来的负载并根据需要缩放 up/down。服务器需要具有最少所需权限的自动缩放 api 权限。
我的问题是限制服务器仅使用在资源字段上定义的特定自动缩放组。到目前为止,我发现的所有策略示例都只在资源字段中使用“*”,如果我没记错的话,这应该意味着它可以访问所有自动缩放组。
data "aws_iam_policy_document" "default" {
statement {
sid = "S3PolicyStmtNodeAutoscalingApiCalls"
effect = "Allow"
actions = [
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup"
]
resources = [ var.autoscaling_group_arn ]
}
}
通过 terraform 实施,这转化为以下 json 政策(自动缩放组 arn 混淆):
resource "aws_iam_policy" "aws_api_access" {
arn = "arn:aws:iam::123456789123:policy/aws-api-access"
id = "arn:aws:iam::123456789123:policy/aws-api-access"
name = "aws-api-access"
path = "/"
policy = jsonencode({
Statement = [
{
Action = [
"autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:SetDesiredCapacity",
"autoscaling:DescribeAutoScalingGroups",
]
Effect = "Allow"
Resource = "arn:aws:autoscaling:region:acountid:autoScalingGroup:id:autoScalingGroupName/name"
Sid = "S3PolicyStmtAutoscalingApiCalls"
}
]
Version = "2012-10-17"
})
}
错误是 AccessDenied:用户:arn:aws:sts::id:assumed-role/role_name/i-instance-id 无权执行:autoscaling:DescribeAutoScalingGroups
到目前为止,我只使用资源属性中的通配符将它 运行,感谢任何提示。
解决方案在评论中,将 autoscaling:DescribeAutoScalingGroups 与其余部分分开解决了无法在资源字段中指定自动缩放组的问题。
data "aws_iam_policy_document" "default" {
statement {
sid = "S3PolicyStmtNodeAutoscalingApiCalls"
effect = "Allow"
actions = [
"autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup"
]
resources = [ var.autoscaling_group_arn ]
}
statement {
sid = "S3PolicyStmtNodeAutoscalingDescribe"
effect = "Allow"
actions = [
"autoscaling:DescribeAutoScalingGroups"
]
resources = [ "*" ]
}
}