无法使用 terraform 创建 Amazon S3 访问策略
Cannot create Amazon S3 access policy with terraform
我正在尝试创建以下策略,以便为我的任务定义 (ECS) 之一授予对 Amazon S3 的完全访问权限。这是我正在使用的地形代码:
data "aws_iam_policy_document" "inline_policy_s3" {
version = "2012-10-17"
statement {
sid = ""
actions = ["sts:AssumeRole", "s3:*"]
effect = "Allow"
resources = ["*"]
principals {
type = "Service"
identifiers = ["ecs-tasks.amazonaws.com"]
}
}
}
resource "aws_iam_role" "task_role" {
name = "ecs_service_task_role"
assume_role_policy = data.aws_iam_policy_document.inline_policy_s3.json
}
问题是当我 运行 terraform apply:
╷
│ Error: Error creating IAM Role ecs_service_task_role: MalformedPolicyDocument: Has prohibited field Resource
│ status code: 400, request id: 25afe8f8-cc66-4533-8f66-9a1f2aeb656b
│
│ with module.service.aws_iam_role.task_role,
│ on service/task_role_policy.tf line 16, in resource "aws_iam_role" "task_role":
│ 16: resource "aws_iam_role" "task_role" {
│
╵
我试过更改策略的一些属性,但找不到问题所在。知道发生了什么吗?
推力政策没有 resources并且不能除了sts:AssumeRole之外的任何其他权限.所以应该是:
data "aws_iam_policy_document" "inline_policy_s3" {
version = "2012-10-17"
statement {
sid = ""
actions = ["sts:AssumeRole"]
effect = "Allow"
principals {
type = "Service"
identifiers = ["ecs-tasks.amazonaws.com"]
}
}
}
对于您的s3权限,您需要通过例如inline_policy.
来创建它们
我正在尝试创建以下策略,以便为我的任务定义 (ECS) 之一授予对 Amazon S3 的完全访问权限。这是我正在使用的地形代码:
data "aws_iam_policy_document" "inline_policy_s3" {
version = "2012-10-17"
statement {
sid = ""
actions = ["sts:AssumeRole", "s3:*"]
effect = "Allow"
resources = ["*"]
principals {
type = "Service"
identifiers = ["ecs-tasks.amazonaws.com"]
}
}
}
resource "aws_iam_role" "task_role" {
name = "ecs_service_task_role"
assume_role_policy = data.aws_iam_policy_document.inline_policy_s3.json
}
问题是当我 运行 terraform apply:
╷
│ Error: Error creating IAM Role ecs_service_task_role: MalformedPolicyDocument: Has prohibited field Resource
│ status code: 400, request id: 25afe8f8-cc66-4533-8f66-9a1f2aeb656b
│
│ with module.service.aws_iam_role.task_role,
│ on service/task_role_policy.tf line 16, in resource "aws_iam_role" "task_role":
│ 16: resource "aws_iam_role" "task_role" {
│
╵
我试过更改策略的一些属性,但找不到问题所在。知道发生了什么吗?
推力政策没有 resources并且不能除了sts:AssumeRole之外的任何其他权限.所以应该是:
data "aws_iam_policy_document" "inline_policy_s3" {
version = "2012-10-17"
statement {
sid = ""
actions = ["sts:AssumeRole"]
effect = "Allow"
principals {
type = "Service"
identifiers = ["ecs-tasks.amazonaws.com"]
}
}
}
对于您的s3权限,您需要通过例如inline_policy.
来创建它们