MalformedPolicyDocument:策略文档不应指定主体
MalformedPolicyDocument: Policy document should not specify a principal
我正在尝试使用 Terraform 创建一个 Step Functions 状态机。首先,我创建一个策略并将其附加到现有角色 processing_lambda_role。
resource "aws_iam_role_policy" "sfn_policy" {
  # Inline (identity-based) permissions policy attached to processing_lambda_role.
  # NOTE(review): the first statement carries a "Principal" element plus
  # "sts:AssumeRole". That is trust-policy content and belongs in the role's
  # assume_role_policy; in an identity policy IAM rejects it with
  # "MalformedPolicyDocument: Policy document should not specify a principal".
  policy = jsonencode(
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          # Trust-policy statement in the wrong document -- see note above.
          "Effect": "Allow",
          "Principal": {
            "Service": "states.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        },
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": [
            "lambda:InvokeFunction",
            "lambda:InvokeAsync"
          ],
          # "*" permits invoking every Lambda function in the account; the
          # state machine only calls aws_lambda_function.get_incoming_lambda.
          "Resource": "*"
        }
      ]
    }
  )
  role = aws_iam_role.processing_lambda_role.id
}
resource "aws_sfn_state_machine" "sfn_state_machine" {
  name = local.step_function_name
  # NOTE(review): processing_lambda_role's assume_role_policy trusts only
  # lambda.amazonaws.com, so the Step Functions service (states.amazonaws.com)
  # is not permitted to assume this role; the state machine needs a role whose
  # trust policy names states.amazonaws.com.
  role_arn = aws_iam_role.processing_lambda_role.arn
  # Amazon States Language definition. The ${...} reference is interpolated by
  # Terraform before the heredoc is sent to the API; a plain "$" (as in
  # "$.Output") is passed through unchanged.
  definition = <<EOF
{
"Comment": "Get Incoming Files",
"StartAt": "GetIncomingFiles",
"States": {
"GetIncomingFiles": {
"Type": "Task",
"Resource": "${aws_lambda_function.get_incoming_lambda.arn}",
"ResultPath": "$.Output",
"End": true
}
}
}
EOF
}
我收到这个错误:
Error: Error putting IAM role policy terraform-20211117095209110000000005: MalformedPolicyDocument: Policy document should not specify a principal.
│ status code: 400, request id: 1dd8ac18-a514-4ef3-93ae-91383e5baa07
│
│ with module.ingest_system["ems"].aws_iam_role_policy.sfn_policy,
│ on ../../modules/ingest_system/step_function.tf line 1, in resource "aws_iam_role_policy" "sfn_policy":
│ 1: resource "aws_iam_role_policy" "sfn_policy" {
角色最初是这样定义的:
# Execution role for the Lambda function. Its trust policy (assume_role_policy)
# is the only document in which a "Principal" element belongs: here it names
# the Lambda service as the sole principal allowed to call sts:AssumeRole.
resource "aws_iam_role" "processing_lambda_role" {
  name = local.processing_lambda_role_name
  path = "/service-role/"

  # jsonencode() sorts object keys, so the key order below does not affect
  # the emitted policy document.
  assume_role_policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Action" : "sts:AssumeRole",
        "Effect" : "Allow",
        "Principal" : { "Service" : "lambda.amazonaws.com" }
      }
    ]
  })
}
sts:AssumeRole 应该放在角色的 assume_role_policy(信任策略)中,而不是放在 aws_iam_role_policy 的内联权限策略里。例如,如果您想为您的 sfn 创建一个专用的 sfn_role,则:
# Dedicated execution role for the state machine. The trust policy lets the
# Step Functions service (states.amazonaws.com), and no other principal, call
# sts:AssumeRole on it; what the role may then do is granted separately via
# aws_iam_role_policy.
resource "aws_iam_role" "sfn_role" {
  # jsonencode() sorts object keys, so the key order below does not affect
  # the emitted policy document.
  assume_role_policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Action" : "sts:AssumeRole",
        "Effect" : "Allow",
        "Principal" : { "Service" : "states.amazonaws.com" }
      }
    ]
  })
}
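# Inline permissions policy on sfn_role: what the state machine may do once it
# has assumed the role. Deliberately no "Principal" element -- IAM rejects one
# in an identity policy with "MalformedPolicyDocument: Policy document should
# not specify a principal"; principals belong only in assume_role_policy.
resource "aws_iam_role_policy" "sfn_policy" {
  role = aws_iam_role.sfn_role.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "VisualEditor0"
        Effect = "Allow"
        Action = [
          "lambda:InvokeFunction",
          "lambda:InvokeAsync"
        ]
        # Least privilege: grant invoke only on the function the state machine
        # actually calls, instead of "*" (every function in the account). Add
        # further function ARNs here as the definition grows; if a Task invokes
        # a version or alias, the qualified ARN ("<function arn>:*") is needed.
        Resource = [
          aws_lambda_function.get_incoming_lambda.arn
        ]
      }
    ]
  })
}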
resource "aws_sfn_state_machine" "sfn_state_machine" {
  name = local.step_function_name
  # Execution role: sfn_role's trust policy names states.amazonaws.com, so the
  # Step Functions service can assume it; sfn_policy (attached to the same
  # role) supplies the Lambda invoke permissions the Task state needs.
  role_arn = aws_iam_role.sfn_role.arn
  # .... (definition as in the question: a single Task whose "Resource" is the
  # ARN of aws_lambda_function.get_incoming_lambda)
}
我正在尝试使用 Terraform 创建一个 Step Functions 状态机。首先,我创建一个策略并将其附加到现有角色 processing_lambda_role。
resource "aws_iam_role_policy" "sfn_policy" {
  # Inline (identity-based) permissions policy attached to processing_lambda_role.
  # NOTE(review): the first statement carries a "Principal" element plus
  # "sts:AssumeRole". That is trust-policy content and belongs in the role's
  # assume_role_policy; in an identity policy IAM rejects it with
  # "MalformedPolicyDocument: Policy document should not specify a principal".
  policy = jsonencode(
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          # Trust-policy statement in the wrong document -- see note above.
          "Effect": "Allow",
          "Principal": {
            "Service": "states.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        },
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": [
            "lambda:InvokeFunction",
            "lambda:InvokeAsync"
          ],
          # "*" permits invoking every Lambda function in the account; the
          # state machine only calls aws_lambda_function.get_incoming_lambda.
          "Resource": "*"
        }
      ]
    }
  )
  role = aws_iam_role.processing_lambda_role.id
}
resource "aws_sfn_state_machine" "sfn_state_machine" {
  name = local.step_function_name
  # NOTE(review): processing_lambda_role's assume_role_policy trusts only
  # lambda.amazonaws.com, so the Step Functions service (states.amazonaws.com)
  # is not permitted to assume this role; the state machine needs a role whose
  # trust policy names states.amazonaws.com.
  role_arn = aws_iam_role.processing_lambda_role.arn
  # Amazon States Language definition. The ${...} reference is interpolated by
  # Terraform before the heredoc is sent to the API; a plain "$" (as in
  # "$.Output") is passed through unchanged.
  definition = <<EOF
{
"Comment": "Get Incoming Files",
"StartAt": "GetIncomingFiles",
"States": {
"GetIncomingFiles": {
"Type": "Task",
"Resource": "${aws_lambda_function.get_incoming_lambda.arn}",
"ResultPath": "$.Output",
"End": true
}
}
}
EOF
}
我收到这个错误:
Error: Error putting IAM role policy terraform-20211117095209110000000005: MalformedPolicyDocument: Policy document should not specify a principal.
│ status code: 400, request id: 1dd8ac18-a514-4ef3-93ae-91383e5baa07
│
│ with module.ingest_system["ems"].aws_iam_role_policy.sfn_policy,
│ on ../../modules/ingest_system/step_function.tf line 1, in resource "aws_iam_role_policy" "sfn_policy":
│ 1: resource "aws_iam_role_policy" "sfn_policy" {
角色最初是这样定义的:
# Execution role for the Lambda function. Its trust policy (assume_role_policy)
# is the only document in which a "Principal" element belongs: here it names
# the Lambda service as the sole principal allowed to call sts:AssumeRole.
resource "aws_iam_role" "processing_lambda_role" {
  name = local.processing_lambda_role_name
  path = "/service-role/"

  # jsonencode() sorts object keys, so the key order below does not affect
  # the emitted policy document.
  assume_role_policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Action" : "sts:AssumeRole",
        "Effect" : "Allow",
        "Principal" : { "Service" : "lambda.amazonaws.com" }
      }
    ]
  })
}
sts:AssumeRole 应该放在角色的 assume_role_policy(信任策略)中,而不是放在 aws_iam_role_policy 的内联权限策略里。例如,如果您想为您的 sfn 创建一个专用的 sfn_role,则:
# Dedicated execution role for the state machine. The trust policy lets the
# Step Functions service (states.amazonaws.com), and no other principal, call
# sts:AssumeRole on it; what the role may then do is granted separately via
# aws_iam_role_policy.
resource "aws_iam_role" "sfn_role" {
  # jsonencode() sorts object keys, so the key order below does not affect
  # the emitted policy document.
  assume_role_policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Action" : "sts:AssumeRole",
        "Effect" : "Allow",
        "Principal" : { "Service" : "states.amazonaws.com" }
      }
    ]
  })
}
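# Inline permissions policy on sfn_role: what the state machine may do once it
# has assumed the role. Deliberately no "Principal" element -- IAM rejects one
# in an identity policy with "MalformedPolicyDocument: Policy document should
# not specify a principal"; principals belong only in assume_role_policy.
resource "aws_iam_role_policy" "sfn_policy" {
  role = aws_iam_role.sfn_role.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "VisualEditor0"
        Effect = "Allow"
        Action = [
          "lambda:InvokeFunction",
          "lambda:InvokeAsync"
        ]
        # Least privilege: grant invoke only on the function the state machine
        # actually calls, instead of "*" (every function in the account). Add
        # further function ARNs here as the definition grows; if a Task invokes
        # a version or alias, the qualified ARN ("<function arn>:*") is needed.
        Resource = [
          aws_lambda_function.get_incoming_lambda.arn
        ]
      }
    ]
  })
}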
resource "aws_sfn_state_machine" "sfn_state_machine" {
  name = local.step_function_name
  # Execution role: sfn_role's trust policy names states.amazonaws.com, so the
  # Step Functions service can assume it; sfn_policy (attached to the same
  # role) supplies the Lambda invoke permissions the Task state needs.
  role_arn = aws_iam_role.sfn_role.arn
  # .... (definition as in the question: a single Task whose "Resource" is the
  # ARN of aws_lambda_function.get_incoming_lambda)
}