Malformed Policy Document: Has prohibited field Resource
I am trying to create an IAM role and an IAM policy with Terraform.
I get this error:

    │ Error: error creating IAM Role (asg-domain-join-policy): MalformedPolicyDocument: Has prohibited field Resource
    status code: 400, request id: 53fa1ae0-f22f-4f2e-8aa6-1947421eae9b
    with aws_iam_role.ad_join_role,
    on iam.tf line 30, in resource "aws_iam_role" "ad_join_role":
    30: resource "aws_iam_role" "ad_join_role" {

My current IAM role code is:

    resource "aws_iam_role" "ad_join_role" {
      name                 = "asg-domain-join-policy"
      assume_role_policy   = data.aws_iam_policy_document.asg_domain_join_policy.json
      permissions_boundary = "arn:aws:iam::${var.account_id}:policy/****"
    }

The IAM policy code is:

    data "aws_iam_policy_document" "asg_domain_join_policy" {
      statement {
        actions = [
          "ssm:DescribeAssociation",
          "ssm:GetDocument",
          "ssm:ListAssociations",
          "ssm:UpdateAssociationStatus",
          "ssm:UpdateInstanceInformation",
          "ssm:CreateAssociation",
        ]
        effect    = "Allow"
        resources = ["ec2"]
      }
    }

I am not sure why I am getting this error.
Your resources block uses the wrong reference. ec2 is not a resource. If you are referencing an instance, you need to use aws_instance.my_ec2_instance, or if you want to allow all resources, you can put "*".

assume_role_policy can have a document that only specifies the AssumeRole action. What you need to do is split your policy into separate policies: one that allows the role to be assumed, and one that attaches the other permissions to the role.

For example:

    # Allow EC2 instances to assume the role
    data "aws_iam_policy_document" "asg_assume_role_policy" {
      statement {
        actions = [
          "sts:AssumeRole"
        ]
        effect = "Allow"
        principals {
          type        = "Service"
          identifiers = ["ec2.amazonaws.com"]
        }
      }
    }

    # Create the policy which allows other actions for the EC2 instance
    data "aws_iam_policy_document" "asg_domain_join_policy" {
      statement {
        actions = [
          "ssm:DescribeAssociation",
          "ssm:GetDocument",
          "ssm:ListAssociations",
          "ssm:UpdateAssociationStatus",
          "ssm:UpdateInstanceInformation",
          "ssm:CreateAssociation"
        ]
        effect    = "Allow"
        resources = ["*"]
      }
    }

    resource "aws_iam_role" "ad_join_role" {
      name               = "asg-domain-join-policy"
      assume_role_policy = data.aws_iam_policy_document.asg_assume_role_policy.json

      # Attach the policy
      inline_policy {
        policy = data.aws_iam_policy_document.asg_domain_join_policy.json
      }
    }

Some notes on this example:
- The second policy is attached as an inline policy. This is fine if the policy is short; otherwise you may want to attach it with aws_iam_policy_attachment.
- The resource type for the actions in the second policy is the wildcard ["*"]. If you want to be more granular about the actions in your policy, you may want to look at this page to see which resource types each action allows. Clearly, ["ec2"] is not a valid resource type.
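As an added pre-apply check (not code from the question or the answer), the Python below lints the JSON that a data "aws_iam_policy_document" renders, assuming you have written it to a file (for example with local_file) or pulled it from terraform show -json. It catches both mistakes discussed here and goes slightly further: a trust policy that carries the prohibited Resource field, lacks a Principal, or has no sts:AssumeRole action, and a permission policy whose resources are neither ARNs nor "*". The sample documents are constructed.

```python
import json

# Constructed samples: the question's document as IAM sees it when used as a
# trust policy (SSM actions plus Resource, no Principal) and the answer's split.
BAD_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["ssm:DescribeAssociation", "ssm:GetDocument"],
    "Resource": "ec2"}]})
GOOD_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": "ec2.amazonaws.com"}}]})
GOOD_PERMS = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["ssm:GetDocument"], "Resource": "*"}]})

TRUST_FORBIDDEN = ("NotResource", "Resource")


def _statements(policy_json):
    # IAM accepts a single statement object or a list; normalise to a list.
    stmts = json.loads(policy_json).get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_trust_policy(policy_json):
    """Problems that make a document unusable as assume_role_policy. IAM rejects
    Resource here with 'MalformedPolicyDocument: Has prohibited field Resource'."""
    problems = []
    for i, st in enumerate(_statements(policy_json)):
        for field in TRUST_FORBIDDEN:
            if field in st:
                problems.append(f"statement {i}: prohibited field {field}")
        if "Principal" not in st and "NotPrincipal" not in st:
            problems.append(f"statement {i}: trust policy needs a Principal")
        if not any(a.startswith("sts:AssumeRole")
                   for a in _as_list(st.get("Action", []))):
            problems.append(f"statement {i}: no sts:AssumeRole* action")
    return problems


def lint_permission_policy(policy_json):
    """Flag Resource values that are neither '*' nor an ARN, such as 'ec2'."""
    problems = []
    for i, st in enumerate(_statements(policy_json)):
        for res in _as_list(st.get("Resource", [])):
            if res != "*" and not res.startswith("arn:"):
                problems.append(f"statement {i}: '{res}' is not an ARN or '*'")
    return problems
```

Run lint_trust_policy over every assume_role_policy and lint_permission_policy over every inline or managed policy in your plan, and fail the pipeline on a non-empty result before IAM rejects the role at apply time.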