
Create ROLE with Terraform in AWS with SAML provider attached

I'm currently trying to automate AWS account provisioning, and one of the steps is to create an IAM ROLE with an Identity provider (for federated user access). I searched and checked the Terraform documentation, but cannot find any information about creating such a role, or attaching a provider to a role. I can create both just fine, but they are independent. Here is a portion of the code:

resource "aws_iam_saml_provider" "default" {
  name                   = "ADFS-TEST"
  saml_metadata_document = "${file("../../FederationMetadata.xml")}"
}

resource "aws_iam_role" "role" {
    name = "test-Admins"
}

Figured it out. Here is the full block:

resource "aws_iam_saml_provider" "test" {
  name                   = "ADFS-TEST"
  saml_metadata_document = "${file("../../FederationMetadata.xml")}"
}

resource "aws_iam_role" "role" {
    name = "ADFStest-Admins"
    assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Federated": "${aws_iam_saml_provider.test.arn}"
      },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    }
  ]
}
EOF

}

resource "aws_iam_role_policy" "admins" {
    name        = "Admin-Policy"
    #description = "A test policy"
    role = "${aws_iam_role.role.id}"
    policy = <<EOF
{
  "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "*",
        "Resource": "*"
      }
  ]
}
EOF
}

Thank you! It works for me.

I just changed aws_iam_role_policy to use aws_iam_role_policy_attachment:

resource "aws_iam_role_policy_attachment" "attach" {
    role = "${aws_iam_role.role.name}"
    policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}
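As an added example (not code from the question or from either answer above), here is the same SAML trust relationship written with the aws_iam_policy_document data source in Terraform 0.12+ syntax, so Terraform validates the trust policy instead of passing a raw heredoc. It goes a little beyond the answers: the role gets an explicit session limit and an AWS managed read-only policy rather than the inline "*"/"*" policy. The provider name, role name and the metadata file path are assumptions for illustration.

```hcl
# Added example, not the original poster's code. Names and the metadata
# path are assumptions; the condition key and audience come from the answer.

resource "aws_iam_saml_provider" "adfs" {
  name                   = "ADFS-TEST"
  saml_metadata_document = file("${path.module}/FederationMetadata.xml")
}

# Trust policy: only principals federated through this specific SAML
# provider may assume the role, and only when the SAML assertion's audience
# is the AWS sign-in endpoint. Without the Condition, any assertion from the
# provider would satisfy the trust.
data "aws_iam_policy_document" "saml_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithSAML"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_saml_provider.adfs.arn]
    }

    condition {
      test     = "StringEquals"
      variable = "SAML:aud"
      values   = ["https://signin.aws.amazon.com/saml"]
    }
  }
}

resource "aws_iam_role" "federated_readonly" {
  name                 = "ADFStest-ReadOnly" # assumed name
  assume_role_policy   = data.aws_iam_policy_document.saml_trust.json
  max_session_duration = 3600 # seconds; federated sessions expire after one hour
}

# Attach an AWS managed policy instead of an inline Action "*" / Resource "*"
# policy, so what federated users can do is explicit and reviewable.
resource "aws_iam_role_policy_attachment" "readonly" {
  role       = aws_iam_role.federated_readonly.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

output "federated_role_arn" {
  value = aws_iam_role.federated_readonly.arn
}
```

The two things worth checking in any role of this shape are the trust side and the permission side: the Principal must be the ARN of the one SAML provider you intend, with the SAML:aud condition present, and the attached permissions should be the narrowest managed or customer policy the federated group actually needs. `terraform plan` will show the rendered trust JSON, which makes both easy to review before apply.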
