[英]Creating an aws_api_gateway_account resource returns AccessDeniedException
In my terraform script I have the following resource -在我的 terraform 脚本中,我有以下资源 -
resource "aws_api_gateway_account" "demo" {
cloudwatch_role_arn = var.apigw_cloudwatch_role_arn
}
In the Apply stage, I see the following error -在 Apply 阶段,我看到以下错误 -
2020/09/21 20:20:48 [ERROR] <root>: eval: *terraform.EvalApplyPost, err: Updating API Gateway Account failed: AccessDeniedException:
status code: 403, request id: abb0662e-ead2-4d95-b987-7d889088a5ef
Is there a specific permission that needs to be attached to the role in order to get rid of this error?是否需要将特定权限附加到角色才能消除此错误?
Ran into the same problem as @bdev03, took me 2 days to identify the missing permission is "iam:PassRole", be so good if terraform is able to point that out, hope this helps.遇到与@bdev03 相同的问题,我花了 2 天时间才确定缺少的权限是“iam:PassRole”,如果 terraform 能够指出这一点,那就太好了,希望这会有所帮助。
Since neither this thread (so far) nor the official documentation is doing a very good job at solving this problem... The minimal policies required for this action are:由于这个线程(到目前为止)和官方文档都没有很好地解决这个问题......这个行动所需的最低政策是:
{
"Sid": "AllowPassingTheRoleToApiGateway",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:PassedToService": ["apigateway.amazonaws.com"]
}
}
}
{
"Sid": "AllowAPIGatewayUpdate",
"Effect": "Allow",
"Action": [
"apigateway:UpdateRestApiPolicy",
"apigateway:PATCH",
"apigateway:GET"
],
"Resource": "*"
}
I haven't tested, but I believe the role needs what's shown below.我没有测试过,但我相信该角色需要如下所示的内容。 See more context at the source: "To enable CloudWatch Logs" section at https://docs.aws.amazon.com/apigateway/latest/developerguide/stages.html
在源代码中查看更多上下文:https 的“启用 CloudWatch Logs”部分://docs.aws.amazon.com/apigateway/latest/developerguide/stages.html
For common application scenarios, the IAM role could attach the managed policy of AmazonAPIGatewayPushToCloudWatchLogs, which contains the following access policy statement:
对于常见的应用场景,IAM 角色可以附加 AmazonAPIGatewayPushToCloudWatchLogs 的托管策略,其中包含以下访问策略语句:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:PutLogEvents", "logs:GetLogEvents", "logs:FilterLogEvents" ], "Resource": "*" } ] }
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DescribeLogGroups", “日志:DescribeLogStreams”,“日志:PutLogEvents”,“日志:GetLogEvents”,“日志:FilterLogEvents”],“资源”:“*”}]}
The IAM role must also contain the following trust relationship statement:
IAM 角色还必须包含以下信任关系声明:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": "apigateway.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }
{“版本”:“2012-10-17”,“声明”:[{“Sid”:“”,“效果”:“允许”,“主体”:{“服务”:“apigateway.amazonaws.com” }, "Action": "sts:AssumeRole" } ] }
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.