使用 AWS 假设角色和非默认 AWS 凭证执行 Terraform 计划
[英]Execute Terraform Plan with AWS assume_role and non-default AWS credentials
问题描述
I'm trying to run terraform plan locally with a non-default aws credentials profile, where my default profile will not work.
我正在尝试使用非默认 aws 凭据配置文件在本地运行 terraform 计划,而我的默认配置文件将不起作用。 I also need to use assume_role in terraform provider "aws" .我还需要在assume_role provider "aws"中使用假设角色。 My code looks something like this:我的代码看起来像这样:
provider "aws" {
version = "~> 2.45"
region = "us-east-1"
profile = <profile name>
allowed_account_ids = [<account_id>]
assume_role {
role_arn = "arn:aws:iam::<account id>:role/<role name>"
}
}
The error I'm getting is:我得到的错误是:
Error: The role "arn:aws:iam::<account_id>:role/<role_name>" cannot be assumed.
There are a number of possible causes of this - the most common are:
* The credentials used in order to assume the role are invalid
* The credentials do not have appropriate permission to assume the role
* The role ARN is not valid
Interestingly, when I put access_key and secret_key in the provider like this:有趣的是,当我像这样将 access_key 和 secret_key 放入提供程序时:
provider "aws" {
version = "~> 2.45"
region = "us-east-1"
access_key = <aws access key>
secret_key = <aws secret key>
assume_role {
role_arn = "arn:aws:iam::<account_id>:role/<role_name>"
}
}
terraform plan works fine. terraform 计划工作正常。 I've double checked my aws credentials file several time and it's setup correctly, but I'm not sure why terraform plan doesn't work.我已经多次检查了我的 aws 凭据文件并且设置正确,但我不确定为什么 terraform 计划不起作用。 I've also tried deleting the assume_role parameter in provider "aws" when i have access_key and secret_key in the file, and terraform plan works fine, which means i don't need the assume_role .当我在文件中有access_key和secret_key并且 terraform 计划工作正常时,我还尝试删除provider "aws"中的assume_role参数,这意味着我不需要assume_role 。 however, if i use the profile from aws credentials without assume_role in terraform file, i'm getting:但是,如果我在assume_role文件中使用 aws 凭证中的配置文件而没有假设角色,我会得到:
Error: error using credentials to get account ID: error calling sts:GetCallerIdentity: SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
status code: 403, request id:
1 个解决方案
解决方案1
0 已采纳 2021-02-03 17:55:10
You need amend the Trust Policy on the IAM Role like below您需要修改IAM Role的Trust Policy ,如下所示
How to use trust policies with IAM roles 如何将信任策略与 IAM 角色一起使用
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:user/<Your username>"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
Once you update the Trust Policy on the IAM Role you can verify this via assume-role command更新IAM Role的Trust Policy后,您可以通过假设角色命令验证这一点
aws sts assume-role --role-arn arn:aws:iam::123456789012:role/xaccounts3access --role-session-name s3-access-example
You would receive something like:你会收到类似的东西:
{
"AssumedRoleUser": {
"AssumedRoleId": "AROA3XFRBF535PLBIFPI4:s3-access-example",
"Arn": "arn:aws:sts::123456789012:assumed-role/xaccounts3access/s3-access-example"
},
"Credentials": {
"SecretAccessKey": "9drTJvcXLB89EXAMPLELB8923FB892xMFI",
"SessionToken": "AQoXdzELDDY//////////wEaoAK1wvxJY12r2IrDFT2IvAzTCn3zHoZ7YNtpiQLF0MqZye/qwjzP2iEXAMPLEbw/m3hsj8VBTkPORGvr9jM5sgP+w9IZWZnU+LWhmg+a5fDi2oTGUYcdg9uexQ4mtCHIHfi4citgqZTgco40Yqr4lIlo4V2b2Dyauk0eYFNebHtYlFVgAUj+7Indz3LU0aTWk1WKIjHmmMCIoTkyYp/k7kUG7moeEYKSitwQIi6Gjn+nyzM+PtoA3685ixzv0R7i5rjQi0YE0lf1oeie3bDiNHncmzosRM6SFiPzSvp6h/32xQuZsjcypmwsPSDtTPYcs0+YN/8BRi2/IcrxSpnWEXAMPLEXSDFTAQAM6Dl9zR0tXoybnlrZIwMLlMi1Kcgo5OytwU=",
"Expiration": "2016-03-15T00:05:07Z",
"AccessKeyId": "ASIAJEXAMPLEXEG2JICEA"
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.