无法使用 terraform 创建 Amazon S3 访问策略
[英]Cannot create Amazon S3 access policy with terraform
问题描述
I'm trying to create the following policy to give full access to Amazon S3 to one of my task definitions (ECS).
我正在尝试创建以下策略以向我的任务定义 (ECS) 之一授予对 Amazon S3 的完全访问权限。 This is the terraform code I'm using:这是我正在使用的 terraform 代码:
data "aws_iam_policy_document" "inline_policy_s3" {
version = "2012-10-17"
statement {
sid = ""
actions = ["sts:AssumeRole", "s3:*"]
effect = "Allow"
resources = ["*"]
principals {
type = "Service"
identifiers = ["ecs-tasks.amazonaws.com"]
}
}
}
resource "aws_iam_role" "task_role" {
name = "ecs_service_task_role"
assume_role_policy = data.aws_iam_policy_document.inline_policy_s3.json
}
The problem is that I'm getting this error when I run terraform apply :问题是我在运行terraform apply时收到此错误:
╷
│ Error: Error creating IAM Role ecs_service_task_role: MalformedPolicyDocument: Has prohibited field Resource
│ status code: 400, request id: 25afe8f8-cc66-4533-8f66-9a1f2aeb656b
│
│ with module.service.aws_iam_role.task_role,
│ on service/task_role_policy.tf line 16, in resource "aws_iam_role" "task_role":
│ 16: resource "aws_iam_role" "task_role" {
│
╵
I have tried changing some of the attributes of the policy, but I cannot find the problem.我尝试更改策略的某些属性,但找不到问题所在。 Any idea what's going on?知道发生了什么事吗?
1 个解决方案
解决方案1
2 已采纳 2021-08-14 11:08:25
Thrust policies don't have resources and can't have any other permissions than sts:AssumeRole .推力策略没有resources ,也不能有除sts:AssumeRole之外的任何其他权限。 So it should be:所以应该是:
data "aws_iam_policy_document" "inline_policy_s3" {
version = "2012-10-17"
statement {
sid = ""
actions = ["sts:AssumeRole"]
effect = "Allow"
principals {
type = "Service"
identifiers = ["ecs-tasks.amazonaws.com"]
}
}
}
For your s3 permissions, you need to create them through, for example, inline_policy .对于您的 s3 权限,您需要通过例如inline_policy创建它们。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.