
AWS Terraform IAM user with assume role for S3 back end

To store the Terraform state file in an S3 bucket, I used admin account credentials and configured it. Now I have created an IAM user and am trying to use an assume role. The assume role has the administrator policy attached.

I have tested this IAM user setup with aws sts assume-role --role-arn commands. I was able to get the token, and using the token I was able to access the S3 bucket with the aws s3 ls command.

Now I am trying to use the IAM user's access/secret key with the assume role for Terraform. When I run the terraform refresh command it gives the errors below.

Provider code:

provider "aws" {
  region      = "us-west-2"
  max_retries = 1
  # Role assumed by the provider for resource API calls
  assume_role {
    role_arn = var.assume_role_arn
  }
}

Error:

 Error: Error acquiring the state lock
│
│ Error message: 2 errors occurred:
│       * AccessDeniedException: User: arn:aws:iam::xxxxxxxx:user/deploy is not authorized to perform: dynamodb:PutItem on resource:
│ arn:aws:dynamodb:us-west-2:xxxxxxxx:table/terraform-state-lock
│       status code: 400, request id: CV4J3JN1LD0KPDGHAOA9UL13ONVV4KQNSO5AEMVJF66Q9ASUAAJG
│       * AccessDeniedException: User: arn:aws:iam::xxxxxxxx:user/deploy is not authorized to perform: dynamodb:GetItem on resource:
│ arn:aws:dynamodb:us-west-2:xxxxxxxx:table/terraform-state-lock
│       status code: 400, request id: BISQQDU4659LLI3CEDP26T8RJ7VV4KQNSO5AEMVJF66Q9ASUAAJG
│
│
│
│ Terraform acquires a state lock to protect the state from being written
│ by multiple users at the same time. Please resolve the issue above and try
│ again. For most commands, you can disable locking with the "-lock=false"
│ flag, but this is not recommended.

Why is this not working in Terraform? How do I fix this error?

Thanks, SR

It does not seem like it's even assuming the role, otherwise the error would show up as an assumed-role/deploy identity.

I'd suggest you try exporting the AWS_SECRET_ACCESS_KEY and AWS_ACCESS_KEY_ID variables on the command line and then run Terraform again.

I tried this a few days back using Terraform Cloud with the terraform user credentials there, which is not exactly your case, but it should behave in the same way.
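The provider's assume_role block only affects the AWS provider's own API calls; the S3 backend authenticates separately, which is why the error names the plain IAM user (user/deploy) rather than an assumed-role session. The backend block has its own role_arn setting (Terraform 1.6 and later also accept a nested assume_role block there), and backend settings must be literals or be passed with -backend-config, since a backend block cannot reference variables. The following is an added example, not code from the question or the answer above: it shows a backend that assumes the role, plus a least-privilege policy document for the state bucket and lock table that can replace the AdministratorAccess the role currently carries. The bucket name, state key, account ID, policy name and role name are assumptions; the lock table name and region are taken from the error output.

```hcl
terraform {
  backend "s3" {
    bucket         = "example-tfstate-bucket"      # assumption: your state bucket
    key            = "env/prod/terraform.tfstate"  # assumption: state object key
    region         = "us-west-2"
    dynamodb_table = "terraform-state-lock"        # lock table named in the error
    encrypt        = true

    # The backend does NOT inherit provider "aws" { assume_role { ... } }.
    # Give it the role explicitly (or via -backend-config="role_arn=...").
    # Terraform 1.6+ prefers the nested form: assume_role { role_arn = "..." }
    role_arn = "arn:aws:iam::123456789012:role/terraform-deploy"  # assumption
  }
}

# Least-privilege permissions the assumed role needs for state and locking
# (added example). GetItem and PutItem are the two actions the error denied;
# DeleteItem releases the lock; DescribeTable is the fourth DynamoDB action
# the S3 backend documentation lists.
data "aws_iam_policy_document" "tfstate_access" {
  statement {
    sid = "StateLockTable"
    actions = [
      "dynamodb:DescribeTable",
      "dynamodb:GetItem",
      "dynamodb:PutItem",
      "dynamodb:DeleteItem",
    ]
    resources = ["arn:aws:dynamodb:us-west-2:123456789012:table/terraform-state-lock"]
  }

  statement {
    sid       = "StateBucketList"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::example-tfstate-bucket"]
  }

  statement {
    sid       = "StateObject"
    actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    resources = ["arn:aws:s3:::example-tfstate-bucket/env/prod/terraform.tfstate"]
  }
}

resource "aws_iam_policy" "tfstate_access" {
  name   = "terraform-state-access"  # assumption
  policy = data.aws_iam_policy_document.tfstate_access.json
}
```

After changing the backend block, run terraform init -reconfigure so the backend picks up the new settings. A quick check that the role is really in play is to assume it with aws sts assume-role, export the returned credentials, and run aws sts get-caller-identity: the Arn must show assumed-role/terraform-deploy/... rather than user/deploy. Once the role has this scoped policy and the IAM user keeps only sts:AssumeRole on that role, the long-lived user keys grant nothing on their own.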
