在 Terraform 内设置 IAM 策略
[英]Setting IAM Policy within Terraform
问题描述
I am having troubles setting an IAM Policy following documentation on Terraform. While trying to assign a this policy to my S3 Bucket using this documentation from databricks
我在按照 Terraform 上的文档设置 IAM 策略时遇到问题。尝试使用databricks 中的文档将此策略分配给我的 S3 存储桶时
the following error is being returned Policy document should not specify a principal.正在返回以下错误Policy document should not specify a principal.
You may reproduce using the following code section您可以使用以下代码部分进行复制
resource "aws_iam_policy" "databricks_bucket_policy" {
name = "databrick_bucket_policy"
path = "/"
description = "A policy for Databricks S3 Bucket"
# Terraform's "jsonencode" function converts a
# Terraform expression result to valid JSON syntax.
policy = jsonencode({
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Principal" : {
"AWS" : [
"arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL",
"arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:role/<THIS_ROLE_NAME>"
]
},
"Action" : "sts:AssumeRole",
"Condition" : {
"StringEquals" : {
"sts:ExternalId" : "<DATABRICKS_ACCOUNT_ID>"
}
}
}
]
})
}
I've tried following this terraform doc but it is not fully understood .我已经尝试遵循此 terraform 文档,但尚未完全理解。 I would appreciate if someone could clarify on how this can be done.如果有人可以澄清如何做到这一点,我将不胜感激。
1 个解决方案
解决方案1
2 已采纳 2023-01-08 14:18:44
You are trying to create an aws_iam_policy resource and assign it to an S3 bucket, but you can only assign an aws_s3_bucket_policy to a bucket.您正在尝试创建aws_iam_policy资源并将其分配给 S3 存储桶,但您只能将aws_s3_bucket_policy分配给存储桶。 An IAM policy is assigned to users or roles, so you never specify a principal in an IAM policy because it is directly assigned to the principal it is applied to. IAM 策略分配给用户或角色,因此您永远不会在 IAM 策略中指定委托人,因为它直接分配给它所应用的委托人。
By contrast a resource policy, such as the S3 bucket policy, is assigned to a resource, and you specify the principals that you are granting or denying access to the resource.相比之下,将资源策略(例如 S3 存储桶策略)分配给资源,并且您指定要授予或拒绝访问该资源的委托人。
Now, looking at the Databricks documentation, it appears what they are giving you in step 3 of the documentation is a trust relationship.现在,查看 Databricks 文档,他们在文档的第 3 步中为您提供的似乎是一种信任关系。 Step 4 has the IAM policy.第 4 步具有 IAM 策略。 They are also instructing you to create an IAM Role, not an S3 bucket policy.他们还指导您创建 IAM 角色,而不是 S3 存储桶策略。
It appears that what you are being instructed to do is create an IAM role that Databricks can assume, that gives Databricks access to the S3 bucket in your account.看起来您被指示要做的是创建一个 Databricks 可以承担的 IAM 角色,这使 Databricks 可以访问您帐户中的 S3 存储桶。 You are not being instructed to create an S3 bucket policy at all.根本没有指示您创建 S3 存储桶策略。
Your Terraform should look like this:您的 Terraform 应如下所示:
resource "aws_iam_role" "databricks_role" {
name = "databricks_role"
assume_role_policy = jsonencode(
# The JSON from Step 3 goes here
)
}
resource "aws_iam_policy" "databricks_role_policy" {
name = "databrick_role_policy"
path = "/"
description = "A policy for Databricks IAM Role"
policy = jsonencode(
# The JSON from Step 4 goes here
)
}
resource "aws_iam_role_policy_attachment" "databricks_role" {
role = aws_iam_role.databricks_role.name
policy_arn = aws_iam_policy.databricks_role_policy.arn
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.