
How to allow an AWS programmatic user to create resources using assume role

I have created a policy X with EC2 and VPC full access and attached it to userA. userA has console access. So, using switch role, userA can create instances from the console.

Now, userB has programmatic access through policy Y, with EC2 and VPC full access. But when I try to create an instance using Terraform I get an error. Error: creating Security Group (allow-80-22): UnauthorizedOperation: You are not authorized to perform this operation. Encoded authorization failure message:

Even aws ec2 describe-instances gives an error - An error occurred (UnauthorizedOperation) when calling the DescribeInstances operation: You are not authorized to perform this operation.

Can anyone help me. Thanks in advance.

Honestly, the question itself has several errors, but I have ignored them and provided the solution.

  • Creating resources with an IAM user that has programmatic access only, with the policies attached directly

In general, if you have an AWS IAM user that has programmatic access and already has the required policies attached, creating any resource within the scope of those permissions is very simple, like any normal use case.

  • Creating resources with an IAM user that has programmatic access only, by assuming a role that has the required policies attached (roles only)

provider.tf

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
}
## If you hardcode the role_arn, two provider configs are not required (one with the hardcoded value is enough, without any alias).

provider "aws" {
  region = "eu-central-1"
}

provider "aws" {

  alias  = "ec2_and_vpc_full_access"
  region = "eu-central-1"

  assume_role {
    role_arn = data.aws_iam_role.stackoverflow.arn
  }
}

resource.tf

/*
!! Important !!
* Currently the AWS secrets (AWS_ACCESS_KEY_ID & AWS_SECRET_ACCESS_KEY) used by Terraform for authentication
* belong to the user that has the AWS managed policy [IAMFullAccess] attached directly, so that it can read the role ARN.
*/

# If you have hardcoded role_arn in the provider config, this data source can be ignored and no aliased provider config is required.
## Using the default provider to read the role.
data "aws_iam_role" "stackoverflow" {
  name = "stackoverflow-ec2-vpc-full-access-role"
}

# Using provider with the role having aws managed policies [ec2 and vpc full access] attached
data "aws_vpc" "default" {
  provider = aws.ec2_and_vpc_full_access

  default = true

}

# Using provider with the role having AWS managed policies [ec2 and vpc full access] attached
resource "aws_key_pair" "eks_jump_host" {
  provider = aws.ec2_and_vpc_full_access

  key_name   = "ec2keypair"
  public_key = file("${path.module}/../../ec2keypair.pub")

}

# Example from https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance
# Using provider with the role having aws managed policies [ec2 and vpc full access] attached
data "aws_ami" "ubuntu" {
  provider = aws.ec2_and_vpc_full_access

  most_recent = true
  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]
  }
  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }
  owners = ["099720109477"] # Canonical

}

# Using provider with the role having aws managed policies [ec2 and vpc full access] attached
resource "aws_instance" "terraform-ec2" {
  provider = aws.ec2_and_vpc_full_access

  ami           = data.aws_ami.ubuntu.id
  instance_type = "t2.micro"
  # Reference the key pair resource rather than repeating its name, so Terraform
  # creates the key pair before the instance that depends on it.
  key_name        = aws_key_pair.eks_jump_host.key_name
  security_groups = [aws_security_group.t-allow_tls.name]

}

# Using provider with the role having aws managed policies [ec2 and vpc full access] attached
resource "aws_security_group" "t-allow_tls" {
  provider = aws.ec2_and_vpc_full_access

  name        = "allow-80-22"
  description = "Allow TLS inbound traffic"
  vpc_id      = data.aws_vpc.default.id
  ingress {
    description      = "http"
    from_port        = 80
    to_port          = 80
    protocol         = "tcp"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }
}

For the complete solution, see the Github Repo. I hope this helps.
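The answer above assumes that the role "stackoverflow-ec2-vpc-full-access-role" already exists, that the programmatic user is trusted by it, and that the user reads the role ARN with IAMFullAccess. The block below is an added example, not code from the answer or from its Github repo: it shows the IAM side that makes the aliased provider work, written so that the user (userB in the question) only gets sts:AssumeRole and iam:GetRole on that one role instead of IAMFullAccess. The user name and the placeholder variable default are assumptions; the managed policy ARNs are the real AmazonEC2FullAccess and AmazonVPCFullAccess policies. It is meant to be applied with administrative credentials, separately from the workload configuration in the answer.

```hcl
# Added example (not the answer's code): the IAM role, its trust policy and the
# minimal identity policy on the programmatic user. Placeholder values are marked.

variable "programmatic_user_name" {
  description = "Name of the existing IAM user that will assume the role (userB in the question)"
  type        = string
  default     = "userB" # placeholder, assumption
}

data "aws_caller_identity" "current" {}

locals {
  role_name = "stackoverflow-ec2-vpc-full-access-role"
  user_arn  = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/${var.programmatic_user_name}"
}

# Trust policy: only the named user may call sts:AssumeRole on this role.
# Without this statement the provider's assume_role block fails with AccessDenied.
data "aws_iam_policy_document" "trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = [local.user_arn]
    }
  }
}

resource "aws_iam_role" "ec2_vpc_full_access" {
  name                 = local.role_name
  assume_role_policy   = data.aws_iam_policy_document.trust.json
  max_session_duration = 3600 # one hour; each provider session is re-issued within this limit
}

# Permissions the role carries: the same two AWS managed policies the answer relies on.
resource "aws_iam_role_policy_attachment" "ec2" {
  role       = aws_iam_role.ec2_vpc_full_access.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
}

resource "aws_iam_role_policy_attachment" "vpc" {
  role       = aws_iam_role.ec2_vpc_full_access.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonVPCFullAccess"
}

# Identity policy on the user: just enough to look the role up (for the
# data "aws_iam_role" lookup in the answer) and to assume it. This replaces the
# IAMFullAccess attachment mentioned in the answer's comment.
data "aws_iam_policy_document" "user_assume" {
  statement {
    sid       = "LookUpRole"
    effect    = "Allow"
    actions   = ["iam:GetRole"]
    resources = [aws_iam_role.ec2_vpc_full_access.arn]
  }
  statement {
    sid       = "AssumeRole"
    effect    = "Allow"
    actions   = ["sts:AssumeRole"]
    resources = [aws_iam_role.ec2_vpc_full_access.arn]
  }
}

resource "aws_iam_user_policy" "assume_ec2_vpc_role" {
  name   = "assume-${local.role_name}"
  user   = var.programmatic_user_name
  policy = data.aws_iam_policy_document.user_assume.json
}

output "role_arn" {
  value = aws_iam_role.ec2_vpc_full_access.arn
}
```

After applying this, the user's own credentials can do nothing in EC2 directly, which is exactly the UnauthorizedOperation seen in the question when `aws ec2 describe-instances` is run without assuming the role; every EC2 and VPC call has to go through the aliased provider, so a resource in the answer's configuration that omits `provider = aws.ec2_and_vpc_full_access` will produce the same error. A quick check from the user's credentials is `aws sts assume-role --role-arn <role_arn output> --role-session-name check`, which succeeds once the trust policy and the user policy are both in place.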
