[英]How do I get the aws account id from a aws_iam_user in terraform?
我正在尝试将以下策略添加到使用 terraform 的 iam 用户。如何在 upload_user_user 的策略中添加帐户 ID?
resource "aws_iam_user" "product_upload_user" {
name = "cc-${terraform.workspace}-product-upload-user"
}
resource "aws_iam_user_policy" "allow_upload" {
user = aws_iam_user.product_upload_user.name
policy = data.aws_iam_policy_document.allow_upload.json
}
data "aws_iam_policy_document" "allow_upload" {
statement {
sid = "STSToken"
effect = "Allow"
actions = ["sts:GetFederationToken"]
# resources = ["arn:aws:sts::${aws_iam_user.product_upload_user.<account_id>}:federated-user/S3UploadWebToken"]
}
}
尝试实施本教程中的策略: https://next-s3-upload.codingvalue.com/setup
您可以使用 Terraform 数据资源aws_caller_identity 。 数据资源有一个可以导出的account_id
属性。 这也可以防止将帐户 ID 硬编码到您的代码中。 我已经将附加内容添加到您可以测试的代码中。
resource "aws_iam_user" "product_upload_user" {
name = "cc-${terraform.workspace}-product-upload-user"
}
resource "aws_iam_user_policy" "allow_upload" {
user = aws_iam_user.product_upload_user.name
policy = data.aws_iam_policy_document.allow_upload.json
}
data "aws_iam_policy_document" "allow_upload" {
statement {
sid = "STSToken"
effect = "Allow"
actions = ["sts:GetFederationToken"]
resources = ["arn:aws:sts::${data.aws_caller_identity.current.account_id}:federated-user/S3UploadWebToken"]
}
}
data "aws_caller_identity" "current" {}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.