Terraform: associate an aws_iam_role with an aws_iam_policy

The aws_iam_role documentation makes it hard to see how to associate an aws_iam_role with an aws_iam_policy. There is obviously aws_iam_role_policy, but that only allows creating an "inline policy" for a specific role.

Any suggestions?

The aws_iam_policy_attachment resource allows creating connections between an IAM policy and various other IAM objects.

For example:

resource "aws_iam_role" "foo" {
    name = "example-role"
}

resource "aws_iam_policy" "foo" {
    name = "example-policy"
    description = "An example policy"
    policy = "..."
}

resource "aws_iam_policy_attachment" "foo" {
    name = "example-attachment"
    policy_arn = "${aws_iam_policy.foo.arn}"
    roles = ["${aws_iam_role.foo.name}"]
}

Policies can also be attached to users and groups, as shown on the Terraform documentation page.

What I had to do was create a role and a policy, then attach them, as shown in Martin Atkins' answer.

resource "aws_iam_role" "context-builder-role" {
  name = "context-builder-role-${terraform.workspace}"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

resource "aws_iam_policy" "arm_cfs_sqs_queue_policy" {

  name = "starmine-inline-policy-${terraform.workspace}"

  policy = <<EOF
{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Effect": "Allow",
           "Action": [
               "logs:CreateLogGroup",
               "logs:CreateLogStream",
               "logs:PutLogEvents"
           ],
           "Resource": "arn:aws:logs:*:*:*"
       },
       {
           "Action": [
               "sqs:SendMessage",
               "sqs:GetQueueUrl",
               "sqs:DeleteMessage"
           ],
           "Effect": "Allow",
           "Resource": "arn:aws:sqs:*"
       }
   ]
}
EOF
}

resource "aws_iam_role_policy_attachment" "inline-policy-attach" {
  role       = aws_iam_role.context-builder-role.name
  policy_arn = aws_iam_policy.arm_cfs_sqs_queue_policy.arn
}

You can also attach an AWS managed policy to the role using the policy ARN:

resource "aws_iam_role_policy_attachment" "s3-read-only-attach" {
  role       = aws_iam_role.context-builder-role.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
}
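Added example, not code from any of the answers above: the role, policy and attachment from the previous two answers rewritten with aws_iam_policy_document data sources instead of JSON heredocs, with the SQS statement scoped to one queue rather than "arn:aws:sqs:*" (it assumes an aws_sqs_queue.work resource exists in the same configuration). It uses aws_iam_role_policy_attachment, which manages only this one role-to-policy link, instead of the exclusive aws_iam_policy_attachment from the first answer.

```hcl
# Added example; assumes aws_sqs_queue.work is defined elsewhere in this module.
data "aws_iam_policy_document" "lambda_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "context_builder" {
  name               = "context-builder-role-${terraform.workspace}"
  assume_role_policy = data.aws_iam_policy_document.lambda_assume.json
}

data "aws_iam_policy_document" "context_builder" {
  statement {
    sid       = "Logs"
    actions   = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["arn:aws:logs:*:*:*"]
  }
  statement {
    sid       = "Queue"
    actions   = ["sqs:SendMessage", "sqs:GetQueueUrl", "sqs:DeleteMessage"]
    resources = [aws_sqs_queue.work.arn] # one queue, not every queue in the account
  }
}

resource "aws_iam_policy" "context_builder" {
  name   = "context-builder-policy-${terraform.workspace}"
  policy = data.aws_iam_policy_document.context_builder.json
}

# aws_iam_role_policy_attachment attaches this policy to this role and leaves any
# other attachments alone. aws_iam_policy_attachment (first answer) is exclusive:
# it detaches the policy from every user, group or role not listed in that resource.
resource "aws_iam_role_policy_attachment" "context_builder" {
  role       = aws_iam_role.context_builder.name
  policy_arn = aws_iam_policy.context_builder.arn
}
```

Run `terraform plan` after changing the resources list: narrowing "arn:aws:sqs:*" to a single queue ARN shows up as an in-place policy update, so the plan is the place to confirm nothing else loses access.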

Please follow these steps:

Step 1) Create the policy you want to associate with the AWS role.

Step 2) Create the AWS role as follows:

i. Set role name.

ii. Set role type according to your preference.

iii. Attach the policy which you have created in step 1.

iv. Review and create the role.

Hope this helps.
