问题描述
我对使用 terraform 的 AWS 代入角色有疑问.
I have a problem with AWS assume role using terraform.
在 AWS 中,我在单个组织中拥有三个账户:root、staging 和 production(我们只关注 root 和 staging 账户).根账户有一个 IAM 用户 terraform
(使用 AdministratorAccess
策略),terraform 使用该用户来配置所有内容.
In AWS I have three accounts: root, staging and production (let's focus only on root & staging account) in single organization. The root account has one IAM user terraform
(with AdministratorAccess
policy) which is used by terraform to provisioning all stuff.
Root account ID: 111111111111
Staging account ID: 333333333333
一个 terraform 脚本如下所示:
A terraform script looks like that:
############## backend.tf
terraform {
required_version = "0.12.19"
}
############## providers.tf
provider "aws" {
region = "eu-west-1"
profile = "default"
}
provider "aws" {
version = ">= 2.44"
region = "eu-west-1"
profile = "default"
assume_role {
role_arn = "arn:aws:iam::333333333333:role/staging-admin"
}
allowed_account_ids = ["333333333333"]
alias = "staging"
}
############## organization.tf
resource "aws_organizations_account" "staging" {
email = "staging@domain.com"
name = "Staging"
parent_id = "ZZZZZ"
}
############## data.tf
data "aws_iam_policy_document" "assume_staging_role" {
statement {
effect = "Allow"
actions = ["sts:AssumeRole"]
resources = [
aws_iam_role.staging.arn
]
}
}
data "aws_iam_policy" "administrator_access" {
arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}
data "template_file" "cross_admin_trust_policy" {
template = file("templates/cross_admin_trust_policy.json")
vars = {
staging_account_number = aws_organizations_account.staging.id
}
}
############## iam.tf
resource "aws_iam_role" "staging" {
name = "staging-admin"
description = "Assumable role granting administrator permissions to the staging account"
assume_role_policy = data.template_file.cross_admin_trust_policy.rendered
max_session_duration = 20000
provider = aws.staging
}
resource "aws_iam_role_policy_attachment" "staging_admin_access" {
role = aws_iam_role.staging.name
policy_arn = data.aws_iam_policy.administrator_access.arn
provider = aws.staging_ireland
}
resource "aws_iam_role_policy_attachment" "staging_attach_assume_any_admin" {
role = aws_iam_role.staging.name
policy_arn = data.aws_iam_policy.administrator_access.arn
provider = aws.staging_ireland
}
还有我的 policy.json 文件:
and my policy.json file:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::${staging_account_number}:role/staging-admin"
},
"Action": "sts:AssumeRole"
}
]
}
当我执行 terraform plan
时出现此错误:
when I execute terraform plan
I'm getting this error:
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.
data.aws_iam_policy.administrator_access: Refreshing state...
aws_organizations_account.staging: Refreshing state... [id=333333333333]
data.template_file.cross_admin_trust_policy: Refreshing state...
Error: The role "arn:aws:iam::333333333333:role/staging-admin" cannot be assumed.
There are a number of possible causes of this - the most common are:
* The credentials used in order to assume the role are invalid
* The credentials do not have appropriate permission to assume the role
* The role ARN is not valid
on providers.tf line 25, in provider "aws"
有人知道如何解决?
推荐答案
根据https://aws.amazon.com/premiumsupport/knowledge-center/iam-assume-role-cli/
运行
aws sts get-caller-identity
命令来检查您的身份.
Run the
aws sts get-caller-identity
command to check your identity.
运行 aws sts assume-role --role-arn arn:aws:iam::333333333333:role/staging-admin
命令查看您的角色是否可以担任身份.
Run the aws sts assume-role --role-arn arn:aws:iam::333333333333:role/staging-admin
command to see if this role can be assumed by your identity.
检查您的 IAM 角色的信任关系.您应该对其进行限制,以便 IAM 角色只能由特定 IAM 用户担任.
Check your IAM role's trust relationship. You should restrict it so that the IAM role should be only assumed by specific IAM users.
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Principal": { "AWS": "arn:aws:iam:: 333333333333:root" },
"Action": "sts:AssumeRole"
}
}
这篇关于Terraform aws 承担角色的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!