【发布时间】:2021-09-17 18:06:51
【问题描述】:
我正在尝试将角色应用于 Kubernetes 服务帐户,并且我正在尝试转换以下 json
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Federated": "${oidc_arn}"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"${oidc_url}:sub": "system:serviceaccount:${k8s_namespace}:${role_name}",
"${oidc_url}:aud": "sts.amazonaws.com"
}
}
}]
}
进入 HCL
variable "pod_iam_role_name" {
default = "PodAssumeRole"
}
variable "instance_manager_namespace" {
default = "instance-manager"
}
resource "aws_iam_role" "pod_role" {
name = var.pod_iam_role_name
path = "/"
assume_role_policy = aws_iam_policy.pod_role.arn
force_detach_policies = false
}
resource "aws_iam_policy" "pod_role" {
name = "PodAssumeRolePolicy"
path = "/"
policy = data.aws_iam_policy_document.pod_role.json
}
data "aws_iam_policy_document" "pod_role" {
version = "2012-10-17"
statement {
sid = "PodAssumeRole"
effect = "Allow"
principals {
type = "Service"
identifiers = [
module.eks.oidc_provider_arn
]
}
actions = [
"sts:AssumeRoleWithWebIdentity",
]
condition {
test = "StringEquals"
values = [
"${module.eks.cluster_oidc_issuer_url}:aud"
]
variable = "sts.amazonaws.com"
}
condition {
test = "StringEquals"
values = [
"${module.eks.cluster_oidc_issuer_url}:sub"
]
variable = "system:serviceaccount:${var.instance_manager_namespace}:${var.pod_iam_role_name}"
}
}
}
但我收到以下错误
Error: error creating IAM policy PodAssumeRolePolicy: MalformedPolicyDocument: The policy failed legacy parsing
status code: 400, request id: 47efe363-c069-46b6-bd7e-51d9f6032969
on ../../modules/k8s/openid.tf line 32, in resource "aws_iam_policy" "pod_role":
32: resource "aws_iam_policy" "pod_role" {
为了学分和充分披露,我可以告知我正在关注this 教程。
【问题讨论】:
-
错误是关于
aws_iam_policy.openid但是你的代码没有这样的东西。 -
@Marcin - 我复制并粘贴了旧的错误消息,我的错。问题依然存在。
-
@Marcin 它正在使用模板文件,但这是我试图避免的。但是我一直忙于其他任务,所以我没有时间研究这个
标签: amazon-web-services terraform amazon-eks aws-policies