【Posted】: 2021-04-22 02:07:43
【Question】:
Can someone help with this error? I am configuring AWS Backup and get this error message. I have tried many things (IAM policies, etc.) with no luck. Any help is much appreciated.
Error: error getting Backup Vault: AccessDeniedException: status code: 403, request id: 501c0713-0ce9-4879-93f6-1887322a38be
【Question discussion】:
- Ever figure this out? Having the same problem.
【Answer】:
I ran into this problem using Terraform. I fixed it by adding the "backup-storage:MountCapsule" permission to the policy of the role I was using to create the resources. Here is the slightly edited policy and role configuration. Hope this helps someone.
data "aws_iam_policy_document" "CloudFormationServicePolicy" {
  statement {
    sid    = "AllResources"
    effect = "Allow"
    actions = [
      "backup:*",
      "backup-storage:MountCapsule",
      ...
    ]
    resources = ["*"]
  }

  statement {
    sid       = "IAM"
    effect    = "Allow"
    actions   = ["iam:PassRole"]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "CloudFormationServicePolicy" {
  name        = "${local.resource_name}-CloudFormationServicePolicy"
  description = "policy for the IAM role"
  path        = "/${local.metadata["project"]}/${local.metadata["application"]}/"
  policy      = data.aws_iam_policy_document.CloudFormationServicePolicy.json
}

resource "aws_iam_role" "CloudFormationServiceRole" {
  name                  = "${local.resource_name}-CloudFormationServiceRole"
  description           = "Allow cluster to manage node groups, fargate nodes and cloudwatch logs"
  force_detach_policies = true

  assume_role_policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Action" : "sts:AssumeRole",
        "Principal" : {
          "Service" : ["cloudformation.amazonaws.com", "ecs-tasks.amazonaws.com"]
        },
        "Effect" : "Allow",
        "Sid" : "TrustStatement"
      },
      {
        "Effect" : "Allow",
        "Principal" : {
          "AWS" : "arn:aws:iam::xxxxxxx:role/OrganizationAdministratorRole"
        },
        "Action" : "sts:AssumeRole"
      }
    ]
  })
}

resource "aws_iam_role_policy_attachment" "CloudFormationService_task_role_policy_attachment" {
  role       = aws_iam_role.CloudFormationServiceRole.name
  policy_arn = aws_iam_policy.CloudFormationServicePolicy.arn
}
【Discussion】:
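The answer's point is that `backup:*` alone does not cover `backup-storage:MountCapsule`, because the wildcard only expands within the `backup` service prefix. The following is an added example, not code from the thread, that makes this checkable before a deploy: it takes an IAM policy document (the JSON that `aws_iam_policy_document` renders), tests a list of required actions against it with IAM-style wildcard matching, and separately flags statements that grant every action on every resource. The required-action list is an assumption: `backup:DescribeBackupVault` is the read call behind "getting Backup Vault", and `backup-storage:MountCapsule` is the action the answer adds. Conditions and resource ARNs are ignored, so it is a first-pass action-name check, not a substitute for the IAM policy simulator.

```python
"""Check an IAM policy document for the actions AWS Backup vault access needs.

Added example (not from the original thread). Usage: evaluate(policy_dict)
returns (allowed, missing); overly_broad(policy_dict) lists Sids that grant
"*" on "*". Resource ARNs and Condition blocks are deliberately ignored.
"""
import fnmatch
import json

# Assumed required actions: the vault read call and the one the answer added.
REQUIRED_ACTIONS = ("backup:DescribeBackupVault", "backup-storage:MountCapsule")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern, action):
    """IAM action matching is case-insensitive with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statements_matching(policy, effect, action):
    """Statements with the given Effect whose Action list matches the action."""
    return [
        st for st in _as_list(policy.get("Statement"))
        if st.get("Effect") == effect
        and any(_matches(p, action) for p in _as_list(st.get("Action")))
    ]


def evaluate(policy, required=REQUIRED_ACTIONS):
    """Return (allowed, missing): an action is allowed when some Allow
    statement matches it and no Deny statement does (explicit deny wins)."""
    allowed, missing = [], []
    for action in required:
        ok = bool(_statements_matching(policy, "Allow", action)) and not \
            _statements_matching(policy, "Deny", action)
        (allowed if ok else missing).append(action)
    return allowed, missing


def overly_broad(policy):
    """Sids of Allow statements granting every action on every resource."""
    return [
        st.get("Sid", "<no Sid>")
        for st in _as_list(policy.get("Statement"))
        if st.get("Effect") == "Allow"
        and "*" in _as_list(st.get("Action"))
        and "*" in _as_list(st.get("Resource"))
    ]


# Constructed sample: the role's policy before the fix (backup:* only).
POLICY_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllResources", "Effect": "Allow",
         "Action": ["backup:*"], "Resource": "*"},
        {"Sid": "IAM", "Effect": "Allow",
         "Action": ["iam:PassRole"], "Resource": "*"},
    ],
}

# Constructed sample: the same policy with the action the answer adds.
POLICY_AFTER = json.loads(json.dumps(POLICY_BEFORE))
POLICY_AFTER["Statement"][0]["Action"].append("backup-storage:MountCapsule")


if __name__ == "__main__":
    for label, pol in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        allowed, missing = evaluate(pol)
        print(f"{label}: allowed={allowed} missing={missing} "
              f"broad={overly_broad(pol)}")
```

Run against the rendered JSON of `data.aws_iam_policy_document.CloudFormationServicePolicy` (for example via `terraform output` or `terraform show -json`) to confirm both actions are present before applying; an empty `missing` list with an empty `overly_broad` list is the state to aim for.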