定义 Lambda 策略并承担角色策略

【问题标题】:Define Lambda policy and assume role policy定义 Lambda 策略并承担角色策略
【发布时间】:2021-10-15 18:37:44
【问题描述】:

我正在编写一个应使用 CloudWatch 事件触发(在X 时间之后)的 Lambda 函数。我的配置几乎可以工作,但我无法从 AWS 获得正确的策略业务。这是我目前所拥有的:

data "aws_iam_policy_document" "this" {
  statement {
    actions = ["sts:AssumeRole"]
    effect  = "Allow"
    principals {
      identifiers = ["lambda.amazonaws.com"]
      type        = "Service"
    }
  }
  statement {
    actions   = [
      "logs:CreateLogStream",
      "logs:PutLogEvents",
    ]
    effect    = "Allow"
    resources = ["arn:aws:logs:*:*:*"]
  }
}

resource "aws_iam_role_policy_attachment" "this" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
  role       = aws_iam_role.this.name
}

resource "aws_iam_role" "this" {
  assume_role_policy = data.aws_iam_policy_document.this.json
  name               = "AWSLambdaSpringCloudFunctionBasicExecutionRole"
}

我只希望 Lambda 能够写入 CloudWatch 并由 CloudWatch 事件源触发...仅此而已,没有更多权限。我正在通过 Terraform 创建日志组,因此不需要 logs:CreateLogGroup

当我执行terraform apply(版本0.12.24)时,会弹出此错误:

aws_iam_role.this: Creating...

Error: Error creating IAM Role AWSLambdaSpringCloudFunctionBasicExecutionRole: MalformedPolicyDocument: Has prohibited field Resource
    status code: 400, request id: 12ad676e-b98e-4c60-bedd-bf17487bd51d

有没有办法同时声明 AWS Lambda 策略和承担角色策略?如果没有,推荐的 Terraform 资源/数据源是什么?

更新:完整的解决方案

正如 Oleksii 指出的,我使用了错误的资源来创建 IAM 政策:

data "aws_iam_policy_document" "assume_role" {
  statement {
    actions = ["sts:AssumeRole"]
    effect  = "Allow"
    principals {
      identifiers = ["lambda.amazonaws.com"]
      type        = "Service"
    }
  }
}

resource "aws_iam_role_policy_attachment" "assume_role" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
  role       = aws_iam_role.lambda.name
}

resource "aws_iam_role" "lambda" {
  assume_role_policy = data.aws_iam_policy_document.assume_role.json
  name               = "Use Any Identifier/Name You Want Here For IAM Role"
}

data "aws_iam_policy_document" "logs" {
  statement {
    actions   = [
      "logs:CreateLogStream",
      "logs:PutLogEvents",
    ]
    effect    = "Allow"
    resources = ["arn:aws:logs:*:*:*"]
  }
}

resource "aws_iam_policy_attachment" "logs" {
  name       = "Use Any Identifier/Name You Want Here For IAM Policy Logs"
  policy_arn = aws_iam_policy.logs.arn
  roles      = [aws_iam_role.lambda.name]
}

resource "aws_iam_policy" "logs" {
  name   = "Use Any Identifier/Name You Want Here For IAM Policy Logs"
  policy = data.aws_iam_policy_document.logs.json
}

【问题讨论】:

  • 您在第二个声明中错过了effect: "Allow" 吗?
  • 已更新...我有,忘记输入了:/

标签: amazon-web-services terraform terraform-provider-aws


【解决方案1】:

您试图在assume_role_policy 中定义多个语句,这不是常规策略,而是“信任关系”类型的策略。它只描述了谁可以担任角色以及在什么条件下。

根据我的理解(有限的 Terraform 知识),您需要将第二条语句移到它自己的策略中,然后通过 aws_iam_role_policy_attachment 附加它

【讨论】:

  • 刚刚发现;缺少组合:aws_iam_policy_documentaws_iam_policy_attachmentaws_iam_policy...这就是我必须定义(和工作)的第二个组合,我试图坚持使用 aws_iam_role_policy_attachment
猜你喜欢
  • 2018-03-02
  • 2023-02-09
  • 2019-12-21
  • 1970-01-01
  • 2013-09-11
  • 1970-01-01
  • 2019-11-17
  • 1970-01-01
  • 1970-01-01
相关资源
最近更新 更多
热门标签
Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode