Terraform aws 承担角色
Posted
技术标签:
【中文标题】Terraform aws 承担角色【英文标题】:Terraform aws assume role 【发布时间】:2020-04-29 11:04:15 【问题描述】:我对使用 terraform 的 AWS 代入角色有疑问。
在 AWS 中,我在单个组织中拥有三个账户:root、staging 和 production(让我们只关注 root 和 staging 账户)。根账户有一个 IAM 用户 terraform(使用 AdministratorAccess 策略),terraform 使用该用户来配置所有内容。
The image of organization structure
Root account ID: 111111111111
Staging account ID: 333333333333
一个 terraform 脚本如下所示:
############## backend.tf
terraform
required_version = "0.12.19"
############## providers.tf
provider "aws"
region = "eu-west-1"
profile = "default"
provider "aws"
version = ">= 2.44"
region = "eu-west-1"
profile = "default"
assume_role
role_arn = "arn:aws:iam::333333333333:role/staging-admin"
allowed_account_ids = ["333333333333"]
alias = "staging"
############## organization.tf
resource "aws_organizations_account" "staging"
email = "staging@domain.com"
name = "Staging"
parent_id = "ZZZZZ"
############## data.tf
data "aws_iam_policy_document" "assume_staging_role"
statement
effect = "Allow"
actions = ["sts:AssumeRole"]
resources = [
aws_iam_role.staging.arn
]
data "aws_iam_policy" "administrator_access"
arn = "arn:aws:iam::aws:policy/AdministratorAccess"
data "template_file" "cross_admin_trust_policy"
template = file("templates/cross_admin_trust_policy.json")
vars =
staging_account_number = aws_organizations_account.staging.id
############## iam.tf
resource "aws_iam_role" "staging"
name = "staging-admin"
description = "Assumable role granting administrator permissions to the staging account"
assume_role_policy = data.template_file.cross_admin_trust_policy.rendered
max_session_duration = 20000
provider = aws.staging
resource "aws_iam_role_policy_attachment" "staging_admin_access"
role = aws_iam_role.staging.name
policy_arn = data.aws_iam_policy.administrator_access.arn
provider = aws.staging_ireland
resource "aws_iam_role_policy_attachment" "staging_attach_assume_any_admin"
role = aws_iam_role.staging.name
policy_arn = data.aws_iam_policy.administrator_access.arn
provider = aws.staging_ireland
还有我的 policy.json 文件:
"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Principal":
"AWS": "arn:aws:iam::$staging_account_number:role/staging-admin"
,
"Action": "sts:AssumeRole"
]
当我执行terraform plan 时出现此错误:
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.
data.aws_iam_policy.administrator_access: Refreshing state...
aws_organizations_account.staging: Refreshing state... [id=333333333333]
data.template_file.cross_admin_trust_policy: Refreshing state...
Error: The role "arn:aws:iam::333333333333:role/staging-admin" cannot be assumed.
There are a number of possible causes of this - the most common are:
* The credentials used in order to assume the role are invalid
* The credentials do not have appropriate permission to assume the role
* The role ARN is not valid
on providers.tf line 25, in provider "aws"
有人知道如何解决?
【问题讨论】:
【参考方案1】:根据https://aws.amazon.com/premiumsupport/knowledge-center/iam-assume-role-cli/
运行aws sts get-caller-identity 命令检查您的身份。
运行aws sts assume-role --role-arn arn:aws:iam::333333333333:role/staging-admin 命令,查看您的身份是否可以担任此角色。
检查您的 IAM 角色的信任关系。您应该对其进行限制,以便 IAM 角色只能由特定 IAM 用户担任。
"Version": "2012-10-17",
"Statement":
"Effect": "Allow",
"Principal": "AWS": "arn:aws:iam:: 333333333333:root" ,
"Action": "sts:AssumeRole"
【讨论】:
谢谢你的回答,但是我对第二点有问题。 1.aws sts get-caller-identity 向我返回正确的 json 响应 2. 命令 aws sts assume-role --role-arn arn:aws:iam::333333333333:role/staging-admin --role-session-name terraform 向我返回:An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::111111111111:user/terraform is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::333333333333:role/staging-admin 3. 应该在哪个帐户上完成?在根帐户上的 IAM terraform 用户上?
在我看来,您应该授予您的 IAM 用户 arn:aws:iam::111111111111:user/terraform 访问 arn:aws:iam::333333333333:role/staging-admin 的权限。我想你可以去333333333333:role/staging-admin这个角色建立信任关系。以上是关于Terraform aws 承担角色的主要内容,如果未能解决你的问题,请参考以下文章
如何在 local-exec 配置程序中从 terraform 继承 aws 凭据
如何使用 terraform 将 aws ec2 私有 ips 传递给模板文件