Terraform aws 承担角色

Posted

技术标签:

【中文标题】Terraform aws 承担角色【英文标题】:Terraform aws assume role 【发布时间】:2020-04-29 11:04:15 【问题描述】:

我对使用 terraform 的 AWS 代入角色有疑问。

在 AWS 中,我在单个组织中拥有三个账户:root、staging 和 production(让我们只关注 root 和 staging 账户)。根账户有一个 IAM 用户 terraform(使用 AdministratorAccess 策略),terraform 使用该用户来配置所有内容。

The image of organization structure

Root account ID: 111111111111
Staging account ID: 333333333333

一个 terraform 脚本如下所示:

############## backend.tf

terraform 
  required_version = "0.12.19"



############## providers.tf
provider "aws" 
  region = "eu-west-1"

  profile = "default"


provider "aws" 
  version = ">= 2.44"
  region  = "eu-west-1"
  profile = "default"

  assume_role 
    role_arn = "arn:aws:iam::333333333333:role/staging-admin"
  

  allowed_account_ids = ["333333333333"]

  alias = "staging"



############## organization.tf
resource "aws_organizations_account" "staging" 
  email = "staging@domain.com"
  name  = "Staging"

  parent_id = "ZZZZZ"




############## data.tf
data "aws_iam_policy_document" "assume_staging_role" 
  statement 
    effect    = "Allow"
    actions   = ["sts:AssumeRole"]
    resources = [
      aws_iam_role.staging.arn
    ]
  


data "aws_iam_policy" "administrator_access" 
  arn = "arn:aws:iam::aws:policy/AdministratorAccess"


data "template_file" "cross_admin_trust_policy" 
  template = file("templates/cross_admin_trust_policy.json")

  vars = 
    staging_account_number = aws_organizations_account.staging.id
  




############## iam.tf
resource "aws_iam_role" "staging" 
  name                 = "staging-admin"
  description          = "Assumable role granting administrator permissions to the staging account"
  assume_role_policy   = data.template_file.cross_admin_trust_policy.rendered
  max_session_duration = 20000

  provider = aws.staging


resource "aws_iam_role_policy_attachment" "staging_admin_access" 
  role       = aws_iam_role.staging.name
  policy_arn = data.aws_iam_policy.administrator_access.arn

  provider = aws.staging_ireland


resource "aws_iam_role_policy_attachment" "staging_attach_assume_any_admin" 
  role       = aws_iam_role.staging.name
  policy_arn = data.aws_iam_policy.administrator_access.arn

  provider = aws.staging_ireland

还有我的 policy.json 文件:


  "Version": "2012-10-17",
  "Statement": [
    
      "Effect": "Allow",
      "Principal": 
        "AWS": "arn:aws:iam::$staging_account_number:role/staging-admin"
      ,
      "Action": "sts:AssumeRole"
    
  ]


当我执行terraform plan 时出现此错误:

Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

data.aws_iam_policy.administrator_access: Refreshing state...
aws_organizations_account.staging: Refreshing state... [id=333333333333]
data.template_file.cross_admin_trust_policy: Refreshing state...

Error: The role "arn:aws:iam::333333333333:role/staging-admin" cannot be assumed.

  There are a number of possible causes of this - the most common are:
    * The credentials used in order to assume the role are invalid
    * The credentials do not have appropriate permission to assume the role
    * The role ARN is not valid

  on providers.tf line 25, in provider "aws"

有人知道如何解决?

【问题讨论】:

【参考方案1】:

根据https://aws.amazon.com/premiumsupport/knowledge-center/iam-assume-role-cli/

    运行aws sts get-caller-identity 命令检查您的身份。

    运行aws sts assume-role --role-arn arn:aws:iam::333333333333:role/staging-admin 命令,查看您的身份是否可以担任此角色。

    检查您的 IAM 角色的信任关系。您应该对其进行限制,以便 IAM 角色只能由特定 IAM 用户担任。


    "Version": "2012-10-17",
    "Statement": 
        "Effect": "Allow",
        "Principal":  "AWS": "arn:aws:iam:: 333333333333:root" ,
        "Action": "sts:AssumeRole"
    

【讨论】:

谢谢你的回答,但是我对第二点有问题。 1. aws sts get-caller-identity 向我返回正确的 json 响应 2. 命令 aws sts assume-role --role-arn arn:aws:iam::333333333333:role/staging-admin --role-session-name terraform 向我返回:An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::111111111111:user/terraform is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::333333333333:role/staging-admin 3. 应该在哪个帐户上完成?在根帐户上的 IAM terraform 用户上? 在我看来,您应该授予您的 IAM 用户 arn:aws:iam::111111111111:user/terraform 访问 arn:aws:iam::333333333333:role/staging-admin 的权限。我想你可以去333333333333:role/staging-admin这个角色建立信任关系。

以上是关于Terraform aws 承担角色的主要内容,如果未能解决你的问题,请参考以下文章

如何在 local-exec 配置程序中从 terraform 继承 aws 凭据

如何使用 terraform 将 aws ec2 私有 ips 传递给模板文件

使用承担角色从 lambda 访问 S3

Terraform:将 AWS 托管策略附加到角色的正确方法?

究竟啥是 AWS 中的“承担”角色?

为 Terraform 服务帐户定义 ClusterRoleBinding