Dynamic AWS IAM policy document with principals
Posted: 2021-11-12 13:00:21

Question: I am creating a dynamic AWS IAM policy document, going from the static "FROM" version to the dynamic "TO" version, but the principals part fails with:
An argument named "principals" is not expected here.
If I remove "principals" from the aws_iam_policy_document, it works. Any suggestions would be helpful.
FROM:
    data "aws_iam_policy_document" "bucket_policy" {
      statement {
        principals {
          type = "AWS"
          identifiers = [
            "arn:aws:iam::sdfsdfsdeploy",
            "arn:aws:iam::sdfsdfsdeploy/OrganizationAccountAccessRole"
          ]
        }
        actions = [
          "s3:GetObject",
          "s3:PutObject"
        ]
        resources = formatlist("arn:aws:s3:::%s/*", var.bucket_name)
      }
    }
TO (this code is in source = "../../modules/s3/main.tf"):
    data "aws_iam_policy_document" "bucket_policy" {
      dynamic "statement" {
        for_each = var.policies_list
        iterator = role
        content {
          effect     = lookup(role.value, "effect", null)
          principals = lookup(role.value, "principals", null)
          actions    = lookup(role.value, "actions", null)
          resources  = lookup(role.value, "resources", null)
        }
      }
    }
    module "s3_test" {
      source = "../../modules/s3"
      region = var.region
      policies_list = [
        {
          effect = "Allow"
          principals = {
            type = "AWS"
            identifiers = [
              "arn:aws:iam::3ssdfsdfy",
              "arn:aws:iam::3ssdfsdfy:role/OrganizationAccountAccessRole"
            ]
          }
          actions = [
            "s3:GetObject",
            "s3:PutObject"
          ]
          resources = formatlist("arn:aws:s3:::%s/*", "teskjkjsdkfkjskdjhkjfhkjhskjdf")
        }
      ]
    }
Comments:
What is the code of ../../modules/s3?
source = "terraform-aws-modules/s3-bucket/aws"; it can be anything.
Answer 1:
Found it.
    variable "policies_list" {
      description = "nested block: s3_aws_iam_policy_document"
      type = set(object({
        actions = list(string)
        effect  = string
        principals = set(object({
          type        = string
          identifiers = list(string)
        }))
        resources = list(string)
      }))
      default = []
    }
    data "aws_iam_policy_document" "bucket_policy" {
      dynamic "statement" {
        for_each = var.policies_list
        iterator = role
        content {
          effect  = lookup(role.value, "effect", null)
          actions = lookup(role.value, "actions", null)
          # principals is a nested block, not an attribute, so it needs its own dynamic block
          dynamic "principals" {
            for_each = role.value.principals
            content {
              type        = principals.value["type"]
              identifiers = principals.value["identifiers"]
            }
          }
          resources = lookup(role.value, "resources", null)
        }
      }
    }
Based on https://github.com/niveklabs/tfwriter/blob/1ea629ed386bbe6a8f21617a430dae19ba536a98/google-beta/r/google_storage_bucket.md
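Because the answer types `principals` as `set(object(...))`, the caller must now pass a list of principal objects rather than the single object used in the question. The following is an added example, not code from the post; it shows the matching caller block plus a `validation` block (Terraform 0.14 or newer is assumed for `alltrue`) that fails the plan if any statement names the anonymous principal `*`. The account id and bucket name are placeholders.

```hcl
variable "policies_list" {
  description = "nested block: s3_aws_iam_policy_document"
  type = set(object({
    actions = list(string)
    effect  = string
    principals = set(object({
      type        = string
      identifiers = list(string)
    }))
    resources = list(string)
  }))
  default = []

  # Reject any statement whose principals include "*": combined with an Allow
  # effect that would make the bucket objects reachable by any AWS caller.
  validation {
    condition = alltrue([
      for stmt in var.policies_list : alltrue([
        for p in stmt.principals : !contains(p.identifiers, "*")
      ])
    ])
    error_message = "policies_list must not contain a wildcard (\"*\") principal."
  }
}

# Caller side: principals is a list of objects, even with a single entry.
# Account id and bucket name below are placeholders, not values from the post.
module "s3_test" {
  source = "../../modules/s3"
  region = var.region

  policies_list = [
    {
      effect = "Allow"
      principals = [
        {
          type        = "AWS"
          identifiers = ["arn:aws:iam::111122223333:role/OrganizationAccountAccessRole"]
        }
      ]
      actions   = ["s3:GetObject", "s3:PutObject"]
      resources = ["arn:aws:s3:::example-bucket-placeholder/*"]
    }
  ]
}
```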