尽管 IAM 设置正确,Terraform 仍承担角色
Terraform assume role despite correct IAM setup
我已经能够通过使用具有给定配置文件的 CLI 假设它来测试这个角色。但是,我仍然在申请时收到此错误:
│ Error: error configuring Terraform AWS Provider: IAM Role (arn:aws:iam::<omitted>:role/<omitted>) cannot be assumed.
│
│ There are a number of possible causes of this - the most common are:
│ * The credentials used in order to assume the role are invalid
│ * The credentials do not have appropriate permission to assume the role
│ * The role ARN is not valid
│
│ Error: NoCredentialProviders: no valid providers in chain. Deprecated.
│ For verbose messaging see aws.Config.CredentialsChainVerboseErrors
│
│
│ with provider["registry.terraform.io/hashicorp/aws"],
│ on providers.tf line 3, in provider "aws":
│ 3: provider "aws" {
│
提供商配置如下所示:
provider "aws" {
region = var.aws_region
profile = var.aws_profile
assume_role {
role_arn = var.assume_role_arn
session_name = "assume-role-${timestamp()}"
}
}
假设所有变量都是正确的 - 我做错了什么?
我能够在一个简单的存储库中重新创建它:
https://github.com/SparkPost/tf-recreate-assume-role-bug
显然,您必须创建一个正确的代入角色设置,并在角色的代入角色策略和执行代入的 user/role 策略中设置权限。
编辑:
它已被请求,因此这是假定角色的信任策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::<omitted>:user/<my username>"
]
},
"Action": "sts:AssumeRole"
}
]
}
另外需要说明的是,我是admin用户,可以承担所有角色。
这是我用来从 CLI 测试承担角色的命令:
aws sts --profile <profile used in module> assume-role --role-arn <role arn from error message> --role-session-name test
返回成功
您的 timestamp() 将 return 非法字符 作为会话名称。您必须将其格式化为只有好的字符,例如:
session_name = "assume-role-${formatdate("MMM-DD-YYYY", timestamp())}"
我已经能够通过使用具有给定配置文件的 CLI 假设它来测试这个角色。但是,我仍然在申请时收到此错误:
│ Error: error configuring Terraform AWS Provider: IAM Role (arn:aws:iam::<omitted>:role/<omitted>) cannot be assumed.
│
│ There are a number of possible causes of this - the most common are:
│ * The credentials used in order to assume the role are invalid
│ * The credentials do not have appropriate permission to assume the role
│ * The role ARN is not valid
│
│ Error: NoCredentialProviders: no valid providers in chain. Deprecated.
│ For verbose messaging see aws.Config.CredentialsChainVerboseErrors
│
│
│ with provider["registry.terraform.io/hashicorp/aws"],
│ on providers.tf line 3, in provider "aws":
│ 3: provider "aws" {
│
提供商配置如下所示:
provider "aws" {
region = var.aws_region
profile = var.aws_profile
assume_role {
role_arn = var.assume_role_arn
session_name = "assume-role-${timestamp()}"
}
}
假设所有变量都是正确的 - 我做错了什么?
我能够在一个简单的存储库中重新创建它: https://github.com/SparkPost/tf-recreate-assume-role-bug
显然,您必须创建一个正确的代入角色设置,并在角色的代入角色策略和执行代入的 user/role 策略中设置权限。
编辑: 它已被请求,因此这是假定角色的信任策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::<omitted>:user/<my username>"
]
},
"Action": "sts:AssumeRole"
}
]
}
另外需要说明的是,我是admin用户,可以承担所有角色。
这是我用来从 CLI 测试承担角色的命令:
aws sts --profile <profile used in module> assume-role --role-arn <role arn from error message> --role-session-name test
返回成功
您的 timestamp() 将 return 非法字符 作为会话名称。您必须将其格式化为只有好的字符,例如:
session_name = "assume-role-${formatdate("MMM-DD-YYYY", timestamp())}"