Creating an aws_api_gateway_account resource returns AccessDeniedException
In my terraform script I have the following resource -
resource "aws_api_gateway_account" "demo" {
cloudwatch_role_arn = var.apigw_cloudwatch_role_arn
}
During the Apply phase I see the following error -
2020/09/21 20:20:48 [ERROR] <root>: eval: *terraform.EvalApplyPost, err: Updating API Gateway Account failed: AccessDeniedException:
status code: 403, request id: abb0662e-ead2-4d95-b987-7d889088a5ef
Do I need to attach a specific permission to the role to get rid of this error?
I haven't tested it, but I believe the role needs something like the following. See the "Enable CloudWatch Logs" section of https://docs.aws.amazon.com/apigateway/latest/developerguide/stages.html for more context:
For common application scenarios, the IAM role could attach the
managed policy of AmazonAPIGatewayPushToCloudWatchLogs, which contains
the following access policy statement:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:PutLogEvents",
"logs:GetLogEvents",
"logs:FilterLogEvents"
],
"Resource": "*"
}
]
}
The IAM role must also contain the following trust relationship
statement:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "apigateway.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
Ran into the same issue as @bdev03. It took me 2 days to work out that the missing permission was "iam:PassRole". It would be great if terraform could point this out. Hope this helps.
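Putting the two answers together: the role in the accepted answer is what API Gateway assumes to write logs, but the 403 in the question is raised against the identity that runs terraform apply, which has to be allowed to hand that role to API Gateway (the iam:PassRole the last comment found) and to PATCH the account-level settings. The following Terraform configuration is an added example, not code from the original thread; the resource names (apigw_cloudwatch, deployer), the policy name and the aws_region/aws_iam_policy_document data sources are assumptions for illustration. The iam:PassedToService condition is a hardening the thread does not mention: it stops the deployer from passing this role to any other service.

```hcl
# Added example (not from the original thread). Assumes the AWS provider is
# already configured; names such as "apigw_cloudwatch" and "deployer" are
# illustrative.

# 1. Role that API Gateway itself assumes to push execution logs to CloudWatch
#    (same trust relationship and managed policy as in the answer above).
data "aws_iam_policy_document" "apigw_assume" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["apigateway.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "apigw_cloudwatch" {
  name               = "apigw-cloudwatch-logs"
  assume_role_policy = data.aws_iam_policy_document.apigw_assume.json
}

resource "aws_iam_role_policy_attachment" "apigw_cloudwatch" {
  role       = aws_iam_role.apigw_cloudwatch.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
}

# The account setting is one per region per account; depend on the policy
# attachment so the role is usable by the time API Gateway validates it.
resource "aws_api_gateway_account" "demo" {
  cloudwatch_role_arn = aws_iam_role.apigw_cloudwatch.arn
  depends_on          = [aws_iam_role_policy_attachment.apigw_cloudwatch]
}

# 2. Least-privilege statements for the identity that runs `terraform apply`.
#    The AccessDeniedException in the question comes from this side:
#    UpdateAccount needs iam:PassRole on the role being handed to API Gateway,
#    plus PATCH on the account resource.
data "aws_region" "current" {}

data "aws_iam_policy_document" "deployer" {
  statement {
    sid       = "PassOnlyTheLoggingRoleToApiGateway"
    effect    = "Allow"
    actions   = ["iam:PassRole"]
    resources = [aws_iam_role.apigw_cloudwatch.arn]
    # Assumed hardening: the role may only be passed to API Gateway, so a
    # compromised deployer cannot hand it to Lambda, EC2, etc.
    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = ["apigateway.amazonaws.com"]
    }
  }

  statement {
    sid       = "UpdateApiGatewayAccountSettings"
    effect    = "Allow"
    actions   = ["apigateway:GET", "apigateway:PATCH"]
    resources = ["arn:aws:apigateway:${data.aws_region.current.name}::/account"]
  }
}

resource "aws_iam_policy" "deployer" {
  name   = "terraform-apigw-account-deployer"
  policy = data.aws_iam_policy_document.deployer.json
}
```

Attach aws_iam_policy.deployer to whatever user or role runs terraform. Before re-running apply you can confirm the fix without touching the account with `aws iam simulate-principal-policy --policy-source-arn <deployer-arn> --action-names iam:PassRole --resource-arns <role-arn>`; a result of "implicitDeny" is the same condition the question is hitting.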