使用 AWS assume_role 和非默认 AWS 凭证执行 Terraform Plan
Execute Terraform Plan with AWS assume_role and non-default AWS credentials
我正在尝试 运行 使用非默认的 aws 凭据配置文件在本地进行 terraform 规划,而我的默认配置文件将不起作用。我还需要在 terraform provider "aws" 中使用 assume_role。我的代码看起来像这样:
provider "aws" {
version = "~> 2.45"
region = "us-east-1"
profile = <profile name>
allowed_account_ids = [<account_id>]
assume_role {
role_arn = "arn:aws:iam::<account id>:role/<role name>"
}
}
我得到的错误是:
Error: The role "arn:aws:iam::<account_id>:role/<role_name>" cannot be assumed.
There are a number of possible causes of this - the most common are:
* The credentials used in order to assume the role are invalid
* The credentials do not have appropriate permission to assume the role
* The role ARN is not valid
有趣的是,当我像这样将 access_key 和 secret_key 放入提供程序时:
provider "aws" {
version = "~> 2.45"
region = "us-east-1"
access_key = <aws access key>
secret_key = <aws secret key>
assume_role {
role_arn = "arn:aws:iam::<account_id>:role/<role_name>"
}
}
terraform 计划运行良好。我已经多次检查我的 aws 凭据文件并且它设置正确,但我不确定为什么 terraform plan 不起作用。
当我在文件中有 access_key 和 secret_key 时,我也尝试删除 provider "aws" 中的 assume_role 参数,并且 terraform plan 工作正常,这意味着我不需要assume_role。但是,如果我在 terraform 文件中使用没有 assume_role 的 aws 凭据的配置文件,我会得到:
Error: error using credentials to get account ID: error calling sts:GetCallerIdentity: SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
status code: 403, request id:
您需要修改 IAM Role 上的 Trust Policy,如下所示
How to use trust policies with IAM roles
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:user/<Your username>"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
更新 IAM Role 上的 Trust Policy 后,您可以通过 assume-role 命令验证这一点
aws sts assume-role --role-arn arn:aws:iam::123456789012:role/xaccounts3access --role-session-name s3-access-example
你会收到类似的东西:
{
"AssumedRoleUser": {
"AssumedRoleId": "AROA3XFRBF535PLBIFPI4:s3-access-example",
"Arn": "arn:aws:sts::123456789012:assumed-role/xaccounts3access/s3-access-example"
},
"Credentials": {
"SecretAccessKey": "9drTJvcXLB89EXAMPLELB8923FB892xMFI",
"SessionToken": "AQoXdzELDDY//////////wEaoAK1wvxJY12r2IrDFT2IvAzTCn3zHoZ7YNtpiQLF0MqZye/qwjzP2iEXAMPLEbw/m3hsj8VBTkPORGvr9jM5sgP+w9IZWZnU+LWhmg+a5fDi2oTGUYcdg9uexQ4mtCHIHfi4citgqZTgco40Yqr4lIlo4V2b2Dyauk0eYFNebHtYlFVgAUj+7Indz3LU0aTWk1WKIjHmmMCIoTkyYp/k7kUG7moeEYKSitwQIi6Gjn+nyzM+PtoA3685ixzv0R7i5rjQi0YE0lf1oeie3bDiNHncmzosRM6SFiPzSvp6h/32xQuZsjcypmwsPSDtTPYcs0+YN/8BRi2/IcrxSpnWEXAMPLEXSDFTAQAM6Dl9zR0tXoybnlrZIwMLlMi1Kcgo5OytwU=",
"Expiration": "2016-03-15T00:05:07Z",
"AccessKeyId": "ASIAJEXAMPLEXEG2JICEA"
}
}
您还必须在 backend.tf 上指定角色 arn:
terraform {
backend "s3" {
bucket = "your_bucket"
key = "your_key"
region = "us-east-1" (or whataver is the one you're using)
role_arn = "arn:aws:iam::<account_id>:role/<role_name>"
}
}
我正在尝试 运行 使用非默认的 aws 凭据配置文件在本地进行 terraform 规划,而我的默认配置文件将不起作用。我还需要在 terraform provider "aws" 中使用 assume_role。我的代码看起来像这样:
provider "aws" {
version = "~> 2.45"
region = "us-east-1"
profile = <profile name>
allowed_account_ids = [<account_id>]
assume_role {
role_arn = "arn:aws:iam::<account id>:role/<role name>"
}
}
我得到的错误是:
Error: The role "arn:aws:iam::<account_id>:role/<role_name>" cannot be assumed.
There are a number of possible causes of this - the most common are:
* The credentials used in order to assume the role are invalid
* The credentials do not have appropriate permission to assume the role
* The role ARN is not valid
有趣的是,当我像这样将 access_key 和 secret_key 放入提供程序时:
provider "aws" {
version = "~> 2.45"
region = "us-east-1"
access_key = <aws access key>
secret_key = <aws secret key>
assume_role {
role_arn = "arn:aws:iam::<account_id>:role/<role_name>"
}
}
terraform 计划运行良好。我已经多次检查我的 aws 凭据文件并且它设置正确,但我不确定为什么 terraform plan 不起作用。
当我在文件中有 access_key 和 secret_key 时,我也尝试删除 provider "aws" 中的 assume_role 参数,并且 terraform plan 工作正常,这意味着我不需要assume_role。但是,如果我在 terraform 文件中使用没有 assume_role 的 aws 凭据的配置文件,我会得到:
Error: error using credentials to get account ID: error calling sts:GetCallerIdentity: SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
status code: 403, request id:
您需要修改 IAM Role 上的 Trust Policy,如下所示
How to use trust policies with IAM roles
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:user/<Your username>"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
更新 IAM Role 上的 Trust Policy 后,您可以通过 assume-role 命令验证这一点
aws sts assume-role --role-arn arn:aws:iam::123456789012:role/xaccounts3access --role-session-name s3-access-example
你会收到类似的东西:
{
"AssumedRoleUser": {
"AssumedRoleId": "AROA3XFRBF535PLBIFPI4:s3-access-example",
"Arn": "arn:aws:sts::123456789012:assumed-role/xaccounts3access/s3-access-example"
},
"Credentials": {
"SecretAccessKey": "9drTJvcXLB89EXAMPLELB8923FB892xMFI",
"SessionToken": "AQoXdzELDDY//////////wEaoAK1wvxJY12r2IrDFT2IvAzTCn3zHoZ7YNtpiQLF0MqZye/qwjzP2iEXAMPLEbw/m3hsj8VBTkPORGvr9jM5sgP+w9IZWZnU+LWhmg+a5fDi2oTGUYcdg9uexQ4mtCHIHfi4citgqZTgco40Yqr4lIlo4V2b2Dyauk0eYFNebHtYlFVgAUj+7Indz3LU0aTWk1WKIjHmmMCIoTkyYp/k7kUG7moeEYKSitwQIi6Gjn+nyzM+PtoA3685ixzv0R7i5rjQi0YE0lf1oeie3bDiNHncmzosRM6SFiPzSvp6h/32xQuZsjcypmwsPSDtTPYcs0+YN/8BRi2/IcrxSpnWEXAMPLEXSDFTAQAM6Dl9zR0tXoybnlrZIwMLlMi1Kcgo5OytwU=",
"Expiration": "2016-03-15T00:05:07Z",
"AccessKeyId": "ASIAJEXAMPLEXEG2JICEA"
}
}
您还必须在 backend.tf 上指定角色 arn:
terraform {
backend "s3" {
bucket = "your_bucket"
key = "your_key"
region = "us-east-1" (or whataver is the one you're using)
role_arn = "arn:aws:iam::<account_id>:role/<role_name>"
}
}