如何将多个 IAM 角色附加到 AWS 上的实例配置文件?
How to attach multiple IAM roles to instance profile on AWS?
我正在使用 Terraform 创建 IAM 和 EC2,如下所示。
我想将名为 ec2_role 的角色附加到 EC2 实例配置文件。但它似乎只能附加一个由 aws_iam_instance_profile.
创建的
resource "aws_instance" "this" {
# ..
iam_instance_profile = aws_iam_instance_profile.this.name
}
resource "aws_iam_instance_profile" "this" {
name = "ec2-profile"
role = aws_iam_role.ec2_role.name
}
关于ec2_role,它使用了一个ec2_role_policy。但是如果我将 source_json = data.aws_iam_policy.amazon_ssm_managed_instance_core.policy 设置为 data "aws_iam_policy_document" "ec2_role_policy" {,它会抛出一个错误。
resource "aws_iam_role" "ec2_role" {
name = "ec2-role"
assume_role_policy = data.aws_iam_policy_document.ec2_role_policy.json
}
resource "aws_iam_policy" "ec2_policy" {
name = "ec2-policy"
policy = data.aws_iam_policy_document.ec2_use_role_policy.json
}
resource "aws_iam_role_policy_attachment" "attach" {
role = aws_iam_role.ec2_role.name
policy_arn = aws_iam_policy.ec2_policy.arn
}
data "aws_iam_policy" "amazon_ssm_managed_instance_core" {
arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}
data "aws_iam_policy_document" "ec2_role_policy" {
source_json = data.aws_iam_policy.amazon_ssm_managed_instance_core.policy
statement { # Doc A
effect = "Allow"
principals {
identifiers = ["ec2.amazonaws.com"]
type = "Service"
}
actions = ["sts:AssumeRole"]
}
}
data "aws_iam_policy_document" "ec2_use_role_policy" {
statement {
effect = "Allow"
actions = ["sts:AssumeRole"]
resources = ["arn:aws:iam::12313113231:role/s3-role"]
}
}
错误信息是:
Error: Error creating IAM Role ec2-role: MalformedPolicyDocument: Has prohibited field Resource
status code: 400, request id: 1111111-3333-2222-4444-2131331312
with aws_iam_role.ec2_role,
on main.tf line 10, in resource "aws_iam_role" "ec2_role":
10: resource "aws_iam_role" "ec2_role" {
如果我从 ec2_role_policy 中删除 source_json = data.aws_iam_policy.amazon_ssm_managed_instance_core.policy,它会起作用。但是怎么和Doc A一起设置呢?
一个实例配置文件只能包含一个 IAM 角色,尽管一个角色可以包含在多个实例配置文件中。不能增加每个实例配置文件一个角色的限制。您可以删除现有角色,然后将不同的角色添加到实例配置文件。由于最终一致性,您必须等待更改出现在整个 AWS 中。要强制更改,您必须取消关联实例配置文件然后关联实例配置文件,或者您可以停止实例然后重新启动 it.Please 请参阅以下文档以进行进一步查询,
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html
如@hars34 ,一个实例配置文件只能包含一个角色,但该角色可以附加多个策略。但这不是您在那里所做的,也不是错误所抱怨的。
相反,对于允许角色执行的操作(例如读取和写入 S3 存储桶),您似乎与 assume_role_policy (also known as a "trust policy", this controls what IAM principals are allowed to use the role such as other AWS services or different AWS accounts etc) of a role and the role's permissions policy 混淆了。
在 assume_role_policy/trust 策略文档中,您必须指定一个有效的信任策略,该策略必须包含 Principal 块并且不能包含 Resource 块,这就是您的错误消息抱怨:
Error: Error creating IAM Role ec2-role: MalformedPolicyDocument: Has prohibited field Resource
status code: 400, request id: 1111111-3333-2222-4444-2131331312
因为您已将允许 EC2 实例承担角色的信任策略与如下所示的权限策略串联:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:DescribeAssociation",
"ssm:GetDeployablePatchSnapshotForInstance",
"ssm:GetDocument",
"ssm:DescribeDocument",
"ssm:GetManifest",
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:ListAssociations",
"ssm:ListInstanceAssociations",
"ssm:PutInventory",
"ssm:PutComplianceItems",
"ssm:PutConfigurePackageResult",
"ssm:UpdateAssociationStatus",
"ssm:UpdateInstanceAssociationStatus",
"ssm:UpdateInstanceInformation"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ssmmessages:CreateControlChannel",
"ssmmessages:CreateDataChannel",
"ssmmessages:OpenControlChannel",
"ssmmessages:OpenDataChannel"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2messages:AcknowledgeMessage",
"ec2messages:DeleteMessage",
"ec2messages:FailMessage",
"ec2messages:GetEndpoint",
"ec2messages:GetMessages",
"ec2messages:SendReply"
],
"Resource": "*"
}
]
}
其中包含 Resource 个块。
如果你希望角色能够使用arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore策略并且能够承担arn:aws:iam::12313113231:role/s3-role角色(虽然直接给角色权限会更正常而不是使用角色链,如果这涉及跨账户访问,则使用 the S3 bucket policy 来允许该角色)那么你应该这样做:
resource "aws_iam_role" "ec2_role" {
name = "ec2-role"
assume_role_policy = data.aws_iam_policy_document.ec2_assume_role_policy.json
}
resource "aws_iam_policy" "ec2_permission_policy" {
name = "ec2-policy"
policy = data.aws_iam_policy_document.ec2_permission_policy.json
}
resource "aws_iam_role_policy_attachment" "attach" {
role = aws_iam_role.ec2_role.name
policy_arn = aws_iam_policy.ec2_permission_policy.arn
}
data "aws_iam_policy" "amazon_ssm_managed_instance_core" {
arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}
data "aws_iam_policy_document" "ec2_assume_role_policy" {
statement {
effect = "Allow"
principals {
identifiers = ["ec2.amazonaws.com"]
type = "Service"
}
actions = ["sts:AssumeRole"]
}
}
data "aws_iam_policy_document" "ec2_permission_policy" {
source_json = data.aws_iam_policy.amazon_ssm_managed_instance_core.policy
statement {
effect = "Allow"
actions = ["sts:AssumeRole"]
resources = ["arn:aws:iam::12313113231:role/s3-role"]
}
}
我正在使用 Terraform 创建 IAM 和 EC2,如下所示。
我想将名为 ec2_role 的角色附加到 EC2 实例配置文件。但它似乎只能附加一个由 aws_iam_instance_profile.
resource "aws_instance" "this" {
# ..
iam_instance_profile = aws_iam_instance_profile.this.name
}
resource "aws_iam_instance_profile" "this" {
name = "ec2-profile"
role = aws_iam_role.ec2_role.name
}
关于ec2_role,它使用了一个ec2_role_policy。但是如果我将 source_json = data.aws_iam_policy.amazon_ssm_managed_instance_core.policy 设置为 data "aws_iam_policy_document" "ec2_role_policy" {,它会抛出一个错误。
resource "aws_iam_role" "ec2_role" {
name = "ec2-role"
assume_role_policy = data.aws_iam_policy_document.ec2_role_policy.json
}
resource "aws_iam_policy" "ec2_policy" {
name = "ec2-policy"
policy = data.aws_iam_policy_document.ec2_use_role_policy.json
}
resource "aws_iam_role_policy_attachment" "attach" {
role = aws_iam_role.ec2_role.name
policy_arn = aws_iam_policy.ec2_policy.arn
}
data "aws_iam_policy" "amazon_ssm_managed_instance_core" {
arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}
data "aws_iam_policy_document" "ec2_role_policy" {
source_json = data.aws_iam_policy.amazon_ssm_managed_instance_core.policy
statement { # Doc A
effect = "Allow"
principals {
identifiers = ["ec2.amazonaws.com"]
type = "Service"
}
actions = ["sts:AssumeRole"]
}
}
data "aws_iam_policy_document" "ec2_use_role_policy" {
statement {
effect = "Allow"
actions = ["sts:AssumeRole"]
resources = ["arn:aws:iam::12313113231:role/s3-role"]
}
}
错误信息是:
Error: Error creating IAM Role ec2-role: MalformedPolicyDocument: Has prohibited field Resource
status code: 400, request id: 1111111-3333-2222-4444-2131331312
with aws_iam_role.ec2_role,
on main.tf line 10, in resource "aws_iam_role" "ec2_role":
10: resource "aws_iam_role" "ec2_role" {
如果我从 ec2_role_policy 中删除 source_json = data.aws_iam_policy.amazon_ssm_managed_instance_core.policy,它会起作用。但是怎么和Doc A一起设置呢?
一个实例配置文件只能包含一个 IAM 角色,尽管一个角色可以包含在多个实例配置文件中。不能增加每个实例配置文件一个角色的限制。您可以删除现有角色,然后将不同的角色添加到实例配置文件。由于最终一致性,您必须等待更改出现在整个 AWS 中。要强制更改,您必须取消关联实例配置文件然后关联实例配置文件,或者您可以停止实例然后重新启动 it.Please 请参阅以下文档以进行进一步查询, https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html
如@hars34
相反,对于允许角色执行的操作(例如读取和写入 S3 存储桶),您似乎与 assume_role_policy (also known as a "trust policy", this controls what IAM principals are allowed to use the role such as other AWS services or different AWS accounts etc) of a role and the role's permissions policy 混淆了。
在 assume_role_policy/trust 策略文档中,您必须指定一个有效的信任策略,该策略必须包含 Principal 块并且不能包含 Resource 块,这就是您的错误消息抱怨:
Error: Error creating IAM Role ec2-role: MalformedPolicyDocument: Has prohibited field Resource
status code: 400, request id: 1111111-3333-2222-4444-2131331312
因为您已将允许 EC2 实例承担角色的信任策略与如下所示的权限策略串联:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:DescribeAssociation",
"ssm:GetDeployablePatchSnapshotForInstance",
"ssm:GetDocument",
"ssm:DescribeDocument",
"ssm:GetManifest",
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:ListAssociations",
"ssm:ListInstanceAssociations",
"ssm:PutInventory",
"ssm:PutComplianceItems",
"ssm:PutConfigurePackageResult",
"ssm:UpdateAssociationStatus",
"ssm:UpdateInstanceAssociationStatus",
"ssm:UpdateInstanceInformation"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ssmmessages:CreateControlChannel",
"ssmmessages:CreateDataChannel",
"ssmmessages:OpenControlChannel",
"ssmmessages:OpenDataChannel"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2messages:AcknowledgeMessage",
"ec2messages:DeleteMessage",
"ec2messages:FailMessage",
"ec2messages:GetEndpoint",
"ec2messages:GetMessages",
"ec2messages:SendReply"
],
"Resource": "*"
}
]
}
其中包含 Resource 个块。
如果你希望角色能够使用arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore策略并且能够承担arn:aws:iam::12313113231:role/s3-role角色(虽然直接给角色权限会更正常而不是使用角色链,如果这涉及跨账户访问,则使用 the S3 bucket policy 来允许该角色)那么你应该这样做:
resource "aws_iam_role" "ec2_role" {
name = "ec2-role"
assume_role_policy = data.aws_iam_policy_document.ec2_assume_role_policy.json
}
resource "aws_iam_policy" "ec2_permission_policy" {
name = "ec2-policy"
policy = data.aws_iam_policy_document.ec2_permission_policy.json
}
resource "aws_iam_role_policy_attachment" "attach" {
role = aws_iam_role.ec2_role.name
policy_arn = aws_iam_policy.ec2_permission_policy.arn
}
data "aws_iam_policy" "amazon_ssm_managed_instance_core" {
arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}
data "aws_iam_policy_document" "ec2_assume_role_policy" {
statement {
effect = "Allow"
principals {
identifiers = ["ec2.amazonaws.com"]
type = "Service"
}
actions = ["sts:AssumeRole"]
}
}
data "aws_iam_policy_document" "ec2_permission_policy" {
source_json = data.aws_iam_policy.amazon_ssm_managed_instance_core.policy
statement {
effect = "Allow"
actions = ["sts:AssumeRole"]
resources = ["arn:aws:iam::12313113231:role/s3-role"]
}
}