【Question title】: How do I attach a managed IAM policy and an inline/custom IAM policy to IAM roles?
【Posted】: 2020-09-01 20:30:47
【Question】:

I want to attach a managed IAM policy ARN (such as AmazonS3FullAccess) and an inline/custom IAM policy (written as JSON in the terraform file) to a single IAM role.

Using aws_iam_role_policy_attachment I can only attach one kind of policy; how do I attach both?

variables.tf
------------

variable "iam_policy_arn" {
  description = "IAM Policy to be attached to role"
  type        = list(string)
  default     = ["arn:aws:iam::aws:policy/AWSLambdaFullAccess", "arn:aws:iam::aws:policy/AmazonSSMFullAccess", "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess"]
}




main.tf
-------


resource "aws_iam_role" "test_role" {
  name = "test_role"

  assume_role_policy = <<-EOF
{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "Principal":{
        "Service":"ec2.amazonaws.com"
      },
      "Action":"sts:AssumeRole"
    },
    {
      "Effect":"Allow",
      "Principal":{
        "Service":"sagemaker.amazonaws.com",
        "AWS":"*"
      },
      "Action":"sts:AssumeRole"
    }
  ]
}    
  EOF
}
resource "aws_iam_role_policy_attachment" "role_policy_attachment" {
  role       = "${aws_iam_role.test_role.name}"
  count      = "${length(var.iam_policy_arn)}"
  policy_arn = "${element(var.iam_policy_arn,count.index)}"

}

resource "aws_iam_instance_profile" "test_profile" {
  name = "test_profile"
  role = "${aws_iam_role.test_role.name}"
}

Now I want to attach a custom policy to the role, like this:

resource "aws_iam_role_policy" "test_policy" {
  name = "test_policy"
  role = aws_iam_role.test_role.id

  policy = <<-EOF
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": [
          "ec2:Describe*"
        ],
        "Effect": "Allow",
        "Resource": "*"
      }
    ]
  }
  EOF
}

How do I attach both a managed IAM policy and a custom IAM policy to an IAM role?

【Question comments】:

  • Could you share the code you have so far and any errors you are getting? Why are you trying to add the extra policy?
  • Please check the updated code @Marcin
  • You can define multiple actions in your policy's Action block. Is that what you are after?
  • I want to attach test_policy to test_role using aws_iam_role_policy_attachment
  • You can create a separate template file for your policy and then add both actions to that file. Have a look at this medium.com/@mitesh_shamra/…

Tags: terraform terraform-provider-aws


【Solution 1】:

Just pass them in as a variable or declare them as locals, then iterate over that variable.

For example:

resource "aws_iam_role_policy_attachment" "attach" {
  count      = length(var.policies)
  role       = aws_iam_role.my_role.name
  policy_arn = var.policies[count.index]
}

where var.policies is a list of policy ARNs such as ["arn:aws:iam::aws:policy/AmazonS3FullAccess", "arn:aws:iam::<your_account>:policy/your_policy"]

【Discussion】:

  • I want to add the custom policy as JSON inside terraform itself, e.g. resource "aws_iam_role_policy" "test_policy" { name = "test_policy" role = aws_iam_role.test_role.id policy = <<-EOF { "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:Describe*" ], "Effect": "Allow", "Resource": "*" } ] } EOF }
【Solution 2】:

I was able to attach both a managed IAM policy and an inline/custom IAM policy to an IAM role with the following code.

# variables.tf
variable "cloudwatch_lambda_iam_policy_arn" {
  type        = list(string)
  description = "IAM Policy to be attached to AWS CloudWatch Lambda role"
  default     = ["arn:aws:iam::aws:policy/AmazonEC2FullAccess", "arn:aws:iam::aws:policy/AWSLambdaExecute", "arn:aws:iam::aws:policy/AmazonCloudDirectoryFullAccess", "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"]
}

#------------------------------------------------------------

# lambda.tf
resource "aws_iam_role" "awsmetrics_exec_role" {
  name = "awsmetrics-exec-role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

# custom/inline policy
resource "aws_iam_role_policy" "sts_assumerole_lambda" {
  name = "sts-assumerole-lambda"
  role = aws_iam_role.awsmetrics_exec_role.id

  policy = <<-EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole",
        "sts:DecodeAuthorizationMessage",
        "sts:AssumeRoleWithSAML",
        "sts:AssumeRoleWithWebIdentity"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

# AWS managed policies
resource "aws_iam_role_policy_attachment" "awsmetrics_role_policy_attachment" {
  role       = aws_iam_role.awsmetrics_exec_role.name
  count      = length(var.cloudwatch_lambda_iam_policy_arn)
  policy_arn = element(var.cloudwatch_lambda_iam_policy_arn, count.index)
}

【Discussion】:
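Added example, not part of Solution 2 or any other answer on this page: the same Lambda role, with the managed policies attached via for_each and the inline sts policy scoped to named target roles instead of Resource "*". Solution 2's inline statement lets the function assume any role in any account whose trust policy permits it; sts:AssumeRoleWithSAML and sts:AssumeRoleWithWebIdentity are left out because they are unsigned calls that need no IAM permission. The variable names, the policy ARNs in the defaults and the target role ARN arn:aws:iam::123456789012:role/metrics-reader are assumptions for illustration.

```hcl
# Added example (not from the original question or answers): one role that
# receives AWS-managed policies via for_each plus a scoped inline policy.
# Assumed names: lambda_exec, var.managed_policy_arns, var.assumable_role_arns.

variable "managed_policy_arns" {
  description = "AWS-managed policy ARNs to attach to the role"
  type        = set(string)
  default = [
    "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
    "arn:aws:iam::aws:policy/AWSLambdaExecute",
  ]
}

variable "assumable_role_arns" {
  description = "Roles this function may assume (assumption: replace with real target role ARNs)"
  type        = list(string)
  default     = ["arn:aws:iam::123456789012:role/metrics-reader"]
}

# Trust policy: only the Lambda service may assume this role.
data "aws_iam_policy_document" "lambda_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "lambda_exec" {
  name               = "awsmetrics-exec-role"
  assume_role_policy = data.aws_iam_policy_document.lambda_trust.json
}

# Managed policies: for_each over a set keyed by ARN, so adding or removing
# one ARN only creates or destroys that one attachment (count would renumber
# the remaining attachments and recreate them).
resource "aws_iam_role_policy_attachment" "managed" {
  for_each   = var.managed_policy_arns
  role       = aws_iam_role.lambda_exec.name
  policy_arn = each.value
}

# Inline policy: sts:AssumeRole limited to the listed target roles.
data "aws_iam_policy_document" "assume_targets" {
  statement {
    sid       = "AssumeOnlyListedRoles"
    effect    = "Allow"
    actions   = ["sts:AssumeRole"]
    resources = var.assumable_role_arns
  }

  statement {
    sid       = "DecodeAuthz"
    effect    = "Allow"
    actions   = ["sts:DecodeAuthorizationMessage"]
    resources = ["*"] # this action does not support resource-level permissions
  }
}

resource "aws_iam_role_policy" "assume_targets" {
  name   = "sts-assumerole-lambda"
  role   = aws_iam_role.lambda_exec.id
  policy = data.aws_iam_policy_document.assume_targets.json
}
```

Because the target role's own trust policy must also name this role (or its account), scoping the resources here is the half of the control that this account can enforce on its own; the target account enforces the other half.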

【Solution 3】:

You may need to modify the policy to your needs, but this is what it looks like. You can do the following:

# template_file comes from the hashicorp/template provider, which is archived;
# Terraform's built-in templatefile() function is the current equivalent.
data "template_file" "test_role_template" {
  template = file("pathToRoleJson")
}

data "template_file" "test_policy_template" {
  template = file("pathToPolicyJson")
  vars = {
    customParam = var.ValueOfParam
  }
}

resource "aws_iam_role" "test_role" {
  name               = "roleName"
  assume_role_policy = data.template_file.test_role_template.rendered
}

#-----------------------------------------
resource "aws_iam_policy" "test_role_policy" {
  name   = "policyName"
  policy = data.template_file.test_policy_template.rendered
}

# Attach the customer-managed policy to test_role
#-----------------------------------------
resource "aws_iam_role_policy_attachment" "test_role_policy_attachment" {
  role       = aws_iam_role.test_role.name
  policy_arn = aws_iam_policy.test_role_policy.arn
}

# Role Template File (pathToRoleJson): the trust policy
{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "Principal":{
        "Service":"ec2.amazonaws.com"
      },
      "Action":"sts:AssumeRole"
    },
    {
      "Effect":"Allow",
      "Principal":{
        "Service":"sagemaker.amazonaws.com",
        "AWS":"*"
      },
      "Action":"sts:AssumeRole"
    }
  ]
}

# Policy Template File (pathToPolicyJson): the permissions policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

resource "aws_iam_instance_profile" "test_profile" {
  name = "test_profile"
  role = aws_iam_role.test_role.name
}

Hope this helps.

【Discussion】:
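Added example, not from Solution 3: the same file-based layout using Terraform's built-in templatefile() function in place of the template_file data source (the hashicorp/template provider that supplies template_file is archived, and templatefile() is its documented replacement). The file names trust_policy.json.tpl and permissions.json.tpl, the variable bucket_arn and the example bucket ARN are assumptions; the template contents are shown as comments at the end of the block because they live in separate files next to the module.

```hcl
# Added example (not from the original answer): templatefile() instead of the
# template_file data source. Assumed files: trust_policy.json.tpl and
# permissions.json.tpl in the module directory; assumed var.bucket_arn.

variable "bucket_arn" {
  description = "Bucket the role may read (assumption for the example)"
  type        = string
  default     = "arn:aws:s3:::example-bucket"
}

resource "aws_iam_role" "test_role" {
  name = "test_role"
  # The trust policy template has no placeholders, so the vars map is empty.
  assume_role_policy = templatefile("${path.module}/trust_policy.json.tpl", {})
}

# Customer-managed policy rendered from the template with bucket_arn filled in.
resource "aws_iam_policy" "test_role_policy" {
  name = "test_role_policy"
  policy = templatefile("${path.module}/permissions.json.tpl", {
    bucket_arn = var.bucket_arn
  })
}

resource "aws_iam_role_policy_attachment" "test_role_policy" {
  role       = aws_iam_role.test_role.name
  policy_arn = aws_iam_policy.test_role_policy.arn
}

resource "aws_iam_instance_profile" "test_profile" {
  name = "test_profile"
  role = aws_iam_role.test_role.name
}

# trust_policy.json.tpl (assumed contents; service principals only):
# {
#   "Version": "2012-10-17",
#   "Statement": [
#     {
#       "Effect": "Allow",
#       "Principal": { "Service": ["ec2.amazonaws.com", "sagemaker.amazonaws.com"] },
#       "Action": "sts:AssumeRole"
#     }
#   ]
# }
#
# permissions.json.tpl (assumed contents; ${bucket_arn} is substituted by templatefile):
# {
#   "Version": "2012-10-17",
#   "Statement": [
#     { "Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": "${bucket_arn}" },
#     { "Effect": "Allow", "Action": ["s3:GetObject"],  "Resource": "${bucket_arn}/*" }
#   ]
# }
```

Keeping the bucket ARN as a template variable rather than a literal in the file lets the same permissions template be reused per environment while the rendered policy still names one bucket and nothing wider.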

【Solution 4】:

You can add an inline policy with the JSON embedded, like this:

resource "aws_iam_role_policy" "test_policy" {
  name = "test_policy"
  role = aws_iam_role.test_role.id

  policy = <<-EOF
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": [
          "ec2:Describe*"
        ],
        "Effect": "Allow",
        "Resource": "*"
      }
    ]
  }
  EOF
}

Or you can use aws_iam_policy_document to get better error checking in an IDE such as IntelliJ IDEA:

resource "aws_iam_role_policy" "policy" {
  name = "test-policy"
  role = aws_iam_role.test_role.id

  # aws_iam_role_policy has no description argument; the rendered document
  # is exposed through the data source's .json attribute.
  policy = data.aws_iam_policy_document.allow_ec2_describe.json
}

data "aws_iam_policy_document" "allow_ec2_describe" {
  version = "2012-10-17"

  statement {
    actions = [
      "ec2:Describe*",
    ]
    effect = "Allow"
    resources = [
      "*",
    ]
  }
}

Side note: you can attach Amazon managed policies more cleanly with an aws_iam_role_policy_attachment resource using for_each, like this:

resource "aws_iam_role_policy_attachment" "managed_policy_attachments" {
  # keyed by ARN, so each.key and each.value are both the policy ARN
  for_each   = { for arn in var.iam_policy_arns : arn => arn }
  role       = aws_iam_role.test_role.name
  policy_arn = each.value
}

Side note: you can also use aws_iam_policy_document for a cleaner assume_role_policy setup:

resource "aws_iam_role" "test_role" {
  name = "test_role"

  assume_role_policy = data.aws_iam_policy_document.allow_ec2_and_sagemaker.json
}

data "aws_iam_policy_document" "allow_ec2_and_sagemaker" {
  version = "2012-10-17"

  statement {
    sid    = "AllowEC2AndSageMaker"
    effect = "Allow"

    actions = [
      "sts:AssumeRole",
    ]

    principals {
      type = "Service"
      identifiers = [
        "ec2.amazonaws.com",
        "sagemaker.amazonaws.com",
      ]
    }
  }
}

【Discussion】:
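Added example, not from the question or any answer: the trust policy in the question places "AWS": "*" next to the sagemaker service principal, which lets any IAM principal in any AWS account call sts:AssumeRole on test_role, subject only to that caller's own identity policy. The block below expresses the trust policy as an aws_iam_policy_document with the two service principals only and, for the cross-account case a wildcard is usually meant to cover, a single explicit account plus an ExternalId condition; it then attaches one AWS-managed and one customer-managed policy through a single for_each map. The account ID 123456789012, the ExternalId value, the label keys in the map and AmazonSSMManagedInstanceCore as the chosen managed policy are assumptions.

```hcl
# Added example (not from the original page): a trust policy without the
# "AWS": "*" principal, plus AWS-managed and customer-managed policies
# attached through one for_each map. Account ID and ExternalId are assumed.

variable "trusted_account_id" {
  type    = string
  default = "123456789012" # assumption: the one account allowed to assume the role
}

variable "external_id" {
  type      = string
  default   = "example-external-id" # assumption; share only with the trusted party
  sensitive = true
}

data "aws_iam_policy_document" "trust" {
  # Service principals the role is actually for.
  statement {
    sid     = "ServiceTrust"
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com", "sagemaker.amazonaws.com"]
    }
  }

  # Cross-account access: one explicit account, and only when the caller
  # presents the agreed ExternalId (the confused-deputy mitigation).
  statement {
    sid     = "CrossAccountTrust"
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.trusted_account_id}:root"]
    }
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [var.external_id]
    }
  }
}

resource "aws_iam_role" "test_role" {
  name               = "test_role"
  assume_role_policy = data.aws_iam_policy_document.trust.json
}

# Customer-managed policy built from a document so it can be reviewed as one
# object and reused by other roles.
data "aws_iam_policy_document" "ec2_describe" {
  statement {
    effect    = "Allow"
    actions   = ["ec2:Describe*"]
    resources = ["*"] # most ec2:Describe* actions do not support resource-level permissions
  }
}

resource "aws_iam_policy" "ec2_describe" {
  name   = "test_policy"
  policy = data.aws_iam_policy_document.ec2_describe.json
}

# AWS-managed and customer-managed ARNs in one map, keyed by a stable label
# (assumed names) rather than by ARN, so renaming a policy does not churn
# every attachment.
locals {
  role_policies = {
    ssm_core     = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
    ec2_describe = aws_iam_policy.ec2_describe.arn
  }
}

resource "aws_iam_role_policy_attachment" "all" {
  for_each   = local.role_policies
  role       = aws_iam_role.test_role.name
  policy_arn = each.value
}
```

for_each only needs the map keys at plan time, so a value such as aws_iam_policy.ec2_describe.arn that is unknown until apply is fine here; a map keyed by the ARNs themselves would fail to plan on the first run.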
