无法使用 terraform 创建 Amazon S3 访问策略

Question

我正在尝试创建以下策略，以向我的一个任务定义 (ECS) 授予对 Amazon S3 的完全访问权限。这是我正在使用的 terraform 代码：​​

data "aws_iam_policy_document" "inline_policy_s3" {
  version = "2012-10-17"
  statement {
    sid       = ""
    actions   = ["sts:AssumeRole", "s3:*"]
    effect    = "Allow"
    resources = ["*"]

    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "task_role" {
  name               = "ecs_service_task_role"
  assume_role_policy = data.aws_iam_policy_document.inline_policy_s3.json
}

问题是我在运行terraform apply 时收到此错误：

╷
│ Error: Error creating IAM Role ecs_service_task_role: MalformedPolicyDocument: Has prohibited field Resource
│       status code: 400, request id: 25afe8f8-cc66-4533-8f66-9a1f2aeb656b
│ 
│   with module.service.aws_iam_role.task_role,
│   on service/task_role_policy.tf line 16, in resource "aws_iam_role" "task_role":
│   16: resource "aws_iam_role" "task_role" {
│ 
╵

我已尝试更改策略的某些属性，但找不到问题。知道发生了什么吗？

Answer 1

推力策略没有resources和不能拥有除sts:AssumeRole之外的任何其他权限。所以应该是：

data "aws_iam_policy_document" "inline_policy_s3" {
  version = "2012-10-17"
  statement {
    sid       = ""
    actions   = ["sts:AssumeRole"]
    effect    = "Allow"

    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

对于您的 s3 权限，您需要通过例如inline_policy 创建它们。