Terraform aws 错误创建 IAM 角色 ecs_task_execution_role: MalformedPolicyDocument: 已禁止字段资源

Question

我使用 terraform 通过 fargate 部署容器。

我遇到了一个错误：

error: Error creating IAM Role ecs_task_execution_role: MalformedPolicyDocument: Has prohibited field Resource
        status code: 400, request id: 351d657b-32ef-4ffa-a1e8-bee912e5c788

  on ecs.tf line 74, in resource "aws_iam_role" "ecs_execution_role":
  74: resource "aws_iam_role" "ecs_execution_role" {

我的地形设置：

resource "aws_ecs_task_definition" "nginx" {
  family = "nginx-${var.app}"

  network_mode             = "awsvpc"
  requires_compatibilities = ["FARGATE"]

  cpu    = "256"
  memory = "512"

  execution_role_arn = "${aws_iam_role.ecs_execution_role.arn}"
  task_role_arn      = "${aws_iam_role.ecs_execution_role.arn}"

  container_definitions = <<DEFINITION
  [
 ...
}

resource "aws_iam_role" "ecs_execution_role" {
  name = "ecs_task_execution_role"
 
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
        "Effect": "Allow",
        "Principal": {
         "Service": "ecs-tasks.amazonaws.com"
        },
        "Action": [
          "sts:AssumeRole",
          "ecs:CreateCluster",
          "ecs:DeregisterContainerInstance",
          "ecs:DiscoverPollEndpoint",
          "ecs:Poll",
          "ecs:RegisterContainerInstance",
          "ecs:StartTelemetrySession",
          "ecs:Submit*",
          "ecs:StartTask",
          "ecr:GetAuthorizationToken",
          "ecr:BatchCheckLayerAvailability",
          "ecr:GetDownloadUrlForLayer",
          "ecr:BatchGetImage",
          "logs:CreateLogStream",
          "logs:PutLogEvents"
        ],
        "Resource": "*"
    }    
  ]
}
EOF

}

我需要什么政策？现行政策有什么问题？

当我将策略中的操作属性更改为 "Action": "sts:AssumeRole" 时，我在任务日志中收到此错误：

Status reason   CannotPullECRContainerError: AccessDeniedException: User: arn:aws:sts::993934193145:assumed-role/ecs_task_execution_role/0d2f817c-d7b5-4221-afb8-56baaee68b0e is not authorized to perform: ecr:GetAuthorizationToken on resource: * status code: 400, request

Answer 1

aws_iam_role中的assume_role_policy仅用于信任关系，即哪个IAM实体可以担任角色。

您想要添加到角色的实际权限，可以放在aws_iam_policy 并使用aws_iam_role_policy_attachment 附加到角色。

例如，您的代码可以重构为以下内容：

resource "aws_iam_role" "ecs_execution_role" {
  name = "ecs_task_execution_role"
 
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
        "Effect": "Allow",
        "Principal": {
         "Service": "ecs-tasks.amazonaws.com"
        },
        "Action": "sts:AssumeRole"
    }    
  ]
}
EOF
}

resource "aws_iam_policy" "ecs_permissions" {
  name        = "my_ecs_permissions"
  description = "Permissions to enable CT"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "ecs:CreateCluster",
        "ecs:DeregisterContainerInstance",
        "ecs:DiscoverPollEndpoint",
        "ecs:Poll",
        "ecs:RegisterContainerInstance",
        "ecs:StartTelemetrySession",
        "ecs:Submit*",
        "ecs:StartTask",
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    }    
  ]
}
EOF
}


resource "aws_iam_role_policy_attachment" "ecs_attachment" {
  role       = aws_iam_role.ecs_execution_role.name
  policy_arn = aws_iam_policy.ecs_permissions.arn
}

Answer 2

这实际上取决于包含信任策略和权限的assume_role_policy

相反，您应该将所有不信任策略权限移至标准 policy

此假设角色策略与标准 IAM 策略非常相似但略有不同，并且不能使用 aws_iam_policy 资源。但是，它可以使用 aws_iam_policy_document 数据源，请参阅下面的示例以了解其工作原理。