【Title】: How to attach multiple IAM roles to instance profile on AWS?
【Posted】: 2021-11-10 12:20:11
【Question】:

I am creating the IAM and EC2 resources with Terraform as shown below.

I want to attach the role named ec2_role to the EC2 instance profile. But it seems that only one role, the one created by aws_iam_instance_profile, can be attached.

resource "aws_instance" "this" {
  # ..
  iam_instance_profile    = aws_iam_instance_profile.this.name
}

resource "aws_iam_instance_profile" "this" {
  name = "ec2-profile"
  role = aws_iam_role.ec2_role.name
}

Regarding ec2_role, it uses ec2_role_policy. But if I set source_json = data.aws_iam_policy.amazon_ssm_managed_instance_core.policy in data "aws_iam_policy_document" "ec2_role_policy" {, it throws an error.

resource "aws_iam_role" "ec2_role" {
  name               = "ec2-role"
  assume_role_policy = data.aws_iam_policy_document.ec2_role_policy.json
}

resource "aws_iam_policy" "ec2_policy" {
  name   = "ec2-policy"
  policy = data.aws_iam_policy_document.ec2_use_role_policy.json
}

resource "aws_iam_role_policy_attachment" "attach" {
  role       = aws_iam_role.ec2_role.name
  policy_arn = aws_iam_policy.ec2_policy.arn
}

data "aws_iam_policy" "amazon_ssm_managed_instance_core" {
  arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

data "aws_iam_policy_document" "ec2_role_policy" {
  source_json = data.aws_iam_policy.amazon_ssm_managed_instance_core.policy

  statement {                                   # Doc A
    effect = "Allow"
    principals {
      identifiers = ["ec2.amazonaws.com"]
      type        = "Service"
    }
    actions = ["sts:AssumeRole"]
  }
}

data "aws_iam_policy_document" "ec2_use_role_policy" {
  statement {
    effect    = "Allow"
    actions   = ["sts:AssumeRole"]
    resources = ["arn:aws:iam::12313113231:role/s3-role"]
  }
}

The error message is:

Error: Error creating IAM Role ec2-role: MalformedPolicyDocument: Has prohibited field Resource
    status code: 400, request id: 1111111-3333-2222-4444-2131331312

  with aws_iam_role.ec2_role,
  on main.tf line 10, in resource "aws_iam_role" "ec2_role":
   10: resource "aws_iam_role" "ec2_role" {

If I remove source_json = data.aws_iam_policy.amazon_ssm_managed_instance_core.policy from ec2_role_policy, it works. But how can I set it together with Doc A?

【Question discussion】:

    Tags: amazon-ec2 terraform amazon-iam terraform-provider-aws


    【Solution 1】:

    As @hars34 mentioned in their answer, an instance profile can only contain one role, but that role can have multiple policies attached to it. However, that is not what you are doing here, and it is not what the error is complaining about.

    Instead, you seem to be confusing a role's assume_role_policy (also known as the "trust policy", which controls which IAM principals are allowed to use the role, e.g. other AWS services, different AWS accounts, etc.) with the role's permissions policy, which states what the role is allowed to do (e.g. read from and write to an S3 bucket).

    In the assume_role_policy/trust policy document you must specify a valid trust policy, which must contain a Principal block and must not contain a Resource block, which is what your error message is complaining about:

    Error: Error creating IAM Role ec2-role: MalformedPolicyDocument: Has prohibited field Resource
        status code: 400, request id: 1111111-3333-2222-4444-2131331312
    

    because you have concatenated the trust policy that allows EC2 instances to assume the role with a permissions policy that looks like this:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ssm:DescribeAssociation",
                    "ssm:GetDeployablePatchSnapshotForInstance",
                    "ssm:GetDocument",
                    "ssm:DescribeDocument",
                    "ssm:GetManifest",
                    "ssm:GetParameter",
                    "ssm:GetParameters",
                    "ssm:ListAssociations",
                    "ssm:ListInstanceAssociations",
                    "ssm:PutInventory",
                    "ssm:PutComplianceItems",
                    "ssm:PutConfigurePackageResult",
                    "ssm:UpdateAssociationStatus",
                    "ssm:UpdateInstanceAssociationStatus",
                    "ssm:UpdateInstanceInformation"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ssmmessages:CreateControlChannel",
                    "ssmmessages:CreateDataChannel",
                    "ssmmessages:OpenControlChannel",
                    "ssmmessages:OpenDataChannel"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ec2messages:AcknowledgeMessage",
                    "ec2messages:DeleteMessage",
                    "ec2messages:FailMessage",
                    "ec2messages:GetEndpoint",
                    "ec2messages:GetMessages",
                    "ec2messages:SendReply"
                ],
                "Resource": "*"
            }
        ]
    }
    

    which contains Resource blocks.

    If you want the role to be able to use the arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore policy and also to be able to assume the arn:aws:iam::12313113231:role/s3-role role (although you could grant the permissions directly to the role instead of using role chaining, and, if this involves cross-account access, use the S3 bucket policy to allow the role), then you should do this:

    resource "aws_iam_role" "ec2_role" {
      name               = "ec2-role"
      assume_role_policy = data.aws_iam_policy_document.ec2_assume_role_policy.json
    }
    
    resource "aws_iam_policy" "ec2_permission_policy" {
      name   = "ec2-policy"
      policy = data.aws_iam_policy_document.ec2_permission_policy.json
    }
    
    resource "aws_iam_role_policy_attachment" "attach" {
      role       = aws_iam_role.ec2_role.name
      policy_arn = aws_iam_policy.ec2_permission_policy.arn
    }
    
    data "aws_iam_policy" "amazon_ssm_managed_instance_core" {
      arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
    }
    
    data "aws_iam_policy_document" "ec2_assume_role_policy" {
      statement {
        effect = "Allow"
        principals {
          identifiers = ["ec2.amazonaws.com"]
          type        = "Service"
        }
        actions = ["sts:AssumeRole"]
      }
    }
    
    data "aws_iam_policy_document" "ec2_permission_policy" {
      source_json = data.aws_iam_policy.amazon_ssm_managed_instance_core.policy
    
      statement {
        effect    = "Allow"
        actions   = ["sts:AssumeRole"]
        resources = ["arn:aws:iam::12313113231:role/s3-role"]
      }
    }
    

    【Discussion】:

    • Thank you very much for your answer. It is now very clear to me. For the instance role, yes, it is used cross-account, and I also want to use arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore. Your code is the best solution.
    【Solution 2】:
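The distinction the accepted answer draws, a trust policy (Principal, no Resource) versus a permissions policy (Resource, no Principal), can be checked locally before Terraform sends a document to IAM. The following is an added example, not code from the question, the answer or the Terraform AWS provider. It builds the broken document from the question (managed-policy statements merged into the trust policy) and the corrected pair from the answer, and reports the same prohibited-field problem that IAM returned. The policy documents are constructed by hand; the AmazonSSMManagedInstanceCore content is abbreviated to a single statement, and `merge_policy` is a hypothetical stand-in for what `source_json` does in an `aws_iam_policy_document` data source.

```python
"""Tell an IAM trust policy apart from a permissions policy and reproduce the
'Has prohibited field Resource' failure offline (added example, not from the page)."""
import json

# Fields that only make sense in a trust policy / only in an identity-based policy.
TRUST_ONLY_FIELDS = {"Principal", "NotPrincipal"}
PERMISSION_ONLY_FIELDS = {"Resource", "NotResource"}

# Constructed, abbreviated stand-in for the AmazonSSMManagedInstanceCore managed policy.
SSM_CORE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ssm:UpdateInstanceInformation"], "Resource": "*"},
    ],
}

# The "Doc A" trust statement from the question, as JSON (constructed).
EC2_TRUST = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"},
    ],
}

# The extra permission statement from the question (role ARN copied from the page).
ASSUME_S3_ROLE = {
    "Effect": "Allow",
    "Action": ["sts:AssumeRole"],
    "Resource": ["arn:aws:iam::12313113231:role/s3-role"],
}


def _statements(doc: dict) -> list:
    """IAM allows Statement to be a single object or a list; normalise to a list."""
    stmts = doc.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def check_trust_policy(doc: dict) -> list:
    """Return problems that would make IAM reject this as an assume-role policy."""
    problems = []
    if doc.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    stmts = _statements(doc)
    if not stmts:
        problems.append("trust policy has no statements")
    for i, stmt in enumerate(stmts):
        for field in sorted(PERMISSION_ONLY_FIELDS & stmt.keys()):
            problems.append(f"statement {i}: prohibited field {field}")
        if not (TRUST_ONLY_FIELDS & stmt.keys()):
            problems.append(f"statement {i}: missing Principal")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(not a.startswith("sts:") for a in actions):
            problems.append(f"statement {i}: non-sts action in trust policy")
    return problems


def check_permissions_policy(doc: dict) -> list:
    """Return problems for an identity-based (role permissions) policy."""
    problems = []
    for i, stmt in enumerate(_statements(doc)):
        for field in sorted(TRUST_ONLY_FIELDS & stmt.keys()):
            problems.append(f"statement {i}: prohibited field {field} in identity-based policy")
        if not (PERMISSION_ONLY_FIELDS & stmt.keys()):
            problems.append(f"statement {i}: missing Resource")
    return problems


def merge_policy(base: dict, extra_statements: list) -> dict:
    """Hypothetical stand-in for source_json: base statements first, then the extras."""
    return {"Version": "2012-10-17", "Statement": _statements(base) + list(extra_statements)}


def broken_trust_policy() -> dict:
    """What the question's ec2_role_policy produced: SSM permissions merged into the trust policy."""
    return merge_policy(SSM_CORE, EC2_TRUST["Statement"])


def fixed_pair() -> tuple:
    """What the answer does: a plain trust policy, and the SSM + AssumeRole permissions separately."""
    return EC2_TRUST, merge_policy(SSM_CORE, [ASSUME_S3_ROLE])


if __name__ == "__main__":
    print("broken trust policy:", check_trust_policy(broken_trust_policy()))
    trust, perms = fixed_pair()
    print("fixed trust policy:", check_trust_policy(trust) or "ok")
    print("fixed permissions policy:", check_permissions_policy(perms) or "ok")
    print(json.dumps(perms, indent=2))
```

Running the script lists "statement 0: prohibited field Resource" for the merged document, which is the field IAM's MalformedPolicyDocument error named, and reports both halves of the corrected pair as clean. The check only catches the structural mix-up; it does not evaluate whether the permissions themselves are appropriately scoped.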

    An instance profile can contain only one IAM role, but a role can be included in multiple instance profiles. The limit of one role per instance profile cannot be increased. You can remove the existing role and then add a different role to the instance profile. Because of eventual consistency, you must wait for the change to propagate across AWS. To force the change, you must disassociate the instance profile and then associate it again, or you can stop the instance and then restart it. See the following documentation for further questions: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html

    【Discussion】:
