
How do I attach managed IAM policies and inline/custom IAM policies to an IAM role?

Stack Overflow user
Asked on 2020-05-15 21:56:17
4 answers, 5.1K views, 0 followers, 1 vote

I want to attach both managed policies (such as AmazonS3FullAccess) and inline/custom IAM policies (written as JSON in the terraform file) to a single IAM role.

Using aws_iam_role_policy_attachment I can only attach one kind of policy; how do I attach both at the same time?

variables.tf
------------

variable "iam_policy_arn" {
  description = "IAM Policy to be attached to role"
  type        = list(string)
  default     = ["arn:aws:iam::aws:policy/AWSLambdaFullAccess", "arn:aws:iam::aws:policy/AmazonSSMFullAccess", "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess"]
}




main.tf
-------


resource "aws_iam_role" "test_role" {
  name = "test_role"

  assume_role_policy = <<-EOF
{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "Principal":{
        "Service":"ec2.amazonaws.com"
      },
      "Action":"sts:AssumeRole"
    },
    {
      "Effect":"Allow",
      "Principal":{
        "Service":"sagemaker.amazonaws.com",
        "AWS":"*"
      },
      "Action":"sts:AssumeRole"
    }
  ]
}    
  EOF
}
resource "aws_iam_role_policy_attachment" "role_policy_attachment" {
  role       = "${aws_iam_role.test_role.name}"
  count      = "${length(var.iam_policy_arn)}"
  policy_arn = "${element(var.iam_policy_arn,count.index)}"

}

resource "aws_iam_instance_profile" "test_profile" {
  name = "test_profile"
  role = "${aws_iam_role.test_role.name}"
}

Now I want to attach a custom policy like the one below to the role:

resource "aws_iam_role_policy" "test_policy" {
  name = "test_policy"
  role = aws_iam_role.test_role.id

  policy = <<-EOF
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": [
          "ec2:Describe*"
        ],
        "Effect": "Allow",
        "Resource": "*"
      }
    ]
  }
  EOF
}

How do I attach both managed IAM policies and custom IAM policies to the IAM role?

4 answers

Stack Overflow user

Accepted answer

Posted on 2020-05-29 03:04:21

I was able to attach both managed IAM policies and inline/custom IAM policies to an IAM role using the code below.

# variables.tf
variable "cloudwatch_lambda_iam_policy_arn" {
  type        = list(string)
  description = "IAM Policy to be attached to AWS CloudWatch Lambda role"
  default     = ["arn:aws:iam::aws:policy/AmazonEC2FullAccess", "arn:aws:iam::aws:policy/AWSLambdaExecute", "arn:aws:iam::aws:policy/AmazonCloudDirectoryFullAccess", "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"]
}

#------------------------------------------------------------

# lambda.tf
resource "aws_iam_role" "awsmetrics_exec_role" {
  name = "awsmetrics-exec-role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

# custom/inline policy
resource "aws_iam_role_policy" "sts_assumerole_lambda" {
  name = "sts-assumerole-lambda"
  role = aws_iam_role.awsmetrics_exec_role.id

  policy = <<-EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole",
        "sts:DecodeAuthorizationMessage",
        "sts:AssumeRoleWithSAML",
        "sts:AssumeRoleWithWebIdentity"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

# AWS managed policies
resource "aws_iam_role_policy_attachment" "awsmetrics_role_policy_attachment" {
  role       = aws_iam_role.awsmetrics_exec_role.name
  count      = length(var.cloudwatch_lambda_iam_policy_arn)
  policy_arn = element(var.cloudwatch_lambda_iam_policy_arn, count.index)
}
Votes: 1
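As an added example (not the answerer's code), the same combination in Terraform 0.12+ style: the managed policies are attached with for_each instead of count, and the trust and inline policies are generated with the aws_iam_policy_document data source rather than hand-written heredoc JSON. The role name, policy ARNs and actions are placeholders, and the trust policy is deliberately scoped to one service principal instead of the "AWS": "*" principal in the question, which would let any AWS account attempt to assume the role.

```hcl
# Added example (not from the question or answers); names and ARNs are placeholders.

variable "managed_policy_arns" {
  type = list(string)
  default = [
    "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
    "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
  ]
}

# Trust policy: only the Lambda service may assume the role. A principal of
# "AWS": "*" here would let any AWS account attempt to assume it.
data "aws_iam_policy_document" "trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "example" {
  name               = "example-role"
  assume_role_policy = data.aws_iam_policy_document.trust.json
}

# Managed policies: for_each keys each attachment on its ARN, so removing one
# entry from the list does not re-index and re-create the others as count does.
resource "aws_iam_role_policy_attachment" "managed" {
  for_each   = toset(var.managed_policy_arns)
  role       = aws_iam_role.example.name
  policy_arn = each.value
}

# Inline/custom policy built with the policy document data source, so the
# JSON is generated and validated by Terraform instead of typed by hand.
data "aws_iam_policy_document" "inline" {
  statement {
    actions   = ["ec2:DescribeInstances", "ec2:DescribeTags"]
    resources = ["*"] # EC2 Describe* actions do not support resource-level scoping
  }
}

resource "aws_iam_role_policy" "inline" {
  name   = "example-inline"
  role   = aws_iam_role.example.id
  policy = data.aws_iam_policy_document.inline.json
}
```

`terraform plan` will show one attachment per ARN keyed by the ARN itself, which is what makes later additions and removals safe.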

Stack Overflow user

Posted on 2020-05-15 22:18:34

Just pass them in as a variable, or declare them as locals, and then iterate over that variable.

For example:

resource "aws_iam_role_policy_attachment" "attach" {
  count      = length(var.policies)
  role       = aws_iam_role.my_role.name
  # Index the list directly; a bare ${...} is not valid HCL outside a string
  policy_arn = var.policies[count.index]
}

where var.policies is the list of policies, e.g. ["arn:aws:iam::aws:policy/AmazonS3FullAccess", "arn:aws:iam::<your_account>:policy/your_policy"]

Votes: 1

Stack Overflow user

Posted on 2020-05-16 02:36:45

You may need to modify the policy for your needs, but this is what it looks like. You can do the following:

data "template_file" "test_role_template" {
  template = "${file("pathToRoleJson")}"
}

data "template_file" "test_policy_template" {
  template = "${file("pathToPolicyJson")}"
  vars = {
    customParam = "${var.ValueOfParam}"
  }
}

resource "aws_iam_role" "test_role" {
  name               = "roleName"
  # Reference the data source by its declared name (test_role_template)
  assume_role_policy = "${data.template_file.test_role_template.rendered}"
}

#-----------------------------------------
resource "aws_iam_policy" "test_role_policy" {
  name   = "policyName"
  policy = "${data.template_file.test_policy_template.rendered}"
}

# Attach policy to role nat_ec2_role
#-----------------------------------------
resource "aws_iam_role_policy_attachment" "nat_ec2_role_policy-attachment" {
  role       = "${aws_iam_role.test_role.name}"
  policy_arn = "${aws_iam_policy.test_role_policy.arn}"
}

# Role Template File (pathToRoleJson): the trust policy, i.e. who may assume the role
{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "Principal":{
        "Service":"ec2.amazonaws.com"
      },
      "Action":"sts:AssumeRole"
    },
    {
      "Effect":"Allow",
      "Principal":{
        "Service":"sagemaker.amazonaws.com",
        "AWS":"*"
      },
      "Action":"sts:AssumeRole"
    }
  ]
}

# Policy Template File (pathToPolicyJson): the permissions granted to the role
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

resource "aws_iam_instance_profile" "test_profile" {
  name = "test_profile"
  role = "${aws_iam_role.test_role.name}"
}

Hope this helps.

Votes: 1

Page content provided by Stack Overflow; Chinese translation supported by Tencent Cloud's Xiaowei IT-domain engine.
Original link: https://stackoverflow.com/questions/61828988
