
Firehose is unable to assume role error on Terraform

Stack Overflow user
Asked 2020-04-01 21:45:23
Answers: 1 | Views: 620 | Followers: 0 | Votes: 0

When I try to create a Kinesis Firehose delivery stream in Terraform, I keep getting this error:

Error: error creating Kinesis Firehose Delivery Stream: InvalidArgumentException: Firehose is unable to assume role arn:aws:iam::173115710334:role/XXX_kinesis_role. Please check the role provided.

The relevant Terraform code looks like this:

resource "aws_iam_role" "kinesis_role" {
  name = "XXX_kinesis_role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "kinesis.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

resource "aws_kinesis_firehose_delivery_stream" "log_stream_firehose" {
  name        = "log_stream_firehose"
  destination = "extended_s3"

  kinesis_source_configuration {
    kinesis_stream_arn = aws_kinesis_stream.log_stream.arn
    role_arn           = aws_iam_role.kinesis_role.arn
  }

  extended_s3_configuration {
    role_arn        = aws_iam_role.firehose_role.arn
    bucket_arn      = aws_s3_bucket.messages_bucket.arn
    prefix          = "log_table/"
    buffer_size     = 64
    buffer_interval = 60

    data_format_conversion_configuration {
      input_format_configuration {
        deserializer {
          open_x_json_ser_de {}
        }
      }

      output_format_configuration {
        serializer {
          parquet_ser_de {}
        }
      }

      schema_configuration {
        database_name = "default"
        role_arn      = aws_iam_role.glue_role.arn
        table_name    = aws_glue_catalog_table.glue_log_table.name
      }
    }
  }
}

I don't know where the problem is. What am I missing here?

Update: the full output from Terraform:

aws_iam_policy.ecoplant_policy: Creating...
aws_iam_role.glue_role: Creating...
aws_kinesis_stream.self_ping_stream: Creating...
aws_iam_role.firehose_role: Creating...
aws_kinesis_stream.sample_stream: Creating...
aws_kinesis_stream.main_stream: Creating...
aws_iam_role.kinesis_role: Creating...
aws_kinesis_stream.log_stream: Creating...
aws_kinesis_stream.status_stream: Creating...
aws_s3_bucket.messages_bucket: Creating...
aws_iam_role.kinesis_role: Creation complete after 1s [id=ecoplant_kinesis_role]
aws_iam_role.firehose_role: Creation complete after 1s [id=ecoplant_firehose_role]
aws_iam_role.glue_role: Creation complete after 1s [id=ecoplant_glue_role]
aws_iam_policy.ecoplant_policy: Creation complete after 2s [id=arn:aws:iam::173115710334:policy/ecoplant-policy]
aws_iam_role_policy_attachment.attachment: Creating...
aws_iam_role_policy_attachment.attachment: Creation complete after 2s [id=ecoplant_kinesis_role-20200401150055588200000001]
aws_kinesis_stream.self_ping_stream: Still creating... [10s elapsed]
aws_kinesis_stream.sample_stream: Still creating... [10s elapsed]
aws_kinesis_stream.main_stream: Still creating... [10s elapsed]
aws_kinesis_stream.log_stream: Still creating... [10s elapsed]
aws_kinesis_stream.status_stream: Still creating... [10s elapsed]
aws_s3_bucket.messages_bucket: Still creating... [10s elapsed]
aws_s3_bucket.messages_bucket: Creation complete after 16s [id=ecoplant-messages-test-bucket]
aws_glue_catalog_table.glue_status_table: Creating...
aws_glue_catalog_table.glue_sample_table: Creating...
aws_glue_catalog_table.glue_self_ping_table: Creating...
aws_glue_catalog_table.glue_log_table: Creating...
aws_glue_catalog_table.glue_self_ping_table: Creation complete after 2s [id=173115710334:default:self_ping_table]
aws_glue_catalog_table.glue_status_table: Creation complete after 2s [id=173115710334:default:status_table]
aws_glue_catalog_table.glue_sample_table: Creation complete after 2s [id=173115710334:default:sample_table]
aws_glue_catalog_table.glue_log_table: Creation complete after 2s [id=173115710334:default:log_table]
aws_kinesis_stream.self_ping_stream: Still creating... [20s elapsed]
aws_kinesis_stream.sample_stream: Still creating... [20s elapsed]
aws_kinesis_stream.main_stream: Still creating... [20s elapsed]
aws_kinesis_stream.log_stream: Still creating... [20s elapsed]
aws_kinesis_stream.status_stream: Still creating... [20s elapsed]
aws_kinesis_stream.self_ping_stream: Still creating... [30s elapsed]
aws_kinesis_stream.sample_stream: Still creating... [30s elapsed]
aws_kinesis_stream.main_stream: Still creating... [30s elapsed]
aws_kinesis_stream.log_stream: Still creating... [30s elapsed]
aws_kinesis_stream.status_stream: Still creating... [30s elapsed]
aws_kinesis_stream.self_ping_stream: Still creating... [40s elapsed]
aws_kinesis_stream.sample_stream: Still creating... [40s elapsed]
aws_kinesis_stream.main_stream: Still creating... [40s elapsed]
aws_kinesis_stream.log_stream: Still creating... [40s elapsed]
aws_kinesis_stream.status_stream: Still creating... [40s elapsed]
aws_kinesis_stream.log_stream: Creation complete after 47s [id=arn:aws:kinesis:us-east-2:173115710334:stream/log_stream]
aws_kinesis_firehose_delivery_stream.log_stream_firehose: Creating...
aws_kinesis_stream.main_stream: Creation complete after 47s [id=arn:aws:kinesis:us-east-2:173115710334:stream/ecoplant_messages]
aws_kinesis_stream.self_ping_stream: Creation complete after 48s [id=arn:aws:kinesis:us-east-2:173115710334:stream/self_ping_stream]
aws_kinesis_stream.status_stream: Creation complete after 48s [id=arn:aws:kinesis:us-east-2:173115710334:stream/status_stream]
aws_kinesis_stream.sample_stream: Creation complete after 48s [id=arn:aws:kinesis:us-east-2:173115710334:stream/sample_stream]
aws_kinesis_firehose_delivery_stream.log_stream_firehose: Still creating... [10s elapsed]
aws_kinesis_firehose_delivery_stream.log_stream_firehose: Still creating... [20s elapsed]
aws_kinesis_firehose_delivery_stream.log_stream_firehose: Still creating... [30s elapsed]
aws_kinesis_firehose_delivery_stream.log_stream_firehose: Still creating... [40s elapsed]
aws_kinesis_firehose_delivery_stream.log_stream_firehose: Still creating... [50s elapsed]
aws_kinesis_firehose_delivery_stream.log_stream_firehose: Still creating... [1m0s elapsed]

Error: error creating Kinesis Firehose Delivery Stream: InvalidArgumentException: Firehose is unable to assume role arn:aws:iam::173115710334:role/ecoplant_kinesis_role. Please check the role provided.

  on ecoplant_firehose.tf line 105, in resource "aws_kinesis_firehose_delivery_stream" "log_stream_firehose":
 105: resource "aws_kinesis_firehose_delivery_stream" "log_stream_firehose" {

1 Answer

Stack Overflow user

Answered 2020-04-02 10:07:37

It looks like the AWS service you specified is incorrect.

data "aws_iam_policy_document" "allow_assume_firehose" {
  statement {
    sid    = "${replace("${title(var.PROJECT)}${title(var.ENV)}AllowAssumeFirehoseForS3", "/[-_.]/", "")}"
    principals {
      type = "Service"
      identifiers = [
        "firehose.amazonaws.com" # NOT kinesis but firehose
      ]
    }
    effect = "Allow"
    actions = [
      "sts:AssumeRole"
    ]
    condition {
      test = "StringEquals"
      variable = "sts:ExternalId"
      values = [
        "${data.aws_caller_identity.current.account_id}"
      ]
    }
  }
}
Votes: 0
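
The principal mismatch the answer points out can be caught before `terraform apply` by checking each role's trust policy against the service that will assume it. The Python check below is an added example, not part of the original question or answer; the function name `service_can_assume` and the placeholder account ID `111122223333` are assumptions, and IAM evaluation is simplified to service principals and `StringEquals` on `sts:ExternalId`.

```python
import json

# Trust policy from the question (trusts kinesis.amazonaws.com only).
QUESTION_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow", "Sid": "",
                   "Principal": {"Service": "kinesis.amazonaws.com"}}],
})
# Constructed sample in the shape of the answer; the account ID is a placeholder.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Action": ["sts:AssumeRole"], "Effect": "Allow",
                  "Principal": {"Service": ["firehose.amazonaws.com"]},
                  "Condition": {"StringEquals": {"sts:ExternalId": "111122223333"}}},
})

def _as_list(value):
    # IAM accepts a single value or a list for Statement, Action and Principal entries.
    return value if isinstance(value, list) else [value]

def service_can_assume(policy_json, service, external_id=None):
    """Simplified check: does the trust policy let `service` call sts:AssumeRole?

    Only StringEquals on sts:ExternalId is evaluated; other condition
    operators are ignored, so a True result is necessary, not sufficient.
    """
    allowed = False
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            continue  # e.g. "*"; not handled by this simplified check
        if service not in _as_list(principal.get("Service", [])):
            continue
        if stmt.get("Effect") == "Deny":
            return False  # an explicit deny always wins
        if stmt.get("Effect") != "Allow":
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None and external_id not in _as_list(required):
            continue  # ExternalId condition present but not satisfied
        allowed = True
    return allowed

if __name__ == "__main__":
    for name, policy in (("question", QUESTION_POLICY), ("fixed", FIXED_POLICY)):
        ok = service_can_assume(policy, "firehose.amazonaws.com", "111122223333")
        print(f"{name}: firehose.amazonaws.com can assume role -> {ok}")
```
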
Original page content provided by Stack Overflow.
Original link: https://stackoverflow.com/questions/60972315
