设置Terraform中的IAM策略

huangapple
go评论69阅读模式
英文:

Setting IAM Policy within Terraform

问题

我在按照Terraform文档设置IAM策略时遇到了问题。
在尝试将此策略分配给我的S3存储桶时,使用databricks提供的文档 返回了以下错误消息
策略文档不应指定主体。

您可以使用以下代码部分进行复制:

resource "aws_iam_policy" "databricks_bucket_policy" {
  name        = "databrick_bucket_policy"
  path        = "/"
  description = "A policy for Databricks S3 Bucket"

  # Terraform的"jsonencode"函数将Terraform表达式结果转换为有效的JSON语法。
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Effect" : "Allow",
        "Principal" : {
          "AWS" : [
            "arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL",
            "arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:role/<THIS_ROLE_NAME>"
          ]
        },
        "Action" : "sts:AssumeRole",
        "Condition" : {
          "StringEquals" : {
            "sts:ExternalId" : "<DATABRICKS_ACCOUNT_ID>"
          }
        }
      }
    ]
  })
}

我尝试按照此Terraform文档操作,但没有完全理解。 如果有人能够澄清如何完成此操作,我将不胜感激。

英文:

I am having troubles setting an IAM Policy following documentation on Terraform.
While trying to assign a this policy to my S3 Bucket using this documentation from databricks

the following error is being returned
Policy document should not specify a principal.

You may reproduce using the following code section

resource &quot;aws_iam_policy&quot; &quot;databricks_bucket_policy&quot; {
  name        = &quot;databrick_bucket_policy&quot;
  path        = &quot;/&quot;
  description = &quot;A policy for Databricks S3 Bucket&quot;

  # Terraform&#39;s &quot;jsonencode&quot; function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    &quot;Version&quot; : &quot;2012-10-17&quot;,
    &quot;Statement&quot; : [
      {
        &quot;Effect&quot; : &quot;Allow&quot;,
        &quot;Principal&quot; : {
          &quot;AWS&quot; : [
            &quot;arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL&quot;,
            &quot;arn:aws:iam::&lt;YOUR_AWS_ACCOUNT_ID&gt;:role/&lt;THIS_ROLE_NAME&gt;&quot;
          ]
        },
        &quot;Action&quot; : &quot;sts:AssumeRole&quot;,
        &quot;Condition&quot; : {
          &quot;StringEquals&quot; : {
            &quot;sts:ExternalId&quot; : &quot;&lt;DATABRICKS_ACCOUNT_ID&gt;&quot;
          }
        }
      }
    ]
  })
}

I've tried following this terraform doc but it is not fully understood. I would appreciate if someone could clarify on how this can be done.

答案1

得分: 3

你正在尝试创建一个aws_iam_policy资源并将其分配给一个S3存储桶,但你只能将aws_s3_bucket_policy分配给一个存储桶。IAM策略分配给用户或角色,因此在IAM策略中从不指定主体,因为它直接分配给应用于的主体。

相比之下,资源策略(如S3存储桶策略)分配给一个资源,你可以指定授予或拒绝访问该资源的主体。

现在,查看Databricks文档,似乎在文档的第3步中提供给你的是信任关系。第4步包含IAM策略。他们还指导你创建IAM角色,而不是S3存储桶策略。

看起来你被指示创建一个Databricks可以假定的IAM角色,该角色允许Databricks访问你帐户中的S3存储桶。根本不需要创建S3存储桶策略。

你的Terraform代码应该如下所示:

resource "aws_iam_role" "databricks_role" {
  name = "databricks_role"

  assume_role_policy = jsonencode(
    # 步骤3中的JSON在此处
  )
}

resource "aws_iam_policy" "databricks_role_policy" {
  name        = "databricks_role_policy"
  path        = "/"
  description = "Databricks IAM角色的策略"

  policy = jsonencode(
    # 步骤4中的JSON在此处
  )
}

resource "aws_iam_role_policy_attachment" "databricks_role" {
  role       = aws_iam_role.databricks_role.name
  policy_arn = aws_iam_policy.databricks_role_policy.arn
}
英文:

You are trying to create an aws_iam_policy resource and assign it to an S3 bucket, but you can only assign an aws_s3_bucket_policy to a bucket. An IAM policy is assigned to users or roles, so you never specify a principal in an IAM policy because it is directly assigned to the principal it is applied to.

By contrast a resource policy, such as the S3 bucket policy, is assigned to a resource, and you specify the principals that you are granting or denying access to the resource.

Now, looking at the Databricks documentation, it appears what they are giving you in step 3 of the documentation is a trust relationship. Step 4 has the IAM policy. They are also instructing you to create an IAM Role, not an S3 bucket policy.

It appears that what you are being instructed to do is create an IAM role that Databricks can assume, that gives Databricks access to the S3 bucket in your account. You are not being instructed to create an S3 bucket policy at all.

Your Terraform should look like this:

resource &quot;aws_iam_role&quot; &quot;databricks_role&quot; {
  name = &quot;databricks_role&quot;

  assume_role_policy = jsonencode(
    # The JSON from Step 3 goes here
  )
}

resource &quot;aws_iam_policy&quot; &quot;databricks_role_policy&quot; {
  name        = &quot;databrick_role_policy&quot;
  path        = &quot;/&quot;
  description = &quot;A policy for Databricks IAM Role&quot;

  policy = jsonencode(
    # The JSON from Step 4 goes here
  )
}

resource &quot;aws_iam_role_policy_attachment&quot; &quot;databricks_role&quot; {
  role       = aws_iam_role.databricks_role.name
  policy_arn = aws_iam_policy.databricks_role_policy.arn
}

huangapple
  • 本文由 发表于 2023年1月8日 21:55:29
  • 转载请务必保留本文链接:https://go.coder-hub.com/75048301.html
  • amazon-web-services
  • terraform
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定