amazon-web-services - Terraform aws 承担角色

Question

我对使用 terraform 的 AWS 担当角色有疑问。

在 AWS 中，我在单个组织中拥有三个帐户:root、staging 和 production(我们只关注 root 和 staging 帐户)。 root 帐户有一个 IAM 用户 terraform(具有 AdministratorAccess 策略)，terraform 使用它来配置所有内容。

The image of organization structure

Root account ID: 111111111111
Staging account ID: 333333333333

terraform 脚本看起来像这样:

############## backend.tf

terraform {
  required_version = "0.12.19"
}


############## providers.tf
provider "aws" {
  region = "eu-west-1"

  profile = "default"
}

provider "aws" {
  version = ">= 2.44"
  region  = "eu-west-1"
  profile = "default"

  assume_role {
    role_arn = "arn:aws:iam::333333333333:role/staging-admin"
  }

  allowed_account_ids = ["333333333333"]

  alias = "staging"
}


############## organization.tf
resource "aws_organizations_account" "staging" {
  email = "staging@domain.com"
  name  = "Staging"

  parent_id = "ZZZZZ"
}



############## data.tf
data "aws_iam_policy_document" "assume_staging_role" {
  statement {
    effect    = "Allow"
    actions   = ["sts:AssumeRole"]
    resources = [
      aws_iam_role.staging.arn
    ]
  }
}

data "aws_iam_policy" "administrator_access" {
  arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

data "template_file" "cross_admin_trust_policy" {
  template = file("templates/cross_admin_trust_policy.json")

  vars = {
    staging_account_number = aws_organizations_account.staging.id
  }
}



############## iam.tf
resource "aws_iam_role" "staging" {
  name                 = "staging-admin"
  description          = "Assumable role granting administrator permissions to the staging account"
  assume_role_policy   = data.template_file.cross_admin_trust_policy.rendered
  max_session_duration = 20000

  provider = aws.staging
}

resource "aws_iam_role_policy_attachment" "staging_admin_access" {
  role       = aws_iam_role.staging.name
  policy_arn = data.aws_iam_policy.administrator_access.arn

  provider = aws.staging_ireland
}

resource "aws_iam_role_policy_attachment" "staging_attach_assume_any_admin" {
  role       = aws_iam_role.staging.name
  policy_arn = data.aws_iam_policy.administrator_access.arn

  provider = aws.staging_ireland
}

和我的 policy.json 文件:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::${staging_account_number}:role/staging-admin"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

当我执行 terraform plan 时出现此错误:

Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

data.aws_iam_policy.administrator_access: Refreshing state...
aws_organizations_account.staging: Refreshing state... [id=333333333333]
data.template_file.cross_admin_trust_policy: Refreshing state...

Error: The role "arn:aws:iam::333333333333:role/staging-admin" cannot be assumed.

  There are a number of possible causes of this - the most common are:
    * The credentials used in order to assume the role are invalid
    * The credentials do not have appropriate permission to assume the role
    * The role ARN is not valid

  on providers.tf line 25, in provider "aws"

有人知道如何修复吗？

Answer 1

根据 https://aws.amazon.com/premiumsupport/knowledge-center/iam-assume-role-cli/

1. 运行 aws sts get-caller-identity 命令来检查您的身份。

2. 运行 aws sts assume-role --role-arn arn:aws:iam::333333333333:role/staging-admin 命令以查看您的角色是否可以担任此角色身份。

3. 检查您的 IAM 角色的信任关系。您应该限制它，以便 IAM 角色只能由特定的 IAM 用户承担。

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": { "AWS": "arn:aws:iam:: 333333333333:root" },
        "Action": "sts:AssumeRole"
    }
}