Question
I need to create some role policy for AWS using Terraform. The basic role works fine, but when I add S3 and logs, I get a malformed error:
aws_iam_role.lambda_exec_role_s3: Error creating IAM Role lambda_exec_role_s3: MalformedPolicyDocument: Has prohibited field Resource status code: 400
This is the role policy that is failing:
assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*"
    }
  ]
}
EOF
Here is the working role policy:
assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
Answer 1:
You can't add actual actions in an assume role policy.
The assume role policy is for limiting how the role can be assumed (by users/EC2 instances or ECS tasks/AWS services/cross account roles etc).
You need to specify the actual actions the role can do in a policy, either in line or in a managed policy that is then attached to the role.
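The split described in the answer, as an added example that is not part of the original post: the trust policy stays on the role and the S3 and logs statements move to an inline `aws_iam_role_policy`. The policy resource name `lambda_exec_permissions` is a hypothetical name chosen here, and the bare reference syntax assumes Terraform 0.12 or later.

```hcl
# Trust policy only: who may assume the role. A "Resource" key is rejected here.
resource "aws_iam_role" "lambda_exec_role_s3" {
  name = "lambda_exec_role_s3"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": { "Service": "lambda.amazonaws.com" },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

# Permissions policy: what the role may do once assumed (hypothetical name).
resource "aws_iam_role_policy" "lambda_exec_permissions" {
  name = "lambda_exec_permissions"
  role = aws_iam_role.lambda_exec_role_s3.id

  # Statements copied from the question. "s3:*" on "*" is broad; listing the
  # needed actions and bucket ARNs instead keeps the role least-privilege.
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*"
    }
  ]
}
EOF
}
```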
Source: https://stackoverflow.com/questions/51276083/terraform-aws-role-policy-fails-when-adding-permissions