Creating an aws_api_gateway_account resource returns AccessDeniedException
In my Terraform script I have the following resource:

resource "aws_api_gateway_account" "demo" {
  cloudwatch_role_arn = var.apigw_cloudwatch_role_arn
}

During the apply phase I see the following error:

2020/09/21 20:20:48 [ERROR] <root>: eval: *terraform.EvalApplyPost, err: Updating API Gateway Account failed: AccessDeniedException: 
status code: 403, request id: abb0662e-ead2-4d95-b987-7d889088a5ef

Is there a specific permission that needs to be attached to the role to get rid of this error?

Ran into the same problem as @bdev03. It took me 2 days to figure out that the missing permission was "iam:PassRole"; it would be great if Terraform could point this out. Hope this helps.

Since neither this thread (so far) nor the official documentation really resolves this... the minimum policy required for this operation is:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPassingTheRoleToApiGateway",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": ["apigateway.amazonaws.com"]
        }
      }
    },
    {
      "Sid": "AllowAPIGatewayUpdate",
      "Effect": "Allow",
      "Action": [
        "apigateway:UpdateRestApiPolicy",
        "apigateway:PATCH",
        "apigateway:GET"
      ],
      "Resource": "*"
    }
  ]
}

I haven't tested it, but I believe the role needs what is shown below. See the source for more context: the "To enable CloudWatch Logs" section at https://docs.aws.amazon.com/apigateway/latest/developerguide/stages.html

For common application scenarios, the IAM role can have the AmazonAPIGatewayPushToCloudWatchLogs managed policy, which contains the following access policy statement:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:PutLogEvents",
        "logs:GetLogEvents",
        "logs:FilterLogEvents"
      ],
      "Resource": "*"
    }
  ]
}

The IAM role must also include the following trust relationship statement:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": { "Service": "apigateway.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
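Putting the two answers together as one Terraform configuration (an added example, not code posted by any of the answerers or by the question author): the role that API Gateway assumes, with the trust relationship and managed policy quoted above, the aws_api_gateway_account resource from the question, and the deployer-side policy from the earlier answer. The role, policy and resource names are assumed; the iam:PassRole statement is narrowed from "*" to that one role, and the apigateway statement is narrowed to the account-settings ARN and drops UpdateRestApiPolicy, which the account update does not need. If a narrowed resource is rejected in your account, fall back to the "*" used in the answer above.

```hcl
# Added example, not from the original question or answers.
# Assumed: resource/policy names, and the account-settings ARN used below.

# 1) The role API Gateway itself assumes to push execution logs to CloudWatch.
#    Trust policy and managed policy are the ones quoted from the AWS docs above.
data "aws_iam_policy_document" "apigw_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["apigateway.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "apigw_cloudwatch" {
  name               = "apigw-cloudwatch-logs" # assumed name
  assume_role_policy = data.aws_iam_policy_document.apigw_trust.json
}

resource "aws_iam_role_policy_attachment" "apigw_cloudwatch_logs" {
  role       = aws_iam_role.apigw_cloudwatch.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
}

# 2) Account-level setting that hands the role to API Gateway. This is the
#    call that fails with AccessDeniedException when the principal running
#    terraform apply lacks iam:PassRole on the role.
resource "aws_api_gateway_account" "demo" {
  cloudwatch_role_arn = aws_iam_role.apigw_cloudwatch.arn
}

# 3) Permissions for the principal that runs terraform apply. PassRole is
#    limited to this single role and, via iam:PassedToService, to the API
#    Gateway service, so the same grant cannot be used to hand the role to
#    any other service.
data "aws_iam_policy_document" "deployer" {
  statement {
    sid       = "AllowPassingTheRoleToApiGateway"
    effect    = "Allow"
    actions   = ["iam:PassRole"]
    resources = [aws_iam_role.apigw_cloudwatch.arn]
    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = ["apigateway.amazonaws.com"]
    }
  }
  statement {
    sid       = "AllowAPIGatewayAccountUpdate"
    effect    = "Allow"
    actions   = ["apigateway:PATCH", "apigateway:GET"]
    # Assumed: the account-settings ARN; use "*" if this form is rejected.
    resources = ["arn:aws:apigateway:*::/account"]
  }
}

resource "aws_iam_policy" "deployer" {
  name   = "terraform-apigw-account-deployer" # assumed name
  policy = data.aws_iam_policy_document.deployer.json
}
```

Attach the deployer policy to whichever user or role runs terraform apply (that attachment is left out above because it depends on how your CI principal is defined), then the UpdateAccount call behind aws_api_gateway_account succeeds without the 403. The iam:PassedToService condition is the part worth keeping even if you widen the resources back to "*": without it, a PassRole grant lets the deployer pass the role to any service, not just API Gateway.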
