Error creating Step Function: not authorized to assume the provided role

I'm getting an error when creating a Step Function with Terraform:

Error: Error creating Step Function State Machine: AccessDeniedException: Neither the global service principal states.amazonaws.com, nor the regional one is authorized to assume the provided role.

I tried adding a depends_on block to the aws_sfn_state_machine resource, but it didn't help. However, if I create the role separately from the Step Function and then set role_arn in the aws_sfn_state_machine resource, everything works. Why?

The error message you shared seems to indicate that the assume-role policy for the given role doesn't include any of the service principals used by Step Functions. The role needs an assume-role policy that lists this service as one of its allowed principals:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "states.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}

In Terraform we would typically set this as an argument of the aws_iam_role resource:

resource "aws_iam_role" "example" {
  name = "stepfunctions"
  assume_role_policy = jsonencode({
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "sts:AssumeRole",
        "Principal": {
          "Service": "states.amazonaws.com"
        },
        "Effect": "Allow",
        "Sid": ""
      }
    ]
  })
}

We can then refer to that role's ARN in the aws_sfn_state_machine resource, which automatically creates a dependency ensuring that Terraform doesn't try to create the Step Function before the role has been created:

resource "aws_sfn_state_machine" "example" {
  name     = "my-state-machine"
  role_arn = aws_iam_role.example.arn
  # ...
}

Unfortunately, due to the internal design of AWS IAM, it sometimes takes a few minutes after an IAM object is created before it is fully functional. The AWS API doesn't expose any comprehensive, reliable way to detect when an IAM principal is fully working after a settings change, so the Terraform AWS provider generally makes a best effort to poll for completion, but this can't always be guaranteed.

If you still see the error you mentioned with the configuration above, I'd suggest waiting 10 minutes after seeing the error and then trying to run terraform apply again (without destroying the role and recreating it) to see if it works. Of course, having to run Terraform twice to get the desired result isn't convenient, but at least it lets you identify delayed consistency as the cause, so you avoid spending time investigating other possible problems.

depends_on may be referring to this: if resource B is to be created, then resource A should be created as well. It doesn't apply the role to the state machine. role_arn is the explicit setting that makes the state machine use this particular role.

https://www.terraform.io/docs/configuration/resources.html#depends_on-explicit-resource-dependencies

Below is the Terraform role for the Step Function; hope this will help.

# iam/state-assume-policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "states.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

# role

# AWS managed policies that will be attached to the Step Functions role
data "aws_iam_policy" "AWSStepFunctionsFullAccess" {
  arn = "arn:aws:iam::aws:policy/AWSStepFunctionsFullAccess"
}
data "aws_iam_policy" "CloudWatchLogsFullAccess" {
  arn = "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess"
}
data "aws_iam_policy" "AWSLambdaRole" {
  arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaRole"
}

# The role itself; its trust policy (states.amazonaws.com) comes from the file above
resource "aws_iam_role" "StepFunctionQuantumRole" {
  name               = "CompanyNameStepFunctionRole"
  assume_role_policy = file("iam/state-assume-policy.json")
}

resource "aws_iam_role_policy_attachment" "step_function_attach_policy_awsstepfunctionfullaccess" {
  role       = aws_iam_role.StepFunctionQuantumRole.name
  policy_arn = data.aws_iam_policy.AWSStepFunctionsFullAccess.arn
}
resource "aws_iam_role_policy_attachment" "step_function_attach_policy_cloudwatchlogsfullaccess" {
  role       = aws_iam_role.StepFunctionQuantumRole.name
  policy_arn = data.aws_iam_policy.CloudWatchLogsFullAccess.arn
}
resource "aws_iam_role_policy_attachment" "step_function_attach_policy_awslambdarole" {
  role       = aws_iam_role.StepFunctionQuantumRole.name
  policy_arn = data.aws_iam_policy.AWSLambdaRole.arn
}

# stepfunction.tf

// Create state machine for step function
resource "aws_sfn_state_machine" "sfn_state_machine" {
  name       = "nameofstatemachine"
  role_arn   = aws_iam_role.StepFunctionQuantumRole.arn
  definition = <<EOF
add your definition here
EOF
}

Also try specifying the region:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "states.us-east-1.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "states.us-west-2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
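As an added check that is not part of any answer above: a small Python function that inspects a role's trust policy the way the first and last answers describe, reporting which Step Functions service principals (global states.amazonaws.com or a regional states.<region>.amazonaws.com) are allowed sts:AssumeRole. The sample policies are constructed, and the regex used to recognise regional principals is an assumption.

```python
import json
import re

# Global Step Functions principal plus regional ones such as
# states.us-east-1.amazonaws.com (the region pattern is an assumption).
STATES_PRINCIPAL = re.compile(r"^states(\.[a-z]{2}(-gov)?-[a-z]+-\d)?\.amazonaws\.com$")
ASSUME_ACTIONS = {"sts:assumerole", "sts:*", "*"}


def _as_list(value):
    """IAM accepts a single string or a list for Principal.Service and Action."""
    return [] if value is None else value if isinstance(value, list) else [value]


def step_functions_principals(trust_policy):
    """Return the Step Functions service principals allowed to assume the role.
    A statement counts only if Effect is Allow, Action covers sts:AssumeRole and
    Principal.Service names states.amazonaws.com or a regional variant. An explicit
    Deny removes the principal again. Wildcard principals are not treated as a match.
    """
    doc = json.loads(trust_policy) if isinstance(trust_policy, str) else trust_policy
    allowed, denied = set(), set()
    for stmt in _as_list(doc.get("Statement")):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & ASSUME_ACTIONS:
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        hits = {s for s in services if STATES_PRINCIPAL.match(s)}
        (allowed if stmt.get("Effect") == "Allow" else denied).update(hits)
    return sorted(allowed - denied)


def can_step_functions_assume(trust_policy):
    """True when the trust policy would not trigger the AccessDeniedException above."""
    return bool(step_functions_principals(trust_policy))


# Constructed samples: a Lambda-only trust (the failure mode in the question) and
# the regional variant from the last answer, serialised as JSON text.
LAMBDA_ONLY_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}
REGIONAL_TRUST_JSON = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "states.us-east-1.amazonaws.com"},
     "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Principal": {"Service": "states.us-west-2.amazonaws.com"},
     "Action": "sts:AssumeRole"}]})
```

Run it against the AssumeRolePolicyDocument returned for the role; an empty list is the configuration that produces the error in the question.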
