嗨,AWS 和 Terraform 专家,我有点生成由我们的前同事手动构建的 KMS 和 IAM 关联,我在完成下面所述的 kms 策略副本时遇到问题:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::12345678912345:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "ALSKDJFHGNVBCMXJDH0987"
},
"Action": "kms:Decrypt",
"Resource": "*"
}
]
}
这个ALSKDJFHGNVBCMXJDH0987是一个IAM 角色,我相信它是由 AWS 控制台转换的(还不确定为什么(
{
"Effect": "Allow",
"Principal": {
"AWS": "ALSKDJFHGNVBCMXJDH0987"
},
"Action": "kms:Decrypt",
"Resource": "*"
}
我使用我创建的地形脚本收到此错误:
Error: MalformedPolicyDocumentException: Policy contains a statement with one or more invalid principals.
status code: 400, request id: alsknldkj2-assd-3333-0sdc-askdjaksdjn2
on main.tf line 84, in resource "aws_kms_key" "secrets":
84: resource "aws_kms_key" "secrets" {
序列有问题吗? 还是我错过了什么?这里附上我使用的地形代码:
data "template_file" "my-lambda-policy" {
template = "${file("policy/lambda.json")}"
vars = {
SWAG = var.AWS-SWAG
STUDENT-BELONGS = var.STUDENT
STUDENT-TEACHER = var.TEACHER
ROOM = var.CLASSROOM
}
}
resource "aws_iam_policy" "my-lambda-pol" {
name = "my-lambda-policy"
policy = data.template_file.my-lambda-policy.rendered
}
data "template_file" "my-my-lambda-pol2" {
template = "${file("policy/lambda2.json")}"
}
resource "aws_iam_policy" "my-lambda-pol2" {
name = "my-my-lambda-pol2"
policy = data.template_file.my-my-lambda-pol2.rendered
}
data "template_file" "my-lambda-to-my-kms-policy" {
template = "${file("policy/kms-lambda.json")}"
vars = {
SWAG = var.AWS-SWAG
KMS_KEY_ID = aws_kms_key.mysecret.id
}
}
resource "aws_iam_policy" "lambda-to-kms" {
name = "my-lambda-to-my-kms-policy"
policy = data.template_file.my-lambda-to-my-kms-policy.rendered
}
resource "aws_iam_role" "the-lambda-role" {
name = "{STUD_CHAIR}-${STU_SEAG}-${STUDENT-BELONGS}-${STUDENT-TEACHER}"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
}
resource "aws_iam_role_policy_attachment" "my-lambda-policy_attachment" {
policy_arn = aws_iam_policy.my-lambda-pol.arn
role = aws_iam_role.the-lambda-role.name
}
resource "aws_iam_role_policy_attachment" "my-lambda-pol2_attachment" {
policy_arn = aws_iam_policy.my-lambda-pol2.arn
role = aws_iam_role.the-lambda-role.name
}
resource "aws_iam_role_policy_attachment" "kms-attachment" {
depends_on = [aws_kms_key.mysecret]
policy_arn = aws_iam_policy.lambda-to-kms.arn
role = aws_iam_role.the-lambda-role.name
}
data "template_file" "my-kms-policy" {
template = "${file("policy/my-kms-policy.json")}"
vars = {
STUD_CHAIR= "${var.CHAIR}"
STU_SWAG = "${l{var.SWAG}}"
STUDENT-BELONGS = "${var.STUDENT}"
STUDENT-TEACHER = "${var.TEACHER}"
ROOM = "${var.CLASSROOM}"
}
}
resource "aws_kms_key" "mysecret" {
description = "KMS Key for ${var.STUDENT}-${var.TEACHER}-key-${var.CLASSROOM}"
policy = data.template_file.my-kms-policy.rendered
depends_on = [aws_iam_role.the-lambda-role]
}
resource "aws_kms_alias" "mysecret" {
name = "alias/${var.STUDENT}-${var.TEACHER}-key-${var.CLASSROOM}"
depends_on = [aws_iam_role.the-lambda-role]
target_key_id = aws_kms_key.mysecret.key_id
}
这就是my-kms-policy.json内部的内容
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::${ROOM}:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::${ROOM}:role/${STUD_CHAIR}-${STU_SEAG}-${STUDENT-BELONGS}-${STUDENT-TEACHER}"
},
"Action": "kms:Decrypt",
"Resource": "*"
}
]
}
解决方法
解决方法是运行terraform apply两次。
原因
重新创建 IAM 角色时,出于以下原因,需要更新引用此角色的策略:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html
如果您的委托人元素包含特定 IAM 角色或用户的 ARN,则在保存策略时,该 ARN 将转换为唯一的委托人 ID。这有助于降低某人通过删除和重新创建角色或用户来升级其权限的风险。您通常不会在控制台中看到此 ID,因为在显示信任策略时,还会反向转换回 ARN。但是,如果您删除角色或用户,则委托人 ID 将显示在控制台中,因为 AWS 无法再将其映射回 ARN。因此,如果您删除并重新创建信任策略的 Principal 元素中引用的用户或角色,则必须编辑该角色以替换 ARN。
首次运行 Terraform 将重新创建 IAM 角色,从而破坏策略。第二次运行它将通过将新创建的引用添加到 IAM 角色来更正策略。