2

我目前正在尝试自动化 AWS 帐户预置,其中一个步骤是使用身份提供者(用于联合用户访问)创建 IAM ROLE。我搜索并检查了 Terraform 文档,但找不到有关创建此类角色或将提供者附加到角色的任何信息。我可以很好地创建两者,但它们是独立的。这是代码的一部分:

resource "aws_iam_saml_provider" "default" {
  name                   = "ADFS-TEST"
  saml_metadata_document = "${file("../../FederationMetadata.xml")}"
}

resource "aws_iam_role" "role" {
    name = "test-Admins"
}
4

2 回答 2

4

想通了。这是完整的块

resource "aws_iam_saml_provider" "test" {
  name                   = "ADFS-TEST"
  saml_metadata_document = "${file("../../FederationMetadata.xml")}"
}

resource "aws_iam_role" "role" {
    name = "ADFStest-Admins"
    assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Federated": "${aws_iam_saml_provider.test.arn}"
      },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    }
  ]
}
EOF

}

resource "aws_iam_role_policy" "admins" {
    name        = "Admin-Policy"
    #description = "A test policy"
    role = "${aws_iam_role.role.id}"
    policy = <<EOF
{
  "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "*",
        "Resource": "*"
      }
  ]
}
EOF
}
于 2018-01-25T17:06:25.160 回答
0

谢谢!这个对我有用。

我只是将 aws_iam_role_policy 更改为使用 aws_iam_role_policy_attachment:

resource "aws_iam_role_policy_attachment" "attach" {
    role = "${aws_iam_role.role.name}"
    policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}
于 2018-07-12T18:29:53.347 回答