
I need to create some role policy for AWS using Terraform. The basic role works fine, but when I add S3 and logs, I get a malformed policy error:

aws_iam_role.lambda_exec_role_s3: Error creating IAM Role lambda_exec_role_s3: MalformedPolicyDocument: Has prohibited field Resource status code: 400

This is the role policy that is failing:

assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
    {
        "Action": "sts:AssumeRole",
        "Principal": {
            "Service": "lambda.amazonaws.com"
        },
        "Effect": "Allow",
        "Sid": ""
    },
    {
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": "*"
    },
    {
        "Effect": "Allow",
        "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
        ],
        "Resource": "arn:aws:logs:*:*:*"
    }
]
}
EOF

Here is the working role policy:

assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
    {
        "Action": "sts:AssumeRole",
        "Principal": {
            "Service": "lambda.amazonaws.com"
        },
        "Effect": "Allow",
        "Sid": ""
    }
]
}
EOF

1 Answer


You cannot add actual actions to an assume role policy.

The assume role policy is used to restrict how the role can be assumed (by a user / EC2 instance or ECS task / AWS service / cross-account role, etc.).

You need to specify the actual actions the role can perform in a policy, either inline or in a managed policy that is subsequently attached to the role.

answered 2018-07-11T07:45:00.483
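The split the answer describes, as an added Terraform example (not the asker's or answerer's code): the trust policy on `aws_iam_role` names only the principal allowed to assume the role, and the S3 and CloudWatch Logs permissions go into a separate `aws_iam_role_policy` attached to it. It assumes Terraform 0.12+ syntax and uses a placeholder bucket name so the S3 grant is scoped to one bucket rather than `s3:*` on `*`.

```hcl
# Trust policy: only says WHO may assume the role (the Lambda service).
# No Resource field belongs here, which is what the MalformedPolicyDocument
# error was complaining about.
data "aws_iam_policy_document" "lambda_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "lambda_exec_role_s3" {
  name               = "lambda_exec_role_s3"
  assume_role_policy = data.aws_iam_policy_document.lambda_assume.json
}

# Permissions policy: WHAT the role may do once assumed.
# "example-bucket" is a placeholder; substitute the real bucket name.
data "aws_iam_policy_document" "lambda_permissions" {
  statement {
    actions   = ["s3:GetObject", "s3:PutObject"]
    resources = ["arn:aws:s3:::example-bucket/*"]
  }
  statement {
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::example-bucket"]
  }
  statement {
    actions = [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
    ]
    resources = ["arn:aws:logs:*:*:*"]
  }
}

# Inline policy attached to the role (a managed policy plus
# aws_iam_role_policy_attachment would work the same way).
resource "aws_iam_role_policy" "lambda_exec_role_s3" {
  name   = "lambda_exec_role_s3_permissions"
  role   = aws_iam_role.lambda_exec_role_s3.id
  policy = data.aws_iam_policy_document.lambda_permissions.json
}
```

`terraform plan` renders both documents, so you can inspect the generated JSON and confirm that only the trust policy carries a `Principal` and only the permissions policy carries `Resource` entries.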