我正在尝试将角色应用于 Kubernetes 服务帐户,作为其中的一部分,我正在尝试转换以下 json
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Federated": "${oidc_arn}"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"${oidc_url}:sub": "system:serviceaccount:${k8s_namespace}:${role_name}",
"${oidc_url}:aud": "sts.amazonaws.com"
}
}
}]
}
进入盐酸
variable "pod_iam_role_name" {
default = "PodAssumeRole"
}
variable "instance_manager_namespace" {
default = "instance-manager"
}
resource "aws_iam_role" "pod_role" {
name = var.pod_iam_role_name
path = "/"
assume_role_policy = aws_iam_policy.pod_role.arn
force_detach_policies = false
}
resource "aws_iam_policy" "pod_role" {
name = "PodAssumeRolePolicy"
path = "/"
policy = data.aws_iam_policy_document.pod_role.json
}
data "aws_iam_policy_document" "pod_role" {
version = "2012-10-17"
statement {
sid = "PodAssumeRole"
effect = "Allow"
principals {
type = "Service"
identifiers = [
module.eks.oidc_provider_arn
]
}
actions = [
"sts:AssumeRoleWithWebIdentity",
]
condition {
test = "StringEquals"
values = [
"${module.eks.cluster_oidc_issuer_url}:aud"
]
variable = "sts.amazonaws.com"
}
condition {
test = "StringEquals"
values = [
"${module.eks.cluster_oidc_issuer_url}:sub"
]
variable = "system:serviceaccount:${var.instance_manager_namespace}:${var.pod_iam_role_name}"
}
}
}
但我收到以下错误
Error: error creating IAM policy PodAssumeRolePolicy: MalformedPolicyDocument: The policy failed legacy parsing
status code: 400, request id: 47efe363-c069-46b6-bd7e-51d9f6032969
on ../../modules/k8s/openid.tf line 32, in resource "aws_iam_policy" "pod_role":
32: resource "aws_iam_policy" "pod_role" {
为了学分和充分披露,我可以告知我正在关注本教程。