0

我正在尝试将角色应用于 Kubernetes 服务帐户,作为其中的一部分,我正在尝试转换以下 json

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {
            "Federated": "${oidc_arn}"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {
                "${oidc_url}:sub": "system:serviceaccount:${k8s_namespace}:${role_name}",
                "${oidc_url}:aud": "sts.amazonaws.com"
            }
        }
    }]
}

进入盐酸

variable "pod_iam_role_name" {
  default = "PodAssumeRole"
}

variable "instance_manager_namespace" {
  default = "instance-manager"
}

resource "aws_iam_role" "pod_role" {
  name = var.pod_iam_role_name
  path = "/"
  assume_role_policy = aws_iam_policy.pod_role.arn
  force_detach_policies = false
}

resource "aws_iam_policy" "pod_role" {
  name = "PodAssumeRolePolicy"
  path = "/"
  policy = data.aws_iam_policy_document.pod_role.json
}

data "aws_iam_policy_document" "pod_role" {
  version = "2012-10-17"
  statement {
    sid = "PodAssumeRole"
    effect = "Allow"

    principals {
      type = "Service"
      identifiers = [
        module.eks.oidc_provider_arn
      ]
    }

    actions = [
      "sts:AssumeRoleWithWebIdentity",
    ]

    condition {
      test = "StringEquals"
      values = [
        "${module.eks.cluster_oidc_issuer_url}:aud"
      ]
      variable = "sts.amazonaws.com"
    }

    condition {
      test = "StringEquals"
      values = [
        "${module.eks.cluster_oidc_issuer_url}:sub"
      ]
      variable = "system:serviceaccount:${var.instance_manager_namespace}:${var.pod_iam_role_name}"
    }
  }
}

但我收到以下错误

Error: error creating IAM policy PodAssumeRolePolicy: MalformedPolicyDocument: The policy failed legacy parsing
    status code: 400, request id: 47efe363-c069-46b6-bd7e-51d9f6032969

  on ../../modules/k8s/openid.tf line 32, in resource "aws_iam_policy" "pod_role":
  32: resource "aws_iam_policy" "pod_role" {

为了学分和充分披露,我可以告知我正在关注教程。

4

2 回答 2

0

你可以尝试这样的事情:

  • aws_iam_policy(只需更新 json 的路径)
resource "aws_iam_policy" "pod_role" {
  name = "PodAssumeRolePolicy"
  path = "/"
  policy = templatefile("${path.module}/foo/policy.json", {
    oidc_arn      = module.eks.oidc_provider_arn
    oidc_url      = module.eks.cluster_oidc_issuer_url
    k8s_namespace = var.instance_manager_namespace
    role_name     = var.pod_iam_role_name
  })
}
  • 你原来的json
{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {
            "Federated": "${oidc_arn}"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {
                "${oidc_url}:sub": "system:serviceaccount:${k8s_namespace}:${role_name}",
                "${oidc_url}:aud": "sts.amazonaws.com"
            }
        }
    }]
}
于 2021-07-07T21:21:25.777 回答
0

assume_role_policy应该是json。所以假设其他一切都是正确的,它应该是:

assume_role_policy = data.aws_iam_policy_document.pod_role.json
于 2021-07-07T11:48:54.533 回答