我有一个具有 IAM 角色策略的用户账户,有权访问特定的 AWS Cloudwatch 控制面板。但是我无法访问它们。以下是政策和错误详情。如果我犯了任何错误,请纠正我。谢谢。
IAM 角色
resource "aws_iam_role" "app1_iam_role" {
name = "${terraform.workspace}-APP1-IAM-ROLE"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::${var.aws_account_id[local.environment]}:root"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
EOF
}
IAM 政策
resource "aws_iam_role_policy" "app1_role_policy" {
name = "${terraform.workspace}-APP1-POLICY-DOCUMENT"
role = aws_iam_role.app1_iam_role.id
policy = <<EOF
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action":[
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:GetLogEvents"
],
"Resource":[
"arn:aws:logs:eu-west-2:${var.aws_account_id[local.environment]}:log-group:${local.app1_log_group_environment}-${upper(var.application_name)}-application:*",
"arn:aws:logs:eu-west-2:${var.aws_account_id[local.environment]}:log-group:${local.app1_log_group_environment}-${upper(var.application_name)}-application:log-stream:*",
]
},
{
"Effect":"Allow",
"Action":[
"cloudwatch:GetDashboard",
"cloudwatch:ListDashboards"
],
"Resource":[
"arn:aws:cloudwatch::${var.aws_account_id[local.environment]}:dashboard/*app1_application*",
"arn:aws:cloudwatch::${var.aws_account_id[local.environment]}:dashboard/*app1_infratructure*"
]
}
]
}
EOF
}
错误
To list dashboards you need cloudwatch:ListDashboards permission.
请注意,我可以访问策略中配置的日志。不确定 cloudwatch 仪表板的 arn 是否存在问题。