0

要将 Terraform 状态文件存储在 S3 存储桶中,我使用了管理员帐户凭据并进行了配置。现在我已经创建了 IAM 用户并尝试使用承担角色。假设角色附加了管理员策略。

我已经用aws sts assume-role --role-arn命令测试了这个 AIM 用户设置。我能够获取令牌并使用能够使用aws s3 ls命令访问 S3 存储桶的令牌。

现在尝试使用 IAM 用户访问/密钥和 terraform 的承担角色。当我运行terraform refresh命令时,它给出以下错误。

提供者代码:

provider "aws" {
  region  = "us-west-2"
  max_retries = 1
  assume_role {
    role_arn = var.assume_role_arn
  }

}

错误

 Error: Error acquiring the state lock
│
│ Error message: 2 errors occurred:
│       * AccessDeniedException: User: arn:aws:iam::xxxxxxxx:user/deploy is not authorized to perform: dynamodb:PutItem on resource:
│ arn:aws:dynamodb:us-west-2:xxxxxxxx:table/terraform-state-lock
│       status code: 400, request id: CV4J3JN1LD0KPDGHAOA9UL13ONVV4KQNSO5AEMVJF66Q9ASUAAJG
│       * AccessDeniedException: User: arn:aws:iam::xxxxxxxx:user/deploy is not authorized to perform: dynamodb:GetItem on resource:
│ arn:aws:dynamodb:us-west-2:xxxxxxxx:table/terraform-state-lock
│       status code: 400, request id: BISQQDU4659LLI3CEDP26T8RJ7VV4KQNSO5AEMVJF66Q9ASUAAJG
│
│
│
│ Terraform acquires a state lock to protect the state from being written
│ by multiple users at the same time. Please resolve the issue above and try
│ again. For most commands, you can disable locking with the "-lock=false"
│ flag, but this is not recommended.

为什么这在 Terraform 中不起作用如何修复此错误?

谢谢

4

1 回答 1

0

它似乎甚至没有承担这个角色,否则错误将显示为assumed-role/deploy identity.

我建议您尝试在命令行中导出AWS_SECRET_ACCESS_KEYAWS_ACCESS_KEY_ID变量,然后再次运行 Terraform。

几天前,我尝试使用 Terraform Cloud 和那里的 terraform 用户凭据,这不完全是您的情况,但它应该以相同的方式运行。

于 2022-02-07T10:41:31.133 回答