How to resolve "Step Functions state machine is not authorized to create managed-rule"?

Question    Votes: 0    Answers: 2

I am creating a step function via Terraform using the Hashicorp AWS Step Function module. I have specified an existing role for the step function to use, rather than generating a role from the service integrations. However, I get the following error:

Error: creating Step Functions State Machine (<step func name>): AccessDeniedException: '<step func arn>' is not authorized to create managed-rule.

The role's principal is "states.amazonaws.com". The relevant permissions (i.e. ignoring the permissions for invoking lambda functions, glue jobs etc.) appear to be:

Actions: (I started with more granular permissions)

  • "states:Describe*",
  • "states:Create*",
  • "states:Update*",
  • "states:List*",
  • "states:Start*"

Resources

  • the step function in question

Actions

  • "events:*"

Resources

  • "*" (I'm getting desperate)

I did try using the service integrations, but for some reason I got an error saying that the key I provided did not match the list of service integrations (as far as I can tell, they are identical).

I can't find an answer online, so any help would be greatly appreciated! Thank you

Edit - adding code:

module "step-function-crawler-execution" {
  source = "[email protected]:Schroders-Personal-Wealth/terraform-shared-library.git//services/step-functions?ref=steps-func-0.1.0"

  name       = local.state_machine_def.crawler_wrapper.name
  type       = var.stepfunc_type
  definition = jsonencode(local.state_machine_def.crawler_wrapper.definition)

  publish                          = var.stepfunc_publish
  create_role                      = false
  use_existing_role                = true
  role_arn                         = module.stepfunc-iam-role.arn
  attach_policies_for_integrations = false

  tags = var.service_tags
}

IAM role:

module "stepfunc-iam-role" {
  source  = "cloudposse/iam-role/aws"
  version = "0.16.2"

  enabled = true
  name    = "${var.env}-${var.stepfunc_role_name}"
  principals = {
    "Service" = ["states.eu-west-1.amazonaws.com"]
  }
  assume_role_actions = [
    "sts:AssumeRole", "sts:TagSession"
  ]
  managed_policy_arns = [
    "arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole"
  ]
  permissions_boundary = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/permissions-boundary"

  policy_document_count = 7
  policy_documents = [
    data.aws_iam_policy_document.glue_perms.json,
    data.aws_iam_policy_document.glue_crawler_perms.json,
    data.aws_iam_policy_document.lambda_perms.json,
    data.aws_iam_policy_document.statemachine_perms.json,
    data.aws_iam_policy_document.ddb_perms.json,
    data.aws_iam_policy_document.log_perms.json,
    data.aws_iam_policy_document.event_perms.json,
  ]
  policy_description = var.stepfunc_policy_desc
  role_description   = var.stepfunc_role_desc

  tags = var.service_tags
}

Permissions:

data "aws_iam_policy_document" "event_perms" {
  statement {
    sid    = "EB_perms"
    effect = "Allow"
    actions = [
      "events:*"
    ]
    resources = [
      "*"
    ]
  }
}

data "aws_iam_policy_document" "statemachine_perms" {
  statement {
    sid    = ""
    effect = "Allow"
    actions = [
      "states:Describe*",
      "states:Create*",
      "states:Update*",
      "states:List*",
      "states:Start*",
      "states:StopExecution"
    ]
    resources = [
      module.step-function-crawler-execution.state_machine_arn,
      module.step-function-schema-validation.state_machine_arn,
      module.step-function-cleanzone.state_machine_arn
    ]
  }
}

data "aws_iam_policy_document" "lambda_perms" {
  statement {
    sid    = ""
    effect = "Allow"
    actions = [
      "lambda:InvokeFunction"
    ]
    resources = [
      < arns >
    ]
  }
}

data "aws_iam_policy_document" "s3_perms" {
  statement {
    sid    = "rawzoneS3"
    effect = "Allow"
    resources = [
      < arns >
    ]
    actions = [
      "s3:GetObject",
      "s3:PutObject",
      "s3:ListBucket",
      "s3:DeleteObject",
    ]
  }
}

data "aws_iam_policy_document" "glue_perms" {
  statement {
    sid    = ""
    effect = "Allow"
    resources = [
      < arns >
    ]
    actions = [
      "glue:GetTableVersion",
      "glue:GetTableVersions",
      "glue:GetTable",
      "glue:GetTables",
      "glue:GetPartitions",
      "glue:GetCrawler",
      "glue:GetCrawlers",
      "glue:GetJob",
      "glue:GetJobs",
      "glue:GetJobRun",
      "glue:GetJobRuns",
      "glue:GetCrawlerMetrics",
      "glue:StartCrawler",
      "glue:StartJobRun",
      "glue:DeleteTable"
    ]
  }
}

data "aws_iam_policy_document" "ddb_perms" {
  statement {
    sid    = ""
    effect = "Allow"
    resources = [
      < arns >
    ]
    actions = [
      "dynamodb:PutItem",
      "dynamodb:UpdateItem",
      "dynamodb:BatchWriteItem",
      "dynamodb:DeleteItem",
      "dynamodb:Query",
      "dynamodb:UpdateTable",
      "dynamodb:GetItem",
    ]
  }
}

data "aws_iam_policy_document" "ssm_perms" {
  statement {
    sid    = ""
    effect = "Allow"
    resources = [
      "*"
    ]
    actions = [
      "ssm:GetParametersByPath",
      "ssm:GetParameters",
      "ssm:GetParameter"
    ]
  }
}

data "aws_iam_policy_document" "log_perms" {
  statement {
    sid    = ""
    effect = "Allow"
    resources = [
      "*"
    ]
    actions = [
      "cloudwatch:Put*",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
      "logs:CreateLogGroup",
    ]
  }
}

data "aws_iam_policy_document" "glue_crawler_perms" {
  statement {
    sid    = ""
    effect = "Allow"
    resources = [
      "arn:aws:glue:${var.region}:${var.deploy_account_id}:*"
    ]
    actions = [
      "glue:CreateDatabase",
      "glue:CreateTable",
      "glue:GetDatabase",
      "glue:GetTable",
      "glue:GetConnection",
      "glue:GetPartitions",
      "glue:UpdateTable"
    ]
  }
}

Tags: amazon-web-services terraform amazon-iam terraform-provider-aws aws-step-functions

2 answers

0 votes

I eventually found that it works if I apply the IAM role before applying the step function.


0 votes

Without going into detail, partly because I'm still trying to understand it, I think this problem is caused by this line:

resources = [ "*" ]
If you don't specify some region and account restriction, it will try to create managed rules for all of AWS - but you can't do that. AWS has created some policies for direct service integrations, which may be related to this:

https://docs.aws.amazon.com/step-functions/latest/dg/service-integration-iam-templates.html (the link is now included in the error message).
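As an added illustration (not code from the question or either answer), this is what the question's event_perms document looks like when it follows the shape of the linked AWS IAM templates: the three EventBridge actions Step Functions uses on the managed rule it creates for a .sync integration, scoped to that rule's ARN in the deploying region and account. The rule name is a placeholder; the exact name for each integration is listed on the linked templates page, and var.region / var.deploy_account_id are the variables already used in the question's glue_crawler_perms.

```hcl
# Added example, not part of the original question or answers.
# Scopes the EventBridge permissions for a Step Functions managed rule
# instead of granting "events:*" on "*".

locals {
  # Placeholder: take the exact managed rule name for your .sync
  # integration from the AWS service-integration IAM templates page.
  managed_rule_name = "StepFunctionsGetEventsFor<Integration>Rule"
}

# Broad form from the question, shown only for comparison.
data "aws_iam_policy_document" "event_perms_broad" {
  statement {
    sid       = "EBPermsBroad"
    effect    = "Allow"
    actions   = ["events:*"]
    resources = ["*"]
  }
}

# Scoped form: only the actions Step Functions needs to create, inspect
# and target the managed rule, limited to that rule's ARN.
data "aws_iam_policy_document" "event_perms_scoped" {
  statement {
    sid    = "EBPermsManagedRule"
    effect = "Allow"
    actions = [
      "events:PutTargets",
      "events:PutRule",
      "events:DescribeRule",
    ]
    resources = [
      "arn:aws:events:${var.region}:${var.deploy_account_id}:rule/${local.managed_rule_name}"
    ]
  }
}
```

A role's effective permissions are the intersection of its identity policies and its permissions boundary, so the boundary attached in the question's role module must allow these events actions as well. IAM Sid values may contain only letters and digits, which is why the example avoids the underscore used in "EB_perms".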
