时间戳

首页 > 解决方案 > terraform中的aws iam角色ID与角色名称,何时使用哪个?

terraform - terraform中的aws iam角色ID与角色名称,何时使用哪个?

问题描述

在 terraform 的官方网站上,他们有一个这样的例子(https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy):

resource "aws_iam_role_policy" "test_policy" {
  name = "test_policy"
  role = aws_iam_role.test_role.id

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "ec2:Describe*",
        ]
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}

resource "aws_iam_role" "test_role" {
  name = "test_role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Sid    = ""
        Principal = {
          Service = "ec2.amazonaws.com"
        }
      },
    ]
  })
}

他们通过在策略中设置角色 ID 将策略附加到角色,即:

role = aws_iam_role.test_role.id

但是在我们的一个团队项目中以这种方式设置它对我不起作用,我不断收到错误(请参阅此处的详细信息Task role defined by Terraform not working correct for ECS scheduled task)。最终,我意识到我必须在我的策略中使用这样的角色名称来设置它:

role = aws_iam_role.my_role.name

但我确实在我们的其他团队项目中看到了我的同事使用角色 ID 的实例。我想知道在 terraform 的上下文中 id 和 name 之间有什么区别以及何时使用哪个。

标签: terraformamazon-iam

解决方案

正如已经指出的,和之间没有区别。您可以通过简单地输出您的角色来检查它:idname

output "test" {
  value = aws_iam_role.test_role
}

这表明两者idname都设置为test_role

test = {
  "arn" = "arn:aws:iam::xxxxxx:role/test_role"
  "assume_role_policy" = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"ec2.amazonaws.com\"},\"Action\":\"sts:AssumeRole\"}]}"
  "create_date" = "2021-02-14T01:25:48Z"
  "description" = ""
  "force_detach_policies" = false
  "id" = "test_role"
  "max_session_duration" = 3600
  "name" = "test_role"
  "name_prefix" = tostring(null)
  "path" = "/"
  "permissions_boundary" = tostring(null)
  "tags" = tomap({})
  "unique_id" = "AROASZHPM3IXXHCEBQ6OD"
}

推荐阅读