I currently have an IAM role with the following policy attached:
```hcl
data "aws_iam_policy_document" "bucket_access" {
  # Object-level actions on the bucket's keys
  statement {
    actions = [
      "s3:AbortMultipartUpload",
      "s3:CreateMultipartUpload",
      "s3:GetBucketAcl",
      "s3:GetBucketLocation",
      "s3:GetObject",
      "s3:GetObjectAcl",
      "s3:ListBucketMultipartUploads",
      "s3:PutObject",
      "s3:PutObjectAcl",
    ]
    resources = [
      "arn:aws:s3:::bucket.domain.net/*",
    ]
  }

  # Bucket-level actions on the bucket itself
  statement {
    actions = [
      "s3:CreateMultipartUpload",
      "s3:GetBucketLocation",
      "s3:ListBucket",
      "s3:ListBucketMultipartUploads",
      "s3:ListMultipartUploadParts",
    ]
    resources = [
      "arn:aws:s3:::bucket.domain.net",
    ]
  }
}

resource "aws_iam_policy" "bucket_access" {
  description = "Allow instances to write and delete in S3 bucket."
  name_prefix = "bucket_access-"
  policy      = "${data.aws_iam_policy_document.bucket_access.json}"
}

resource "aws_iam_role_policy_attachment" "gitlab_runner_bucket_access" {
  role       = "${aws_iam_role.gitlab_runner.name}"
  policy_arn = "${aws_iam_policy.bucket_access.arn}"
}
```
Now I want a second policy that allows an IAM user to delete objects in a different bucket. I added the following to the same file:
```hcl
data "aws_iam_policy_document" "bucket_access_with_delete" {
  # Object-level actions on the bucket's keys, now including DeleteObject
  statement {
    actions = [
      "s3:AbortMultipartUpload",
      "s3:CreateMultipartUpload",
      "s3:GetBucketAcl",
      "s3:GetBucketLocation",
      "s3:GetObject",
      "s3:GetObjectAcl",
      "s3:ListBucketMultipartUploads",
      "s3:PutObject",
      "s3:PutObjectAcl",
      "s3:DeleteObject",
    ]
    resources = [
      "arn:aws:s3:::bucket2.domain.net/*",
    ]
  }

  # Bucket-level actions on the bucket itself
  statement {
    actions = [
      "s3:CreateMultipartUpload",
      "s3:GetBucketLocation",
      "s3:ListBucket",
      "s3:ListBucketMultipartUploads",
      "s3:ListMultipartUploadParts",
    ]
    resources = [
      "arn:aws:s3:::bucket2.domain.net",
    ]
  }
}

resource "aws_iam_policy" "bucket_access_with_delete" {
  description = "Allow instances to write and delete in S3 bucket."
  name_prefix = "bucket_access_with_delete-"
  policy      = "${data.aws_iam_policy_document.bucket_access_with_delete.json}"
}

resource "aws_iam_role_policy_attachment" "gitlab_runner_bucket_access_width_delete" {
  role       = "${aws_iam_role.gitlab_runner.name}"
  policy_arn = "${aws_iam_policy.bucket_access_with_delete.arn}"
}
```
It is essentially the same, but I made the following changes:

1) added the action "s3:DeleteObject"
2) changed the bucket to bucket2.domain.net
3) changed the names of the policy and the ARN to _with_delete

When the file only contains the first one, it works fine. When I add mine, it fails the automatic check and I really don't know why. Since it is remote, I don't have access to the actual debug output, but is this the correct way to add a second policy in Terraform?
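As an added example (not code from the question), the same two policies expressed once and driven by a map with `for_each`, so the only per-policy differences (bucket name and whether `s3:DeleteObject` is granted) live in one place and each description states what is actually granted. It assumes Terraform 0.12.6 or newer and an existing `aws_iam_role.gitlab_runner` as in the question.

```hcl
locals {
  # Constructed map: one entry per policy; "delete" toggles s3:DeleteObject.
  bucket_policies = {
    bucket_access             = { bucket = "bucket.domain.net", delete = false }
    bucket_access_with_delete = { bucket = "bucket2.domain.net", delete = true }
  }
}

data "aws_iam_policy_document" "bucket_access" {
  for_each = local.bucket_policies

  # Object-level actions; compact() drops the empty string when delete = false.
  statement {
    actions = compact([
      "s3:AbortMultipartUpload", "s3:CreateMultipartUpload",
      "s3:GetBucketAcl", "s3:GetBucketLocation",
      "s3:GetObject", "s3:GetObjectAcl", "s3:ListBucketMultipartUploads",
      "s3:PutObject", "s3:PutObjectAcl",
      each.value.delete ? "s3:DeleteObject" : "",
    ])
    resources = ["arn:aws:s3:::${each.value.bucket}/*"]
  }

  # Bucket-level actions, identical for both policies.
  statement {
    actions = [
      "s3:CreateMultipartUpload", "s3:GetBucketLocation", "s3:ListBucket",
      "s3:ListBucketMultipartUploads", "s3:ListMultipartUploadParts",
    ]
    resources = ["arn:aws:s3:::${each.value.bucket}"]
  }
}

resource "aws_iam_policy" "bucket_access" {
  for_each    = local.bucket_policies
  name_prefix = "${each.key}-"
  description = "Access to ${each.value.bucket} (delete allowed: ${each.value.delete})."
  policy      = data.aws_iam_policy_document.bucket_access[each.key].json
}

resource "aws_iam_role_policy_attachment" "gitlab_runner_bucket_access" {
  for_each   = local.bucket_policies
  role       = aws_iam_role.gitlab_runner.name
  policy_arn = aws_iam_policy.bucket_access[each.key].arn
}
```

Moving already-deployed resources to this form changes their addresses, so use `terraform state mv` (or a `moved` block on Terraform 1.1+) to avoid the policies being destroyed and recreated.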