I'm trying to create the following IAM role with a policy. The role is attached to a Lambda function.
resource "aws_lambda_function" "lambda" {
  function_name = "test"
  s3_bucket     = "${aws_s3_bucket.deployment_bucket.id}"
  s3_key        = "${var.deployment_key}"
  handler       = "${var.function_handler}"
  runtime       = "${var.lambda_runtimes[var.desired_runtime]}"
  role          = "${aws_iam_role.lambda_role.arn}"
}

resource "aws_iam_role" "lambda_role" {
  name = "test-role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

resource "aws_iam_role_policy" "lambda_policy" {
  name = "test-policy"
  role = "${aws_iam_role.lambda_role.id}"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "xray:PutTelemetryRecords",
        "xray:PutTraceSegments",
        "logs:CreateLogGroup",
        "logs:PutLogEvents"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}
I'm running terraform apply from an EC2 instance that has an IAM role attached. The IAM role has AdministratorAccess and can deploy VPCs and EC2 instances with Terraform without any problems. When I try to create the IAM role and policy above, it fails with an InvalidClientTokenId error:

aws_iam_role.lambda_role: Error creating IAM Role test-role: InvalidClientTokenId: The security token included in the request is invalid
I then generated a set of access key credentials and hard-coded them, but it still failed. Is there something special I need to do when creating an IAM role? Any other terraform apply command I run from this machine works fine, until I need to create an IAM role.
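The same role, trust policy and permissions policy as an added example (not the question's own code, and not an answer to the credential error), written in Terraform 0.12+ syntax with aws_iam_policy_document data sources instead of heredoc JSON. It assumes the question's variables and the aws_s3_bucket.deployment_bucket resource exist; var.region and the local function name are assumptions for this example. Two practitioner details are included that the question's policy lacks: logs:CreateLogStream, which Lambda needs alongside CreateLogGroup and PutLogEvents to write to CloudWatch Logs, and a logs resource scoped to the function's own log group instead of "*". The aws_caller_identity data source also calls sts:GetCallerIdentity during terraform plan, so a credential problem surfaces before any IAM resource is created.

```hcl
# Added example, not the question's code. Terraform 0.12+ syntax.
# Assumed: var.region, local.function_name; the other variables and
# aws_s3_bucket.deployment_bucket are taken from the question.

provider "aws" {
  region = var.region
}

# Resolves the credential chain at plan time (sts:GetCallerIdentity).
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  function_name = "test"
}

# Trust policy: only the Lambda service may assume this role.
data "aws_iam_policy_document" "lambda_assume" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "lambda_role" {
  name               = "test-role"
  assume_role_policy = data.aws_iam_policy_document.lambda_assume.json
}

# Permissions policy. CloudWatch Logs is scoped to this function's log group
# (CreateLogStream is required in addition to CreateLogGroup/PutLogEvents).
# The X-Ray write actions do not support resource-level restriction.
data "aws_iam_policy_document" "lambda_permissions" {
  statement {
    sid    = "Logs"
    effect = "Allow"
    actions = [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
    ]
    resources = [
      "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/${local.function_name}:*",
    ]
  }

  statement {
    sid    = "XRay"
    effect = "Allow"
    actions = [
      "xray:PutTelemetryRecords",
      "xray:PutTraceSegments",
    ]
    resources = ["*"]
  }
}

resource "aws_iam_role_policy" "lambda_policy" {
  name   = "test-policy"
  role   = aws_iam_role.lambda_role.id
  policy = data.aws_iam_policy_document.lambda_permissions.json
}

resource "aws_lambda_function" "lambda" {
  function_name = local.function_name
  s3_bucket     = aws_s3_bucket.deployment_bucket.id
  s3_key        = var.deployment_key
  handler       = var.function_handler
  runtime       = var.lambda_runtimes[var.desired_runtime]
  role          = aws_iam_role.lambda_role.arn

  # Ensure the permissions policy is attached before the function exists,
  # otherwise its first invocations may fail to write logs.
  depends_on = [aws_iam_role_policy.lambda_policy]
}
```

A first check when an InvalidClientTokenId shows up is to run `aws sts get-caller-identity` from the same shell and environment used for terraform apply: it prints the account and ARN of whatever credentials the credential chain resolves to. The AWS provider prefers static credentials, then AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY environment variables, then the shared credentials file, and only then the EC2 instance profile, so it is worth confirming that the identity printed is the instance role and not a leftover key from one of the earlier sources.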