#amazon-elastic-beanstalk #amazon-cloudformation #amazon-iam
Question:
When I try to create an Elastic Beanstalk application with CloudFormation, the resource creation fails:
Insufficient privileges for IAM PassRole Action. (Service: AWSElasticBeanstalk; Status Code: 403; Error Code: InsufficientPrivilegesException; Request ID: [...]; Proxy: null)
How can I fix this?
CloudFormation template:
```yaml
BeanStalkServiceRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: 2012-10-17
      Statement:
        - Action: sts:AssumeRole
          Effect: Allow
          Principal:
            Service: elasticbeanstalk.amazonaws.com
          Condition:
            StringEquals:
              'sts:ExternalId': elasticbeanstalk
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy
      - arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkEnhancedHealth
BeanStalkApplication:
  Type: AWS::ElasticBeanstalk::Application
  Properties:
    Description: Java Backend
    ResourceLifecycleConfig:
      ServiceRole: !Ref BeanStalkServiceRole
      VersionLifecycleConfig:
        MaxAgeRule:
          DeleteSourceFromS3: true
          Enabled: true
          MaxAgeInDays: 30
```
Answer #1:
The ServiceRole attribute must point to the role ARN, i.e. !GetAtt BeanStalkServiceRole.Arn instead of !Ref BeanStalkServiceRole:
```yaml
BeanStalkApplication:
  Type: AWS::ElasticBeanstalk::Application
  Properties:
    Description: Java Backend
    ResourceLifecycleConfig:
      ServiceRole: !GetAtt BeanStalkServiceRole.Arn
      VersionLifecycleConfig:
        MaxAgeRule:
          DeleteSourceFromS3: true
          Enabled: true
          MaxAgeInDays: 30
```
Thanks to https://github.com/hashicorp/terraform-provider-aws/issues/17576
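As an added example (not from the question or the answer), a small pre-deploy lint that catches exactly this mistake before the stack hits the 403: it walks a CloudFormation template in its parsed JSON form (where `!Ref X` is `{"Ref": "X"}` and `!GetAtt X.Arn` is `{"Fn::GetAtt": ["X", "Arn"]}`) and flags any Elastic Beanstalk ServiceRole that resolves to a role name instead of an ARN. The `check_service_roles` function and the two template dicts are constructed for this example.

```python
IAM_ROLE = "AWS::IAM::Role"
EB_APP = "AWS::ElasticBeanstalk::Application"


def check_service_roles(template: dict) -> list:
    """Return one finding per ServiceRole that will not resolve to an IAM role ARN.

    On an AWS::IAM::Role, Ref returns the role *name* while GetAtt ... Arn returns
    the ARN; Elastic Beanstalk needs the ARN to PassRole, otherwise the stack fails
    with InsufficientPrivilegesException as in the question.
    """
    resources = template.get("Resources", {})
    findings = []
    for name, res in resources.items():
        if res.get("Type") != EB_APP:
            continue
        role = res.get("Properties", {}).get("ResourceLifecycleConfig", {}).get("ServiceRole")
        if role is None:
            continue
        if isinstance(role, str):                      # hard-coded value
            if not role.startswith("arn:aws:iam::"):
                findings.append(f"{name}: ServiceRole {role!r} is not an IAM role ARN")
        elif "Ref" in role:                            # !Ref Target
            target = role["Ref"]
            if resources.get(target, {}).get("Type") == IAM_ROLE:
                findings.append(f"{name}: !Ref {target} yields the role name; use !GetAtt {target}.Arn")
            else:
                findings.append(f"{name}: ServiceRole references {target!r}, which is not an IAM role here")
        elif "Fn::GetAtt" in role:                     # !GetAtt Target.Attr
            target, attr = role["Fn::GetAtt"]
            if resources.get(target, {}).get("Type") != IAM_ROLE:
                findings.append(f"{name}: !GetAtt target {target!r} is not an AWS::IAM::Role")
            elif attr != "Arn":
                findings.append(f"{name}: !GetAtt {target}.{attr} is not the ARN; use {target}.Arn")
    return findings


# Constructed templates mirroring the question (broken) and the answer (fixed).
ROLE = {"Type": IAM_ROLE, "Properties": {}}
BROKEN = {"Resources": {"BeanStalkServiceRole": ROLE, "BeanStalkApplication": {
    "Type": EB_APP, "Properties": {"ResourceLifecycleConfig": {
        "ServiceRole": {"Ref": "BeanStalkServiceRole"}}}}}}
FIXED = {"Resources": {"BeanStalkServiceRole": ROLE, "BeanStalkApplication": {
    "Type": EB_APP, "Properties": {"ResourceLifecycleConfig": {
        "ServiceRole": {"Fn::GetAtt": ["BeanStalkServiceRole", "Arn"]}}}}}}

if __name__ == "__main__":
    print(check_service_roles(BROKEN))  # one finding pointing at !GetAtt BeanStalkServiceRole.Arn
    print(check_service_roles(FIXED))   # []
```

Running it against a real template means loading the YAML with a loader that understands the CloudFormation short tags (cfn-lint's own parser does) and passing the resulting dict in.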