错误：无法假定角色“ arn：aws：iam :: << my_AWS_account_number >>：role / sudip_terraform_ec2_role”

如何解决错误：无法假定角色“ arn：aws：iam :: << my_AWS_account_number >>：role / sudip_terraform_ec2_role”

//我在客户端环境中遇到的错误

    Error: error configuring terraform AWS Provider: IAM Role (arn:aws:iam::<<my_AWS_account_number>>:role/sudip_terraform_ec2_role) cannot be assumed.

There are a number of possible causes of this - the most common are:
  * The credentials used in order to assume the role are invalid
  * The credentials do not have appropriate permission to assume the role
  * The role ARN is not valid

Error: NoCredentialProviders: no valid providers in chain. Deprecated.
        For verbose messaging see aws.Config.CredentialsChainVerboseErrors
    
// "terraform init" and "terraform validate" works fine. After that,"terraform plan" gives the above error

//参考文献

https://github.com/terraform-providers/terraform-provider-aws/issues/8052

https://github.com/terraform-providers/terraform-provider-aws/issues/9869

https://github.com/hashicorp/terraform/issues/11270

https://github.com/terraform-providers/terraform-provider-aws/issues/12727

https://www.reddit.com/r/terraform/comments/drtt5y/having_trouble_with_aws_assume_role/

https://stackoverflow.com/questions/58589585/terraform-issue-with-assume-role

https://stackoverflow.com/questions/45559078/terraform-using-iam-role-assume

https://stackoverflow.com/questions/59704676/terraform-aws-assume-role

// create_ec2.tf（使用角色'sudip_terraform_ec2_role'）

provider "aws" {
  version     = "3.5.0"
  region      = "eu-west-1"    
  access_key  = "<<access_key_of_IAM_USER 'sudip_terraform'>>"
  secret_key  = "<<secret_key_of_IAM_USER 'sudip_terraform'>>"
  profile     = "sudip_terraform"
  alias       = "terraform"
  endpoints {
    sts = "https://sts.amazonaws.com"
  }
  assume_role {
    role_arn     = "arn:aws:iam::<<my_AWS_account_number>>:role/sudip_terraform_ec2_role"
    session_name = "sts:RoleSessionName"
  }
}

# chosen from the RESOURCE section in terraform 'Provider' section
resource "aws_instance" "sudip_terraform_ec2" {
  provider      = "aws.terraform"
  ami           = "ami-07d9160fa81ccffb5"
  instance_type = "t2.micro"
}

// create_ec2.tf（使用角色'sudip_terraform_ec2_role2'）

provider "aws" {
  version     = "3.5.0"
  region      = "eu-west-1"    
  access_key  = "<<access_key_of_IAM_USER 'sudip_terraform'>>"
  secret_key  = "<<secret_key_of_IAM_USER 'sudip_terraform'>>"
  profile     = "sudip_terraform"
  alias       = "terraform"
  endpoints {
    sts = "https://sts.amazonaws.com"
  }
  assume_role {
    role_arn     = "arn:aws:iam::<<my_AWS_account_number>>:role/sudip_terraform_ec2_role2"
    session_name = "sts:RoleSessionName"
  }
}

# chosen from the RESOURCE section in terraform 'Provider' section
resource "aws_instance" "sudip_terraform_ec2" {
  provider      = "aws.terraform"
  ami           = "ami-07d9160fa81ccffb5"
  instance_type = "t2.micro"
}

//不在'create_ec2.tf'中写了-这是必需的吗？我只需要创建1个EC2 instance_type

terraform {
  required_providers {
    aws = {
      source      = "hashicorp/aws"
      version     = "3.5.0"
      region      = "eu-west-1"
      access_key  = "<<access_key_of_IAM_USER 'sudip_terraform'>>"
      secret_key  = "<<secret_key_of_IAM_USER 'sudip_terraform'>>"
    }
  }
}

// sudip_terraform_ec2_role（具有“ EC2Fullaccess”和“ IAMFullaccess”权限）

{
  "Version": "2012-10-17","Statement": [
    {
      "Sid": "AssumeRole","Effect": "Allow","Principal": {
        "AWS": "arn:aws:iam::<<my_AWS_account_number>>:user/sudip_terraform"
      },"Action": "sts:AssumeRole","Condition": {}
    }
  ]
}

// sudip_terraform_ec2_role2（具有“ EC2Fullaccess”和“ IAMFullaccess”权限）

{
  "Version": "2012-10-17","Statement": [
    {
      "Effect": "Allow","Principal": {
        "AWS": "arn:aws:iam::<<my_AWS_account_number>>:root"
      },"Condition": {}
    }
  ]
}

///在ROLE'sudip_terraform_ec2_role'中，我添加了以下内联策略：

{
    "Version": "2012-10-17","Statement": [
        {
            "Effect": "Allow","Resource": "arn:aws:iam::<<my_AWS_account_no>>:role/sudip_terraform_ec2_role"
        }
    ]
}

///在ROLE'sudip_terraform_ec2_role2'中，我添加了以下内联策略：

{
    "Version": "2012-10-17","Resource": "arn:aws:iam::<<my_AWS_account_no>>:role/sudip_terraform_ec2_role2"
        }
    ]
}

// .aws / config

[default]
region = eu-west-1
output = json

[profile sudip_terraform]
source_profile = default
region = eu-west-1
output = json

// .aws /凭据

[default]
aws_access_key_id = <<access_key_of_IAM_USER 'sudip_terraform'>>
aws_secret_access_key = <<secret_key_of_IAM_USER 'sudip_terraform'>>

[sudip_terraform]
source_profile = default
role_arn = arn:aws:iam::<<my_AWS_account_number>>:role/sudip_terraform_ec2_role2
aws_access_key_id = <<access_key_of_IAM_USER 'sudip_terraform'>>
aws_secret_access_key = <<secret_key_of_IAM_USER 'sudip_terraform'>>

//命令

setx AWS_SHARED_CREDENTIALS_FILE ~/.aws/credentials

setx AWS_CONfig_FILE ~/.aws/config

setx AWS_SDK_LOAD_CONfig "true"

aws configure list --profile sudip_terraform

aws sts assume-role --role-arn "arn:aws:iam::<<my_account_no>>:role/sudip_terraform_ec2_role" --role-session-name AWSCLI-Session

aws --profile sudip_terraform sts get-caller-identity

aws iam list-users --profile sudip_terraform

//代理命令（也可以在没有代理的情况下尝试使用）

setx no_proxy .sts.amazonaws.com

set http_proxy = http://<<client_userid>>:<<client_password>>@fr0-proxylan-vip.eu.<<client_name>>.corp:3128

set https_proxy = http://<<client_userid>>:<<client_password>>@fr0-proxylan-vip.eu.<<client_name>>.corp:3128

unset http_proxy https_proxy

版权声明：本文内容由互联网用户自发贡献，该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务，不拥有所有权，不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容， 请发送邮件至 dio@foxmail.com 举报，一经查实，本站将立刻删除。