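If I am creating a custom autoscaling policy and try to restrict the resource allocation to KJ only, creating the EMR autoscaling state fails, whereas if I specify "*" it works fine. What is missing in the policy code below?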
resource "aws_iam_policy" "aut_policy" {
  name        = "test_autoscale_policy"
  #path = "/"
  description = ""
  policy      = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "cloudwatch:DescribeAlarms",
        "elasticmapreduce:ListInstanceGroups",
        "elasticmapreduce:ModifyInstanceGroups"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticmapreduce:*:*:kj*",
        "arn:aws:ec2:*:*:kj*",
        "arn:aws:events:*:*:kj*",
        "arn:aws:dynamodb:*:*:table/kj*",
        "arn:aws:cloudwatch:*:*:kj*"
      ]
    }
  ]
}
EOF
}
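An added example, not part of the original post: a small Python check over the statement from the question, showing which `Resource` entries no listed action can ever use (their service field differs) and whether any entry matches an EMR cluster ARN. The sample ARN is constructed, the function names are hypothetical, and matching is a simplified per-field glob rather than IAM's own evaluator.

```python
import json
from fnmatch import fnmatchcase

# Statement copied from the question's aws_iam_policy heredoc.
STATEMENT = json.loads("""
{"Action": ["cloudwatch:DescribeAlarms",
            "elasticmapreduce:ListInstanceGroups",
            "elasticmapreduce:ModifyInstanceGroups"],
 "Effect": "Allow",
 "Resource": ["arn:aws:elasticmapreduce:*:*:kj*",
              "arn:aws:ec2:*:*:kj*",
              "arn:aws:events:*:*:kj*",
              "arn:aws:dynamodb:*:*:table/kj*",
              "arn:aws:cloudwatch:*:*:kj*"]}
""")

# Constructed sample: region, account id and cluster id are made up.
SAMPLE_CLUSTER_ARN = "arn:aws:elasticmapreduce:us-east-1:123456789012:cluster/j-EXAMPLE12345"


def as_list(value):
    return value if isinstance(value, list) else [value]


def arn_matches(pattern, arn):
    """Glob-match the six colon-separated ARN fields (simplified model of IAM matching)."""
    if pattern == "*":
        return True
    p, a = pattern.split(":", 5), arn.split(":", 5)
    return len(p) == len(a) == 6 and all(fnmatchcase(x, y) for x, y in zip(a, p))


def unusable_resources(stmt):
    """Resource patterns whose service field matches none of the statement's actions."""
    services = {action.split(":", 1)[0].lower() for action in as_list(stmt["Action"])}
    return [r for r in as_list(stmt["Resource"])
            if r != "*" and not any(fnmatchcase(s, r.split(":", 5)[2]) for s in services)]


def allows(stmt, action, arn):
    """True if this single Allow statement covers the action on the given ARN."""
    action_ok = any(fnmatchcase(action.lower(), a.lower()) for a in as_list(stmt["Action"]))
    resource_ok = any(arn_matches(r, arn) for r in as_list(stmt["Resource"]))
    return stmt["Effect"] == "Allow" and action_ok and resource_ok


if __name__ == "__main__":
    print("entries no listed action can use:", unusable_resources(STATEMENT))
    print("scoped:", allows(STATEMENT, "elasticmapreduce:ListInstanceGroups", SAMPLE_CLUSTER_ARN))
    print("star:  ", allows({**STATEMENT, "Resource": "*"},
                            "elasticmapreduce:ListInstanceGroups", SAMPLE_CLUSTER_ARN))
```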
How do you create an AutoScaling IAM role that restricts resources?
# Role assumed by the Application Auto Scaling service.
resource "aws_iam_role" "ecs_service_autoscaling_role" {
  name               = "autoscaling"
  assume_role_policy = data.aws_iam_policy_document.allow_autoscaling_service.json
}

# Trust policy: only application-autoscaling.amazonaws.com may assume the role.
data "aws_iam_policy_document" "allow_autoscaling_service" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["application-autoscaling.amazonaws.com"]
    }
  }
}

resource "aws_iam_role_policy" "autoscaling" {
  name   = "autoscaling"
  # Must reference the role declared above (ecs_service_autoscaling_role).
  role   = aws_iam_role.ecs_service_autoscaling_role.id
  policy = data.aws_iam_policy_document.autoscaling.json
}

# Permissions policy attached to the role.
data "aws_iam_policy_document" "autoscaling" {
  statement {
    effect = "Allow"
    actions = [
      "ecs:DescribeServices",
      "ecs:UpdateService",
      "cloudwatch:DescribeAlarms",
    ]
    resources = ["*"]
  }
}
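You can learn more about service auto scaling and its requirements here: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-auto-scaling.html
You can also use specific service-linked roles to control more precisely how you allow AWS services to access resources: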