I have a situation.
I have delegated administrator permissions for AWS Organizations to the AWS Backup account. This lets me create and modify AWS Backup policies, which is exactly what I need. However, I am running into a problem when I try to create the policies with Terraform from the AWS Backup account. I get the error message "AccessDeniedException: You don't have permissions to access this resource." I have granted the delegated administrator's root user and Terraform user access through the AWS Organizations policy in the AWS master account.
Do you have any ideas?
000000000000 -> AWS Backup account
111111111111 -> AWS master account
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOrganizationsRead",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::000000000000:user/Terraform",
          "arn:aws:iam::000000000000:root"
        ]
      },
      "Action": [
        "organizations:Describe*",
        "organizations:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowBackupPoliciesCreation",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::000000000000:user/Terraform",
          "arn:aws:iam::000000000000:root"
        ]
      },
      "Action": "organizations:CreatePolicy",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "organizations:PolicyType": "BACKUP_POLICY"
        }
      }
    },
    {
      "Sid": "AllowBackupPoliciesModification",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::000000000000:user/Terraform",
          "arn:aws:iam::000000000000:root"
        ]
      },
      "Action": [
        "organizations:DescribePolicy",
        "organizations:UpdatePolicy",
        "organizations:DeletePolicy"
      ],
      "Resource": "arn:aws:organizations::352286888395:policy/*/backup_policy/*",
      "Condition": {
        "StringEquals": {
          "organizations:PolicyType": "BACKUP_POLICY"
        }
      }
    },
    {
      "Sid": "AllowBackupPoliciesAttachmentAndDetachmentToAllAccountsAndOUs",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::000000000000:user/Terraform",
          "arn:aws:iam::000000000000:root"
        ]
      },
      "Action": [
        "organizations:AttachPolicy",
        "organizations:DetachPolicy"
      ],
      "Resource": [
        "arn:aws:organizations::111111111111:root/*",
        "arn:aws:organizations::111111111111:ou/*",
        "arn:aws:organizations::111111111111:account/*",
        "arn:aws:organizations::111111111111:policy/*/backup_policy/*"
      ],
      "Condition": {
        "StringEquals": {
          "organizations:PolicyType": "BACKUP_POLICY"
        }
      }
    }
  ]
}
Long story short: from the AWS console I can create the policies, but from Terraform I get this error.
Thank you.
The problem was due to the silly tag policy; these had not been added:
"organizations:TagResource",
"organizations:UntagResource"
It works like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOrganizationsRead",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::000000000000:root"
        ]
      },
      "Action": [
        "organizations:Describe*",
        "organizations:List*",
        "organizations:TagResource",
        "organizations:UntagResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowBackupPoliciesCreation",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::000000000000:root"
        ]
      },
      "Action": "organizations:CreatePolicy",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "organizations:PolicyType": "BACKUP_POLICY"
        }
      }
    },
    {
      "Sid": "AllowBackupPoliciesModification",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::000000000000:root"
        ]
      },
      "Action": [
        "organizations:DescribePolicy",
        "organizations:UpdatePolicy",
        "organizations:DeletePolicy"
      ],
      "Resource": "arn:aws:organizations::352286888395:policy/*/backup_policy/*",
      "Condition": {
        "StringEquals": {
          "organizations:PolicyType": "BACKUP_POLICY"
        }
      }
    },
    {
      "Sid": "AllowBackupPoliciesAttachmentAndDetachmentToAllAccountsAndOUs",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::000000000000:root"
        ]
      },
      "Action": [
        "organizations:AttachPolicy",
        "organizations:DetachPolicy"
      ],
      "Resource": [
        "arn:aws:organizations::111111111111:root/*",
        "arn:aws:organizations::111111111111:ou/*",
        "arn:aws:organizations::111111111111:account/*",
        "arn:aws:organizations::111111111111:policy/*/backup_policy/*"
      ],
      "Condition": {
        "StringEquals": {
          "organizations:PolicyType": "BACKUP_POLICY"
        }
      }
    }
  ]
}
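The AccessDeniedException in the question is the kind of failure that is cheaper to catch by auditing the delegation policy document before it is attached than by reading CloudTrail afterwards. The script below is an added example, not code from the post or from AWS: it parses the resource-based delegation policy, expands wildcard actions such as organizations:List*, and reports which of the actions a delegated administrator needs for Terraform-managed backup policies are not granted to a given principal. It also flags Resource ARNs scoped to an account other than the management account, since two statements in the post's policy use different account IDs. The required-action set is the one named on the page plus organizations:ListTagsForResource, which is an assumption on my part (the provider reads tags back); the sample policies, the account IDs 000000000000 and 111111111111 and the principal ARNs are constructed from the post, and Condition blocks (organizations:PolicyType) are deliberately not evaluated.

```python
"""Audit an AWS Organizations resource-based delegation policy for the actions a
delegated administrator needs to manage backup policies from Terraform."""
import fnmatch
import json
import re

# Actions named in the post plus ListTagsForResource (assumption: the provider
# reads tags back after create/update).
REQUIRED_ACTIONS = frozenset({
    "organizations:CreatePolicy", "organizations:DescribePolicy",
    "organizations:UpdatePolicy", "organizations:DeletePolicy",
    "organizations:AttachPolicy", "organizations:DetachPolicy",
    "organizations:TagResource", "organizations:UntagResource",
    "organizations:ListTagsForResource",
})
ORG_ARN_ACCOUNT = re.compile(r"^arn:aws:organizations::(\d{12}):")


def as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principals_of(stmt):
    principal = stmt.get("Principal", {})
    return ["*"] if principal == "*" else as_list(principal.get("AWS"))


def statement_allows(stmt, principal_arn, action):
    """True if an Allow statement names the principal (or "*") and one of its
    Action patterns (wildcards included) covers the action."""
    if stmt.get("Effect") != "Allow":
        return False
    principals = principals_of(stmt)
    if principal_arn not in principals and "*" not in principals:
        return False
    return any(fnmatch.fnmatchcase(action, pat) for pat in as_list(stmt.get("Action")))


def missing_actions(policy, principal_arn, required=REQUIRED_ACTIONS):
    """Required actions that no Allow statement grants to principal_arn.
    Condition blocks are not evaluated here."""
    stmts = as_list(policy.get("Statement"))
    return sorted(a for a in required
                  if not any(statement_allows(s, principal_arn, a) for s in stmts))


def foreign_account_resources(policy, management_account_id):
    """(Sid, ARN) pairs whose Resource is scoped to an account other than the
    management account; such ARNs never match the organization's own resources."""
    hits = []
    for stmt in as_list(policy.get("Statement")):
        for arn in as_list(stmt.get("Resource")):
            m = ORG_ARN_ACCOUNT.match(arn)
            if m and m.group(1) != management_account_id:
                hits.append((stmt.get("Sid"), arn))
    return hits


def audit(policy_text, principal_arn, management_account_id):
    """Parse the policy JSON and return findings; a syntax error (a comma missing
    from an Action list, say) is reported with its position instead of raised."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return {"syntax_error": f"line {exc.lineno} col {exc.colno}: {exc.msg}"}
    return {"missing_actions": missing_actions(policy, principal_arn),
            "foreign_resources": foreign_account_resources(policy, management_account_id)}


# Constructed sample: the post's policy before and after the fix, with the
# constructed IDs 000000000000 (delegated admin) and 111111111111 (management).
DELEGATED_ROOT = "arn:aws:iam::000000000000:root"
MANAGEMENT = "111111111111"


def stmt(sid, actions, resource="*"):
    return {"Sid": sid, "Effect": "Allow", "Principal": {"AWS": [DELEGATED_ROOT]},
            "Action": actions, "Resource": resource}


BEFORE = {"Version": "2012-10-17", "Statement": [
    stmt("AllowOrganizationsRead", ["organizations:Describe*", "organizations:List*"]),
    stmt("AllowBackupPoliciesCreation", "organizations:CreatePolicy"),
    stmt("AllowBackupPoliciesModification",
         ["organizations:DescribePolicy", "organizations:UpdatePolicy",
          "organizations:DeletePolicy"],
         f"arn:aws:organizations::{MANAGEMENT}:policy/*/backup_policy/*"),
    stmt("AllowBackupPoliciesAttachmentAndDetachmentToAllAccountsAndOUs",
         ["organizations:AttachPolicy", "organizations:DetachPolicy"],
         [f"arn:aws:organizations::{MANAGEMENT}:root/*",
          f"arn:aws:organizations::{MANAGEMENT}:ou/*",
          f"arn:aws:organizations::{MANAGEMENT}:account/*",
          f"arn:aws:organizations::{MANAGEMENT}:policy/*/backup_policy/*"]),
]}
AFTER = json.loads(json.dumps(BEFORE))  # deep copy, then add the two tag actions
AFTER["Statement"][0]["Action"] += ["organizations:TagResource", "organizations:UntagResource"]

if __name__ == "__main__":
    for name, policy in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(json.dumps(policy), DELEGATED_ROOT, MANAGEMENT))
```

Run against the "before" document it lists exactly organizations:TagResource and organizations:UntagResource as missing, which is the gap the post found; the "after" document comes back clean for the root principal. Note that the corrected policy only names the account root, so auditing it for arn:aws:iam::000000000000:user/Terraform reports every action missing: that is the check to run if Terraform is executed as that IAM user rather than through the root principal.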