问题描述
当我尝试使用 CloudFormation 创建弹性 beanstalk 应用程序时,资源创建失败:
Insufficient privileges for IAM PassRole Action. (Service: AWSElasticBeanstalk; Status Code: 403; Error Code: InsufficientPrivilegesException; Request ID: [...]; Proxy: null)
我该如何解决这个问题?
CloudFormation 模板:
BeanStalkServiceRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: elasticbeanstalk.amazonaws.com
Condition:
StringEquals:
'sts:ExternalId': elasticbeanstalk
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy
- arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkEnhancedHealth
BeanStalkApplication:
Type: AWS::ElasticBeanstalk::Application
Properties:
Description: Java Backend
ResourceLifecycleConfig:
ServiceRole: !Ref BeanStalkServiceRole
VersionLifecycleConfig:
MaxAgeRule:
DeleteSourceFromS3: true
Enabled: true
MaxAgeInDays: 30
解决方法
ServiceRole 属性必须指向角色 ARN,即 !GetAtt BeanStalkServiceRole.Arn 而不是 !Ref BeanStalkServiceRole:
BeanStalkApplication:
Type: AWS::ElasticBeanstalk::Application
Properties:
Description: Java Backend
ResourceLifecycleConfig:
ServiceRole: !GetAtt BeanStalkServiceRole.Arn
VersionLifecycleConfig:
MaxAgeRule:
DeleteSourceFromS3: true
Enabled: true
MaxAgeInDays: 30
感谢https://github.com/hashicorp/terraform-provider-aws/issues/17576