Access Analyzer Service链接角色不在组织管理帐户中
Access Analyzer Service链接角色不在组织管理帐户中
提问于 2022-05-19 09:41:17
我试图通过安全帐户中的默认管理(全部是terraform)在组织级别启用IAM访问分析器。
在组织帐户的根目录中,我有:
"access-analyzer.amazonaws.com"
- 更新了aws_service_access_principals
resource "aws_organizations_organization" "org" {
feature_set = "ALL"
aws_service_access_principals = [
...
"access-analyzer.amazonaws.com"
]
enabled_policy_types = [
"SERVICE_CONTROL_POLICY"
]
}- 创建了一个
aws_organizations_delegated_administrator_for、安全帐户和aws_organizations_delegated_administrator
resource "aws_organizations_delegated_administrator" "example" {
account_id = var.security_account
service_principal = "access-analyzer.amazonaws.com"
}在安全帐户中,我启用了access-analyzer,并将type设置为organization
resource "aws_accessanalyzer_analyzer" "accessanalyzer" {
analyzer_name = "test"
type = "ORGANIZATION"
}当它运行时,我会得到错误:
Error: error creating Access Analyzer Analyzer (openc): ConflictException: Access Analyzer Service Linked Role is not in the organizational management account
│ {
│ RespMetadata: {
│ StatusCode: 409,
│ RequestID: "1c597ce0-4c59-4115-89aa-437cdc8156d5"
│ },
│ Message_: "Access Analyzer Service Linked Role is not in the organizational management account"
│ }
│
│ with aws_accessanalyzer_analyzer.accessanalyzer,
│ on access-analyzer.tf line 1, in resource "aws_accessanalyzer_analyzer" "accessanalyzer":
│ 1: resource "aws_accessanalyzer_analyzer" "accessanalyzer" {
│
╵你知道这是怎么回事吗?我想委托管理员来解决这个问题?
回答 1
Stack Overflow用户
发布于 2022-05-31 13:29:46
您缺少并需要在主“组织”帐户上创建"AWSServiceRoleForAccessAnalyzer“角色,最简单的方法是在主帐户上创建一个分析器,然后该角色将自动创建
https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html
然后尝试应用你的Terraform代码。
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/72302212
复制相关文章
相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号