Question
What's the limit for roles to a single instance? I see there's a limit of 20 policies per role and my policies are very granular.
Can I have multiple roles or multiple profiles attached to my one instance?
I believe the answer is no and that my present design is blocked by AWS for a very good reason which means I need to rethink the policies. I'm using terraform modules and a policy per module seemed like a good separation of concerns but AWS seems to disagree.
Answer 1:
According to the Terraform docs, an instance can have 1 profile linking 1 role to the instance (up to 20 policies -> 1 role -> 1 profile -> many instances). So, if there are too many policies, you can follow one of these paths:
- split the responsibilities across different groups of instances with a different role assigned to each group. This will allow 20 policies attached to group A's instance role and 20 other policies attached to group B's instance role.
- consolidate the many smaller policies into fewer larger policies, which are then attached to a role that becomes the instance role via a profile.
roles - (Deprecated) A list of role names to include in the profile. The current default is 1. If you see an error message similar to Cannot exceed quota for InstanceSessionsPerInstanceProfile: 1, then you must contact AWS support and ask for a limit increase. WARNING: This is deprecated since version 0.9.3 (April 12, 2017), as >= 2 roles are not possible. See issue #11575.
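The consolidation path above (fewer, larger managed policies on the single instance role) is easy to get wrong by hand: merging documents invites duplicate statements, and a merged document can silently exceed the managed policy size limit. The following script, added here as an illustration and not part of the original answer or of Terraform, takes a list of granular per-module policy documents, deduplicates their statements, and packs them first-fit into as few managed-policy documents as fit under the size limit, without widening any statement's Action or Resource (so least privilege is preserved). The 20-policies-per-role figure is the one quoted in the question; the 6144-character size limit is AWS's documented managed policy limit, counted excluding whitespace. The sample policies are constructed inline for demonstration.

```python
import json

# Quota figures: the per-role managed policy count is the number quoted in the
# question above; the 6144-character size limit (excluding whitespace) is
# AWS's documented limit for a managed policy document.
MAX_POLICIES_PER_ROLE = 20
MAX_POLICY_CHARS = 6144
POLICY_VERSION = "2012-10-17"


def policy_size(doc):
    """Approximate AWS's count: JSON characters with all inter-token whitespace removed."""
    return len(json.dumps(doc, separators=(",", ":")))


def merge_statements(docs):
    """Flatten the statements of many granular documents into one list, dropping exact duplicates."""
    seen = set()
    merged = []
    for doc in docs:
        stmts = doc["Statement"]
        if isinstance(stmts, dict):  # a Statement may be a single object rather than a list
            stmts = [stmts]
        for stmt in stmts:
            key = json.dumps(stmt, sort_keys=True)
            if key not in seen:
                seen.add(key)
                merged.append(stmt)
    return merged


def consolidate(docs, max_chars=MAX_POLICY_CHARS):
    """Pack deduplicated statements into as few policy documents as fit under max_chars (first-fit).

    Statements are kept exactly as written; only their grouping changes.
    """
    policies = []
    current = []
    for stmt in merge_statements(docs):
        if policy_size({"Version": POLICY_VERSION, "Statement": [stmt]}) > max_chars:
            raise ValueError("a single statement exceeds the managed policy size limit")
        candidate = {"Version": POLICY_VERSION, "Statement": current + [stmt]}
        if current and policy_size(candidate) > max_chars:
            policies.append({"Version": POLICY_VERSION, "Statement": current})
            current = [stmt]
        else:
            current.append(stmt)
    if current:
        policies.append({"Version": POLICY_VERSION, "Statement": current})
    return policies


def fits_one_role(policies, max_policies=MAX_POLICIES_PER_ROLE):
    """True if this many managed policies can be attached to a single role."""
    return len(policies) <= max_policies


def build_sample_policies(n=25):
    """Constructed sample: n granular per-module policies plus one exact duplicate.

    Bucket names are placeholders, not real resources.
    """
    docs = []
    for i in range(n):
        docs.append({
            "Version": POLICY_VERSION,
            "Statement": [{
                "Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::example-module-{i}/*",
            }],
        })
    docs.append(json.loads(json.dumps(docs[0])))  # duplicate from a second module instance
    return docs


if __name__ == "__main__":
    granular = build_sample_policies()
    print(f"{len(granular)} granular policies, fits one role: {fits_one_role(granular)}")
    merged = consolidate(granular)
    for i, p in enumerate(merged):
        print(f"policy {i}: {len(p['Statement'])} statements, {policy_size(p)} chars")
    print(f"consolidated into {len(merged)}, fits one role: {fits_one_role(merged)}")
```

Running the script shows the 26 granular documents (one a duplicate) exceeding the per-role count, and the same permissions consolidated into a single document well under the size limit, ready to be fed to one aws_iam_policy resource attached to the instance role. Lowering max_chars splits the output into several documents while keeping every statement unchanged.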
Source: https://stackoverflow.com/questions/54184769/attach-multiple-roles-or-profiles-to-an-instance