亚马逊网络服务系统管理器GetParameters权限被隐式拒绝

Question

我正在尝试为eks设置eksctl，但是它抛出了"Error: unable to determine AMI to use: error getting AMI from SSM Parameter Store: AccessDeniedException: User: arn:aws:iam:::user/cnc is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-east-1::parameter/aws/service/eks/optimized-ami/1.18/amazon-linux-2/recommended/image_id".

我使用的IAM权限策略是

    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:DescribeParameters"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameters",
                "ssm:GetParametersByPath"
            ],
            "Resource": "arn:aws:ssm:::parameter/*"
        }
    ]

我还尝试使用策略模拟来检查权限，结果是“隐式拒绝(无匹配语句)”。

Answer 1

我也有同样的问题。我解决问题的方法是将区域添加到ssm资源中。还添加了一个ssm:GetParameter，如下所示：

"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Action":[
            "ssm:DescribeParameters"
        ],
        "Resource": "*"
    },
    {
        "Effect": "Allow",
        "Action":[
            "ssm:GetParameters",
            "ssm:GetParameter",
            "ssm:GetParametersByPath"
        ],
        "Resource": "arn:aws:ssm:ca-central-1::parameter/*"
    }
]

如果您注意到我已经添加了区域ca-central 1，那么您应该将其更改为您当前的区域。

Answer 2

我认为您可能还需要授权"ssm:GetParameter“操作。