
AWSUtility::CloudFormation::CommandRunner fails with "You do not have permissions to make the TerminateInstances API call"

Stack Overflow user
Asked on 2021-11-30 23:50:59
Answers 1  Views 313  Followers 0  Votes 1

I am trying to run a CloudFormation stack using AWSUtility::CloudFormation::CommandRunner, but it fails with

"You do not have permissions to make the TerminateInstances API call"

Is there a workaround? Has anyone succeeded with this component?

My CF:

IopsCalculator:
  Type: AWSUtility::CloudFormation::CommandRunner
  Properties:
    Command:
      Fn::Sub: 'expr 100 \* 20 > /command-output.txt'   

I found this component on the following site:

and followed the steps listed there:

git clone https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-awsutilities-commandrunner.git
cd aws-cloudformation-resource-providers-awsutilities-commandrunner
curl -LO https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-awsutilities-commandrunner/releases/latest/download/awsutility-cloudformation-commandrunner.zip
./scripts/register.sh --set-default

My installation appeared to succeed:

Creating Execution Role...
Waiting for execution role stack to complete...
Waiting for execution role stack to complete...
Creating Execution Role complete.
Creating temporary S3 Bucket 0e5f0a98e79a4f6485ae30924a6b287e...
Creating temporary S3 Bucket 0e5f0a98e79a4f6485ae30924a6b287e complete.
Configuring S3 Bucket Policy for temporary S3 Bucket 0e5f0a98e79a4f6485ae30924a6b287e...
Configuring S3 Bucket Policy for temporary S3 Bucket 0e5f0a98e79a4f6485ae30924a6b287e complete.
Copying Schema Handler Package to temporary S3 Bucket 0e5f0a98e79a4f6485ae30924a6b287e...
Copying Schema Handler Package to temporary S3 Bucket 0e5f0a98e79a4f6485ae30924a6b287e complete.
Registering AWSUtility::CloudFormation::CommandRunner to AWS CloudFormation...
RegistrationToken: 13e7ec35-ea97-42d4-b0e4-b83f3f3d4da2
Waiting for registration to complete...
Waiting for registration to complete...
Waiting for registration to complete...
Waiting for registration to complete...
Waiting for registration to complete...
Registering AWSUtility::CloudFormation::CommandRunner to AWS CloudFormation complete.
Setting current version as default...
Setting current version as default complete. (Current Version is 00000007)
Cleaning up temporary S3 Bucket...
Deleting SchemaHandlerPackage from temporary S3 Bucket 0e5f0a98e79a4f6485ae30924a6b287e...
Deleting SchemaHandlerPackage from temporary S3 Bucket 0e5f0a98e79a4f6485ae30924a6b287e complete.
Cleaning up temporary S3 Bucket complete.

AWSUtility::CloudFormation::CommandRunner is ready to use.

1 Answer

Stack Overflow user

Accepted answer

Posted on 2021-12-05 21:05:14

The first problem is that the code at https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-awsutilities-commandrunner.git does not work. The repository has been abandoned.

The maslick repository listed in the attached shell script works, provided you pull the correct branch (also in that shell script). You also need the correct role, which is also in this post.

Shell script to install CommandRunner using CloudShell:

############################################################################
# This script Configures Cloudshell and Builds and Deploys CommandRunner
# This script should work on a Linux Box
# Cloudshell resets when you change Roles
# Cloudshell invokes AWS Client using the current Portal Role.
# You must be in the correct Role before attempting to deploy.
# Use the IAMManagement role deployed by IAMManagement.yaml
# if you do not specify a Subnet you must have a Default VPC
# The subnet must be in an AZ that can support t3.micro
#############################################################################

#install java
sudo yum install java-1.8.0-openjdk-devel.x86_64 -y
java -version


#Following are the set of commands that need to be executed sequentially to install maven.
sudo wget http://repos.fedorapeople.org/repos/dchen/apache-maven/epel-apache-maven.repo -O /etc/yum.repos.d/epel-apache-maven.repo
sudo sed -i s/\$releasever/6/g /etc/yum.repos.d/epel-apache-maven.repo
sudo yum install -y apache-maven
mvn -v


#Install Git
# --> GIT is already present in cloudshell
#sudo yum install git
#git version


# Install Python(LINUX box)
# https://tecadmin.net/install-python-3-8-amazon-linux/#:~:text=Installing%20Python%20on%20Amazon%20Linux%201%20Step%201,Environment%20on%20Ubuntu%2018.04%20%26%2016.04.%20See%20More.
cd /
sudo yum install gcc openssl-devel bzip2-devel libffi-devel  zlib-devel -y
cd /opt
sudo wget https://www.python.org/ftp/python/3.8.12/Python-3.8.12.tgz
sudo tar xzf Python-3.8.12.tgz
cd Python-3.8.12
sudo ./configure --enable-optimizations
# altinstall puts the interpreter at /usr/local/bin/python3.8 without replacing the system python3
sudo make altinstall
sudo rm -f /opt/Python-3.8.12.tgz
python3.8 --version
python3 --version #(should be 3.8)


# Make Python3.8 default
# https://tech.serhatteker.com/post/2019-12/upgrade-python38-on-ubuntu/
whereis python3.8
sudo update-alternatives --install /usr/bin/python3 python3 /usr/local/bin/python3.8 1
sudo update-alternatives --set python3 /usr/local/bin/python3.8
python3 --version #(should be 3.8)


#Install cfn
pip3 install cloudformation-cli cloudformation-cli-java-plugin cloudformation-cli-go-plugin cloudformation-cli-python-plugin cloudformation-cli-typescript-plugin


#Install AWS CLI 2
# --> AWS CLI is already present in cloudshell
#curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
#unzip awscliv2.zip
#sudo yum install awscli -y
#aws --version
# AWS CLI is already using current role in cloudshell
#aws configure


#get the source
#maslick has the working version.
#the git referred to in AWS docs is unmaintained and does not work.
cd ~
git clone https://github.com/maslick/aws-cloudformation-resource-providers-awsutilities-commandrunner.git
cd ~/aws-cloudformation-resource-providers-awsutilities-commandrunner
git checkout fix-null-sg


#build it
# point "python" at the interpreter installed by "make altinstall" above
alias python="/usr/local/bin/python3.8"
clear
cd ~/aws-cloudformation-resource-providers-awsutilities-commandrunner
./scripts/build.sh

It also includes a YAML that provides an assumable role for running CloudShell (I pulled it from another project; it is handy if you need to install and manage things).

AWSTemplateFormatVersion: "2010-09-09"
Metadata:
  Generator: "former2"
Description: "Provides permissions for managing Roles and Policies. Required by IAMTouchworks.yaml. Disable these roles by re-deploying and setting allowIAMAssumption=No"

Parameters:
  environment:
    Description: "Environment Name"
    Type: String
    Default: "Sandbox-1"

  environmentShort:
    Description: "Environment Name (Short)"
    Type: String
    Default:  "S1"

  allowIAMAssumption:
    Description: "Allow IAM Assumption Policy"
    Type: String
    Default:  "No"
    AllowedValues: 
      - "No"
      - "YES"
    ConstraintDescription: "Yes or No"


Conditions:
  IAMAssumptionCondition:  !Equals 
    - !Ref allowIAMAssumption
    - "YES"

Resources:

  IAMManagementPolicy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: IAMManagement
      Path: "/"
      PolicyDocument: |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "cloudformation:*",
                "cloudshell:*",
                "s3:*",
                "sns:*",
                "kms:*"
              ],
              "Resource": "*"
            },
            {
              "Effect": "Allow",
              "Action": [
                "ec2:DescribeAccountAttributes",
                "sts:GetCallerIdentity",
                "access-analyzer:ListPolicyGenerations"
              ],
              "Resource": "*"
            },
            {
              "Effect": "Allow",
              "Action": [
                "iam:List*",
                "iam:Get*",
                "iam:Update*",
                "iam:Delete*"
              ],
              "Resource": "*"
            },
            {
              "Effect": "Allow",
              "Action": [
                "iam:AddRoleToInstanceProfile",
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:GetInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:DeleteRolePolicy",
                "iam:ListPolicies",
                "iam:ListRoles",
                "iam:ListUserPolicies",
                "iam:CreateAccessKey",
                "iam:UpdateAccessKey",
                "iam:TagUser",
                "iam:PutUserPolicy",
                "iam:ListEntitiesForPolicy",
                "iam:DeleteAccessKey",
                "iam:ListAccessKeys",
                "iam:ListAttachedUserPolicies",
                "iam:ListSigningCertificates",
                "iam:ListSSHPublicKeys",
                "iam:ListServiceSpecificCredentials",
                "iam:DeleteUserPolicy",
                "iam:GenerateServiceLastAccessedDetails"
              ],
              "Resource": "*"
            },
            {
              "Effect": "Allow",
              "Action": [
                "iam:AddUserToGroup",
                "iam:AttachRolePolicy",
                "iam:AttachUserPolicy",
                "iam:CreateGroup",
                "iam:CreateRole",
                "iam:CreatePolicy",
                "iam:CreatePolicyVersion",
                "iam:CreateUser",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy",
                "iam:DetachUserPolicy",
                "iam:DeleteGroup",
                "iam:DeleteGroupPolicy",
                "iam:DeleteUser",
                "iam:GetGroup",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:GetPolicy",
                "iam:GetUser",
                "iam:DeletePolicy",
                "iam:GetPolicyVersion",
                "iam:ListAttachedRolePolicies",
                "iam:ListInstanceProfilesForRole",
                "iam:ListRolePolicies",
                "iam:ListPolicyVersions",
                "iam:ListGroups",
                "iam:ListUsers",
                "iam:DeletePolicyVersion",
                "iam:PassRole",
                "iam:PutRolePolicy",
                "iam:PutGroupPolicy",
                "iam:RemoveUserFromGroup",
                "iam:TagRole"
              ],
              "Resource": "*"
            }
          ]
        }
  
  IAMManagementRole:
    Type: "AWS::IAM::Role"
    Properties:
      Path: "/"
      RoleName: "IAMManagement"
      AssumeRolePolicyDocument:
        Fn::If:
          - IAMAssumptionCondition
          - Fn::Sub: |
              {
                "Version": "2012-10-17",
                "Statement": [
                  {
                    "Effect": "Allow",
                    "Principal": {
                      "AWS": ["arn:aws:iam::${AWS::AccountId}:role/CSS-Customer-Admin"]
                    },
                    "Action": "sts:AssumeRole"
                  }
                ]
              }
          - Fn::Sub: |
              {
                "Version": "2012-10-17",
                "Statement": [
                  {
                    "Effect": "Deny",
                    "Principal": {
                      "AWS": ["*"]
                    },
                    "Action": "sts:AssumeRole"
                  }
                ]
              }

      MaxSessionDuration: 3600
      ManagedPolicyArns:
        - !Ref IAMManagementPolicy
      Tags:
        - Key: "Environment"
          Value: 
            Ref: environment
        - Key: "Environment-Short"
          Value: 
            Ref: environmentShort
        - Key: "Purpose"
          Value: "Role"
        - Key: "Application"
          Value: "Infrastructure"
        - Key: "Description"
          Value: "Allows IAM Role-Policy Management"

A simple test CF to verify that CommandRunner can use AWS.

#!!! THE RELEASE DOES NOT WORK !!!!
#To actually get this to work, you have to follow these instructions to build the tool yourself.
#https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-awsutilities-commandrunner/issues/24
#https://github.com/maslick/aws-cloudformation-resource-providers-awsutilities-commandrunner/tree/fix-null-sg

#CommandRunner Documentation
#https://aws.amazon.com/premiumsupport/knowledge-center/cloudformation-commandrunner-stack/
#https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-awsutilities-commandrunner#prerequisites


# This script Assumes Default VPC Exists

AWSTemplateFormatVersion: 2010-09-09
Description: AWS CLI version


Resources:
  LogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub "/command-runner/${AWS::StackName}/"
      RetentionInDays: 14

  Role:
    Type: AWS::IAM::Role
    Properties:
      Description: "Role assumed by Command Runner"
      MaxSessionDuration: 14400
      Path: "/"
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy
        - arn:aws:iam::aws:policy/AmazonS3FullAccess

  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      Roles:
        - !Ref Role
  CommandRunner:
    Type: AWSUtility::CloudFormation::CommandRunner
    Properties:
      LogGroup: !Ref LogGroup
      Role: !Ref InstanceProfile
      #SubnetId: YOUR_SUBNET_ID
      Command: |
        aws s3 ls | sed -n 1p | cut -d " " -f3 \
          > /command-output.txt

      # aws --version 2>&1 \
      #   | tail -1 \
      #   | head -n 1 \
      #   > /command-output.txt

      # aws s3 ls | sed -n 1p | cut -d " " -f3  > /command-output.txt

Outputs:
  CommandRunnerOutput:
    Description: CommandRunnerOutput
    Value: !GetAtt CommandRunner.Output
Votes 1
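As an added example (not code from the answer or from the CommandRunner project), a short least-privilege lint in Python over a constructed, abbreviated copy of the IAMManagement policy above: it flags the service-wide wildcards and IAM escalation-capable actions that policy grants on Resource "*", and contrasts them with the minimal S3 grant the test template's bare `aws s3 ls` actually needs instead of AmazonS3FullAccess. The ESCALATION_ACTIONS list and both policy literals are this example's own constructions.

```python
import fnmatch

# Actions that let a principal widen its own access (this example's own list).
ESCALATION_ACTIONS = [
    "iam:PassRole", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:AttachRolePolicy", "iam:PutRolePolicy", "iam:AttachUserPolicy",
    "iam:PutUserPolicy", "iam:CreateAccessKey", "iam:UpdateAssumeRolePolicy",
]

def _as_list(v):
    return v if isinstance(v, list) else [v]

def lint_policy(doc: dict) -> list[str]:
    """One finding per risky Allow statement: service-wide wildcards, action
    patterns that cover an escalation action, and either one on Resource '*'."""
    findings = []
    for i, st in enumerate(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        risky = set()
        for action in _as_list(st.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                risky.add(action)
                findings.append(f"stmt {i}: service-wide wildcard {action}")
            for esc in ESCALATION_ACTIONS:
                if fnmatch.fnmatchcase(esc, action):  # pattern covers esc
                    risky.add(action)
                    findings.append(f"stmt {i}: {action} grants {esc}")
        if risky and "*" in _as_list(st.get("Resource", [])):
            findings.append(f"stmt {i}: {sorted(risky)} on Resource '*'")
    return findings

# Constructed abbreviation of the IAMManagement policy in the template above.
IAM_MANAGEMENT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["cloudformation:*", "s3:*", "kms:*"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:List*", "iam:Get*", "iam:Update*",
                                   "iam:Delete*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:CreateAccessKey", "iam:PutUserPolicy"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:AttachRolePolicy", "iam:PassRole",
                                   "iam:CreatePolicyVersion", "iam:PutRolePolicy"],
     "Resource": "*"},
]}

# Constructed replacement for AmazonS3FullAccess in the test template: a bare
# `aws s3 ls` only calls ListBuckets, which needs s3:ListAllMyBuckets on "*".
S3_LIST_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"}]}
```

Running `lint_policy(IAM_MANAGEMENT)` lists every wildcard and escalation grant with its statement index, while `lint_policy(S3_LIST_ONLY)` returns an empty list.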
Page content provided by Stack Overflow. Translation supported by the Tencent Cloud Xiaowei IT-domain engine.
Original link:

https://stackoverflow.com/questions/70177522
