使用aws cli启动实例会产生未经授权的错误。
使用aws cli启动实例会产生未经授权的错误。
提问于 2019-01-09 14:45:27
我试图使用aws启动一个ec2实例,但是我得到了一个未经授权的错误。我可以在没有问题的情况下运行启动、停止、终止命令,但是runInstance失败了。我将所有必要的角色附加到ec2实例中。
下面是所附角色的政策。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ec2:TerminateInstances",
"ec2:StartInstances",
"ec2:CreateTags",
"ec2:RunInstances",
"ec2:StopInstances"
],
"Resource": "arn:aws:ec2:*:*:instance/*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"sts:DecodeAuthorizationMessage"
],
"Resource": "*"
}
]
}下面是启动ec2实例的cli命令
aws --region us-east-2 ec2 run-instances --image-id ami-02e680c45XXX351e \
--subnet-id subnet-2e0254 \
--security-group-ids sg-094a23e956177 \
--count 1 \
--instance-type t2.micro \
--key-name MyOhioKeyPair \
--query "Instances[0].InstanceId" \
--tag-specifications 'ResourceType=instance,Tags=[{Key='Application',Value="wu-digital-eai"}]'在运行此命令时,我会收到一条编码错误消息。下面是解码的消息。
{
"DecodedMessage": "{
\"allowed\":false,\"explicitDeny\":false,\"matchedStatements\":{
\"items\":[]},\"failures\":{\"items\":[]},\"context\":{
\"principal\":{\"id\":\"AROAIXRNU55ISQID4PHZA:i-027f9b5ea64f\",\"arn\":\"arn:aws:sts::56596531:assumed-role/LaunchInstanceTest/i-027f9b6aa64f\"},
\"action\":\"ec2:RunInstances\",\"resource\":\"arn:aws:ec2:us-east-2:55532131:network-interface/*\",\"conditions\":{\"items\":[{
\"key\":\"ec2:Vpc\",\"values\":{\"items\":[{\"value\":\"arn:aws:ec2:us-east-2:565532131:vpc/vpc-dc6b4\"}]}},
{\"key\":\"ec2:NetworkInterfaceID\",\"values\":{\"items\":[{\"value\":\"*\"}]}},
{\"key\":\"aws:Resource\",\"values\":{\"items\":[{\"value\":\"network-interface/*\"}]}},
{\"key\":\"aws:Account\",\"values\":{\"items\":[{\"value\":\"56532131\"}]}},
{\"key\":\"ec2:AvailabilityZone\",\"values\":{\"items\":[{\"value\":\"us-east-2b\"}]}},
{\"key\":\"ec2:IsLaunchTemplateResource\",\"values\":{\"items\":[{\"value\":\"false\"}]}},
{\"key\":\"aws:Region\",\"values\":{\"items\":[{\"value\":\"us-east-2\"}]}},
{\"key\":\"aws:Service\",\"values\":{\"items\":[{\"value\":\"ec2\"}]}},
{\"key\":\"ec2:Subnet\",\"values\":{\"items\":[{\"value\":\"arn:aws:ec2:us-east-2:56532131:subnet/subnet-2e54\"}]}},
{\"key\":\"aws:Type\",\"values\":{\"items\":[{\"value\":\"network-interface\"}]}},
{\"key\":\"ec2:Region\",\"values\":{\"items\":[{\"value\":\"us-east-2\"}]}},
{\"key\":\"aws:ARN\",\"values\":{\"items\":[{\"value\":\"arn:aws:ec2:us-east-2:56532131:network-interface/*\"}]}}]}}}"
}在阅读一些博客时,我发现上面错误中的\"action\":\"ec2:RunInstances\"行告诉了确切的问题。但是EC2:RunInstance策略正确地附加到角色。
有人能帮我理解我在这里错过了什么吗?
回答 1
Stack Overflow用户
发布于 2019-01-10 05:28:03
事实证明,除了运行实例策略之外,我们还必须提供更多的特权,例如-访问使用EC2密钥对、安全组、弹性块存储卷和(AMI)启动。下面是为我解决这个问题的json政策。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ec2:TerminateInstances",
"ec2:StartInstances",
"ec2:CreateTags",
"ec2:StopInstances"
],
"Resource": "arn:aws:ec2:*:*:instance/*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"sts:DecodeAuthorizationMessage"
],
"Resource": "*"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": [
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:key-pair/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:image/ami-*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:subnet/*"
]
}
]
}这里有一个来自aws的很好的链接,用于相同的问题:EC2资源级权限的解密
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/54112670
复制相关文章
相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号