amazon-ec2 - AWS EC2实例通过Ansible IAM角色创建instance_profile_name UnauthorizedOperation : Error

Question

我尝试使用 IAM 角色通过 ansible 创建 EC2 实例，但在启动新实例时出现错误

failed: [localhost] => (item= IAMRole-1) => {"failed": true, "item": " IAMRole-1"}
msg: Instance creation failed => UnauthorizedOperation: You are not authorized to perform
this operation. Encoded authorization failure message: Ckcjt2GD81D5dlF6XakTSDypnwrgeQb0k
ouRMKh3Ol1jue553EZ7OXPt6fk1Q1-4HM-tLNPCkiX7ZgJWXYGSjHg2xP1A9LR7KBiXYeCtFKEQIC
W9cot3KAKPVcNXkHLrhREMfiT5KYEtrsA2A-xFCdvqwM2hNTNf7Y6VGe0Z48EDIyO5p5DxdNFsaSChUcb
iRUhSyRXIGWr_ZKkGM9GoyoVWCBk3Ni2Td7zkZ1EfAIeRJobiOnYXKE6Q

而 iam 角色具有完全的 ec2 访问权限，并具有以下策略

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "ec2:*",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "elasticloadbalancing:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "cloudwatch:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "autoscaling:*",
      "Resource": "*"
    }
  ]
}

请提出任何建议。

Answer 1

这里的问题不在于 IAM Role for Amazon EC2本身，而不是您(即您自己使用的 AWS 凭证)似乎缺乏在启动时将该角色“传递”到请求的 EC2 实例所需的 iam:PassRole 权限，请参阅< em>在 Granting Applications that Run on Amazon EC2 Instances Access to AWS Resources 内使用 Amazon EC2 角色所需的权限详情:

To launch an instance with a role, the developer must have permission to launch Amazon EC2 instances and permission to pass IAM roles.

The following sample policy allows users to use the AWS Management Console to launch an instance with a role. The policy allows a user to pass any role and to perform all Amazon EC2 actions by specifying an asterisk (*). The ListInstanceProfiles action allows users to view all the roles that are available on the AWS account.

Example Policy that grants a user permission to launch an instance with any role by using the Amazon EC2 console

{
  "Version": "2012-10-17",   
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "iam:PassRole",
      "iam:ListInstanceProfiles",
      "ec2:*"
    ],
    "Resource": "*"
  }]
}

要求通过 PassRole 权限进行这种间接访问的原因是能够限制用户启动实例时可以传递给 Amazon EC2 实例的角色 :

This helps prevent the user from running applications that have more permissions than the user has been granted—that is, from being able to obtain elevated privileges. For example, imagine that user Alice has permissions only to launch Amazon EC2 instances and to work with Amazon S3 buckets, but the role she passes to an Amazon EC2 instance has permissions to work with IAM and DynamoDB. In that case, Alice might be able to launch the instance, log into it, get temporary security credentials, and then perform IAM or DynamoDB actions that she's not authorized for.

您可能想阅读我对 How to specify an IAM role for an Amazon EC2 instance being launched via the AWS CLI? 的回答有关更详细的解释，该解释还链接到 Mike Pope 关于 Granting Permission to Launch EC2 Instances with IAM Roles (PassRole Permission) 的好文章，它从 AWS 的角度解释了主题。