我遇到一个问题,我无法理解它为什么会这样工作。
我有一个 CloudFormation 模板,它提供以下访问权限:
- Effect: Allow
Action:
- ec2:RunInstances
- ec2:ModifyInstanceAttribute
Resource:
- 'Fn::Join': [ '', [ 'arn:aws:ec2:' ,Ref: 'AWS::Region', ':',Ref: 'AWS::AccountId', ':instance/*']]
- 'Fn::Join': [ '', [ 'arn:aws:ec2:' ,Ref: 'AWS::Region', ':',Ref: 'AWS::AccountId', ':key-pair/*']]
- 'Fn::Join': [ '', [ 'arn:aws:ec2:' ,Ref: 'AWS::Region', ':',Ref: 'AWS::AccountId', ':security-group/', Ref: DBSecurityGroup ]]
- 'Fn::Join': [ '', [ 'arn:aws:ec2:' ,Ref: 'AWS::Region', ':',Ref: 'AWS::AccountId', ':volume/*']]
- 'Fn::Join': [ '', [ 'arn:aws:ec2:' ,Ref: 'AWS::Region', ':',Ref: 'AWS::AccountId', ':network-interface/**']]
- 'Fn::Join': [ '', [ 'arn:aws:ec2:' ,Ref: 'AWS::Region', ':',Ref: 'AWS::AccountId', ':subnet/', Ref: Subnet ]]
- 'Fn::Join': [ '', [ 'arn:aws:ec2:' ,Ref: 'AWS::Region', ':',Ref: 'AWS::AccountId', ':placement-group/*']]
- 'Fn::Join': [ '', [ 'arn:aws:ec2:',Ref: 'AWS::Region', '::image/ami-**']]
到机器。
机器可以使用此角色调用run-instances,一切正常。
如果我启用元数据标签,如下所示:
InstanceEnableTagsMetadata:
Type: 'AWS::EC2::LaunchTemplate'
Properties:
LaunchTemplateData:
MetadataOptions:
InstanceMetadataTags: enabled
run-instance 调用因权限不足而停止工作。
错误消息如下所示:
API: ec2:RunInstances You are not authorized to perform this operation. Encoded authorization failure message: OTMSE3dUu3XO...
可能是什么问题?
最佳答案
当我解码编码消息时,我得到以下内容:
$ aws sts decode-authorization-message --encoded-message Uz9... \
| jq -r .DecodedMessage | jq .
# [here comes a big JSON with details]
我们在解码中看到,失败的操作是launch-template:
{
"key": "aws:Resource",
"values": {
"items": [
{
"value": "launch-template/lt-"
}
]
}
},
这意味着,launch-template 应添加到允许的操作列表中。
(感谢@ZabielskiGabriel 的提示)
关于amazon-web-services - 启用 InstanceMetadataTags 时权限不足 `run-instance`,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/73745010/