我正在尝试设置一个EC2(RHEL7)实例,以使用perl脚本将度量值推送到cloudwatch,如http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/mon-scripts.html
我收到一条HTTP状态400消息“请求中包含的安全令牌无效”
实例配置文件与附加了以下策略的实例关联:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricData",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeTags"
            ],
            "Resource": "*"
        }
    ]
}

我从实例元数据中提取AWSAccessKeyId和AWSSecretKey,如下所示:
ROLE=$(curl http://169.254.169.254/latest/meta-data/iam/security-credentials/)
CRED=$(curl http://169.254.169.254/latest/meta-data/iam/security-credentials/$ROLE)

AWSAccessKeyId=$(sed '/AccessKeyId/!d; s/.*:\ \+"\(.\+\)",/\1/g' <<< "$CRED")
AWSSecretKey=$(sed '/SecretAccessKey/!d; s/.*:\ \+"\(.\+\)",/\1/g' <<< "$CRED")

…当我检查时,上面变量中设置的值是正确的。。。
我正在运行这个脚本,将其推送到cloudwatch,如下所示(使用上面变量中存储的cred):
./mon-put-instance-data.pl --mem-util --verbose --aws-access-key-id  $AWSAccessKeyId --aws-secret-key $AWSSecretKey

你知道为什么拒绝我的证件吗?
提前谢谢

最佳答案

如果使用的是IAM配置文件,则无需输入脚本调用的凭据。从您的电话中删除访问密钥和密钥。

./mon-put-instance-data.pl --mem-util --verbose

10-06 14:25