我正在尝试设置一个EC2(RHEL7)实例,以使用perl脚本将度量值推送到cloudwatch,如http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/mon-scripts.html
我收到一条HTTP状态400消息“请求中包含的安全令牌无效”
实例配置文件与附加了以下策略的实例关联:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:PutMetricData",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeTags"
],
"Resource": "*"
}
]
}
我从实例元数据中提取AWSAccessKeyId和AWSSecretKey,如下所示:
ROLE=$(curl http://169.254.169.254/latest/meta-data/iam/security-credentials/)
CRED=$(curl http://169.254.169.254/latest/meta-data/iam/security-credentials/$ROLE)
AWSAccessKeyId=$(sed '/AccessKeyId/!d; s/.*:\ \+"\(.\+\)",/\1/g' <<< "$CRED")
AWSSecretKey=$(sed '/SecretAccessKey/!d; s/.*:\ \+"\(.\+\)",/\1/g' <<< "$CRED")
…当我检查时,上面变量中设置的值是正确的。。。
我正在运行这个脚本,将其推送到cloudwatch,如下所示(使用上面变量中存储的cred):
./mon-put-instance-data.pl --mem-util --verbose --aws-access-key-id $AWSAccessKeyId --aws-secret-key $AWSSecretKey
你知道为什么拒绝我的证件吗?
提前谢谢
最佳答案
如果使用的是IAM配置文件,则无需输入脚本调用的凭据。从您的电话中删除访问密钥和密钥。
./mon-put-instance-data.pl --mem-util --verbose