Terminate EC2 instances of a specific instance type

This page covers how to allow launching, starting, stopping and terminating only EC2 instances of specific instance types.

Problem description

While launching an on-demand instance from AWS I'm getting the following error:

But I'm unable to replicate the actual issue from the response, as the decoded JSON message has an empty failure object, although I'm able to launch a spot instance from the same IAM policy.

```json
{
  "allowed": false,
  "explicitDeny": false,
  "matchedStatements": {
    "items": []
  },
  "failures": {
    "items": []
  },
  "context": {
    "principal": {
      "id": "XXXXXXXXXXXXXXXXXXXX",
      "name": "user_name",
      "arn": "arn:aws:iam::account_id:user/user_name"
    },
    "action": "ec2:RunInstances",
    "resource": "arn:aws:ec2:us-east-1:account_id:instance/*",
    "conditions": {
      "items": [
        {
          "key": "ec2:InstanceMarketType",
          "values": {
            "items": [
              {
                "value": "on-demand"
              }
            ]
          }
        },
        {
          "key": "aws:Resource",
          "values": {
            "items": [
              {
                "value": "instance/*"
              }
            ]
          }
        },
        {
          "key": "aws:Account",
          "values": {
            "items": [
              {
                "value": "account_id"
              }
            ]
          }
        },
        {
          "key": "ec2:AvailabilityZone",
          "values": {
            "items": [
              {
                "value": "us-east-1a"
              }
            ]
          }
        },
        {
          "key": "ec2:ebsOptimized",
          "values": {
            "items": [
              {
                "value": "false"
              }
            ]
          }
        },
        {
          "key": "ec2:IsLaunchTemplateResource",
          "values": {
            "items": [
              {
                "value": "false"
              }
            ]
          }
        },
        {
          "key": "ec2:InstanceType",
          "values": {
            "items": [
              {
                "value": "m1.medium"
              }
            ]
          }
        },
        {
          "key": "ec2:RootDeviceType",
          "values": {
            "items": [
              {
                "value": "ebs"
              }
            ]
          }
        },
        {
          "key": "aws:Region",
          "values": {
            "items": [
              {
                "value": "us-east-1"
              }
            ]
          }
        },
        {
          "key": "aws:Service",
          "values": {
            "items": [
              {
                "value": "ec2"
              }
            ]
          }
        },
        {
          "key": "ec2:InstanceID",
          "values": {
            "items": [
              {
                "value": "*"
              }
            ]
          }
        },
        {
          "key": "aws:Type",
          "values": {
            "items": [
              {
                "value": "instance"
              }
            ]
          }
        },
        {
          "key": "ec2:Tenancy",
          "values": {
            "items": [
              {
                "value": "default"
              }
            ]
          }
        },
        {
          "key": "ec2:Region",
          "values": {
            "items": [
              {
                "value": "us-east-1"
              }
            ]
          }
        },
        {
          "key": "aws:ARN",
          "values": {
            "items": [
              {
                "value": "arn:aws:ec2:us-east-1:account_id:instance/*"
              }
            ]
          }
        }
      ]
    }
  }
}
```


**Below is my IAM Policy**

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances"
            ],
            "Resource": "arn:aws:ec2:us-east-1:account_id:instance/m*,t*",
            "Condition": {
                "StringLike": {
                    "ec2:InstanceType": [
                        "m*",
                        "t*"
                    ]
                }
            }
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:*::image/ami-*",
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:key-pair/*",
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:us-east-1:account_id:instance/m*,t*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:network-interface/*"
            ],
            "Condition": {
                "StringLike": {
                    "ec2:InstanceType": [
                        "m*",
                        "t*"
                    ]
                }
            }
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "ec2:TerminateInstances",
            "Resource": "arn:aws:ec2:us-east-1:account_id:instance/*",
            "Condition": {
                "StringLike": {
                    "ec2:InstanceType": [
                        "m*",
                        "t*"
                    ]
                }
            }
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:PurchaseReservedInstancesOffering",
                "ec2:DescribeAvailabilityZones",
                "ec2:EnableEbsEncryptionByDefault",
                "ec2:DescribeReservedInstancesOfferings",
                "ec2:DescribeReservedInstances",
                "ec2:ModifyReservedInstances"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor4",
            "Effect": "Allow",
            "Action": [
                "ec2:ModifyVolumeAttribute",
                "ec2:DescribeInstances",
                "ec2:GetEbsEncryptionByDefault",
                "ec2:ExportClientVpnClientConfiguration",
                "ec2:GetHostReservationPurchasePreview",
                "ec2:DeleteVolume",
                "ec2:GetLaunchTemplateData",
                "ec2:SearchTransitGatewayRoutes",
                "ec2:DescribeVolumeStatus",
                "ec2:DescribeVolumes",
                "ec2:GetEbsDefaultKmsKeyId",
                "ec2:DetachVolume",
                "ec2:ModifyVolume",
                "ec2:GetTransitGatewayAttachmentPropagations",
                "ec2:GetReservedInstancesExchangeQuote",
                "ec2:DescribeVolumeAttribute",
                "ec2:CreateVolume",
                "ec2:GetPasswordData",
                "ec2:GetTransitGatewayRouteTablePropagations",
                "ec2:AttachVolume",
                "ec2:PurchaseReservedInstancesOffering",
                "ec2:RequestSpotInstances",
                "ec2:GetCapacityReservationUsage",
                "ec2:ExportClientVpnClientCertificateRevocationList",
                "ec2:CreateSecurityGroup",
                "ec2:GetTransitGatewayRouteTableAssociations",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeTags",
                "ec2:ImportSnapshot",
                "sts:*",
                "ec2:Describe*",
                "ec2:GetConsole*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor5",
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DeleteSecurityGroup"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor6",
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteTags",
                "ec2:CreateTags",
                "ec2:GetConsoleScreenshot"
            ],
            "Resource": "*"
        }
    ]
}
```

along with all IAM read-only permissions.

Recommended answer

Here is a policy that grants permission to launch an instance in the M or T family:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "InstanceType",
            "Effect": "Allow",
            "Action": [
                "ec2:TerminateInstances",
                "ec2:StartInstances",
                "ec2:RunInstances",
                "ec2:StopInstances"
            ],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringLike": {
                    "ec2:InstanceType": [
                        "t*",
                        "m*"
                    ]
                }
            }
        },
        {
            "Sid": "Any",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:placement-group/*",
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*::image/*"
            ]
        }
    ]
}
```

It is based on the example policies for working in the Amazon EC2 console, from the Amazon Elastic Compute Cloud documentation.

After a bit of playing around, it seems that the ec2:InstanceType parameter is only relevant for the instance/* resource type.

Here's a sample CLI command that I used to test it:

```bash
aws ec2 run-instances --image-id ami-abcd1234 --security-group-id sg-abcd1234 --instance-type t2.nano
```

Please note that it does not grant permission to add tags or pass an IAM Role in the RunInstances command.
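To make the answer's two observations concrete (RunInstances is authorized once per resource it touches, and `ec2:InstanceType` is only present in the request context of the `instance/*` resource), here is an added Python model of that evaluation. It is example code written for this page, not the asker's or the answerer's code, and not AWS's evaluation engine: it models only `Allow` statements and the `StringLike` operator, treats `*` and `?` as the only wildcards (so the comma in `instance/m*,t*` is a literal character), and treats a condition key that is absent from a resource's context as a failed condition. The image and security-group ids come from the answer's CLI test; the subnet id, the `ec2:Region` context key and the trimmed `DECODED_MESSAGE` are constructed from the question's decoded authorization message.

```python
"""Offline model of IAM evaluation for ec2:RunInstances (added example, not from the page).

Assumed simplifications: only Allow statements and the StringLike operator are
modelled; '*' and '?' are wildcards and every other character (including ',')
is literal; a condition key that is absent from the request context makes the
condition, and therefore the statement, fail.
"""
import fnmatch

ACCOUNT = "account_id"  # placeholder copied from the question, not a real account id


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_allows(stmt, action, resource_arn, context):
    """True if this Allow statement matches the action, the resource and every condition."""
    if stmt.get("Effect") != "Allow":
        return False
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        if operator != "StringLike":
            raise NotImplementedError(f"operator {operator} is not modelled")
        for key, patterns in keys.items():
            if key not in context:  # key absent for this resource type -> condition fails
                return False
            if not any(fnmatch.fnmatchcase(context[key], p) for p in _as_list(patterns)):
                return False
    return True


def evaluate(policy, action, resource_arn, context):
    """'Allow' if any statement allows the request, otherwise the implicit 'Deny'."""
    if any(statement_allows(s, action, resource_arn, context) for s in policy["Statement"]):
        return "Allow"
    return "Deny"


def run_instances_decisions(policy, instance_type, region="us-east-1"):
    """Evaluate RunInstances once per resource a simple launch touches.

    Only the instance resource carries ec2:InstanceType in its context; the
    image, security group, subnet, ENI and volume resources do not.
    """
    shared = {"ec2:Region": region}
    with_type = {**shared, "ec2:InstanceType": instance_type}
    resources = {
        f"arn:aws:ec2:{region}:{ACCOUNT}:instance/*": with_type,
        f"arn:aws:ec2:{region}::image/ami-abcd1234": shared,  # id from the answer's CLI test
        f"arn:aws:ec2:{region}:{ACCOUNT}:security-group/sg-abcd1234": shared,  # same
        f"arn:aws:ec2:{region}:{ACCOUNT}:subnet/subnet-abcd1234": shared,  # constructed id
        f"arn:aws:ec2:{region}:{ACCOUNT}:network-interface/*": shared,
        f"arn:aws:ec2:{region}:{ACCOUNT}:volume/*": shared,
    }
    return {arn: evaluate(policy, "ec2:RunInstances", arn, ctx) for arn, ctx in resources.items()}


def launch_allowed(policy, instance_type):
    """The API call succeeds only if every touched resource is allowed."""
    return all(d == "Allow" for d in run_instances_decisions(policy, instance_type).values())


def context_from_decoded_message(msg):
    """Pull (action, resource, context) out of a decoded authorization message."""
    ctx = msg["context"]
    keys = {c["key"]: c["values"]["items"][0]["value"] for c in ctx["conditions"]["items"]}
    return ctx["action"], ctx["resource"], keys


# The asker's RunInstances statement: one statement covers every resource type and
# puts the ec2:InstanceType condition on all of them; its instance ARN also uses
# "m*,t*", which is a single pattern containing a literal comma, not two patterns.
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "ec2:RunInstances",
    "Resource": ["arn:aws:ec2:*::image/ami-*", "arn:aws:ec2:*:*:subnet/*",
                 "arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:security-group/*",
                 "arn:aws:ec2:*:*:network-interface/*",
                 f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/m*,t*"],
    "Condition": {"StringLike": {"ec2:InstanceType": ["m*", "t*"]}}}]}

# The answer's policy: the condition only on the instance resource, the rest unconditional.
ANSWER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "InstanceType", "Effect": "Allow",
     "Action": ["ec2:TerminateInstances", "ec2:StartInstances", "ec2:RunInstances", "ec2:StopInstances"],
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringLike": {"ec2:InstanceType": ["t*", "m*"]}}},
    {"Sid": "Any", "Effect": "Allow", "Action": "ec2:RunInstances",
     "Resource": ["arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:volume/*",
                  "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:placement-group/*",
                  "arn:aws:ec2:*:*:network-interface/*", "arn:aws:ec2:*::image/*"]}]}

# Trimmed copy of the question's decoded message (constructed: only the keys used here).
DECODED_MESSAGE = {"context": {
    "action": "ec2:RunInstances",
    "resource": f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/*",
    "conditions": {"items": [
        {"key": "ec2:InstanceType", "values": {"items": [{"value": "m1.medium"}]}},
        {"key": "ec2:InstanceMarketType", "values": {"items": [{"value": "on-demand"}]}},
        {"key": "ec2:Region", "values": {"items": [{"value": "us-east-1"}]}}]}}}

if __name__ == "__main__":
    for name, policy in (("question", QUESTION_POLICY), ("answer", ANSWER_POLICY)):
        print(name, "t2.nano per resource:", run_instances_decisions(policy, "t2.nano"))
        print(name, "decoded-message context:", evaluate(policy, *context_from_decoded_message(DECODED_MESSAGE)))
```

Running it shows the two failure modes in the asker's statement separately: the image, subnet, security-group, ENI and volume resources are denied because the `ec2:InstanceType` key is not in their context, and the instance resource is denied because `instance/m*,t*` does not match `instance/*`. With the answer's policy every resource is allowed for `t2.nano` and the instance resource alone is denied for a `c5.large`, which is the intended effect.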

09-03 17:34