Amazon-Ec2
IAM 政策不允許我啟動實例
我已將以下策略附加到使用者,以便他們可以啟動和停止一個特定實例。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "ec2:StartInstances", "ec2:StopInstances" ], "Resource": "arn:aws:ec2:::instance/i-01234567890" }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": "ec2:DescribeInstanceStatus", "Resource": "*" } ] }
使用以下程式碼,我得到一個 403 試圖啟動該實例:
conn = boto.ec2.connect_to_region("eu-west-1", aws_access_key_id=AWS_ACCESS, aws_secret_access_key=AWS_SECRET) instance = conn.start_instances(instance_ids=['i-01234567890'], dry_run=True)
我究竟做錯了什麼?
我已經在控制台中模擬了策略,看起來還不錯,我可以在模擬下啟動那個特定的實例。我嘗試將 DescribeInstances (*) 添加到權限中,但即使採用這種方法也不起作用:
>>> conn.get_only_instances()[0] Instance:i-01234567890 >>> conn.get_only_instances()[0].start() <Permission Denied>
"arn:aws:ec2:::instance/i-01234567890"
到
"arn:aws:ec2:region:account-id:instance/i-01234567890"
您需要在您的區域和帳戶 ID 中進行替換,因為它們是此資源類型所必需的,如https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html中所述#arn-語法-ec2