Amazon-Ec2

IAM 政策不允許我啟動實例

  • January 24, 2018

我已將以下策略附加到使用者,以便他們可以啟動和停止一個特定實例。

{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Sid": "VisualEditor0",
           "Effect": "Allow",
           "Action": [
               "ec2:StartInstances",
               "ec2:StopInstances"
           ],
           "Resource": "arn:aws:ec2:::instance/i-01234567890"
       },
       {
           "Sid": "VisualEditor1",
           "Effect": "Allow",
           "Action": "ec2:DescribeInstanceStatus",
           "Resource": "*"
       }
   ]
}

使用以下程式碼,我得到一個 403 試圖啟動該實例:

conn = boto.ec2.connect_to_region("eu-west-1",
 aws_access_key_id=AWS_ACCESS,
 aws_secret_access_key=AWS_SECRET)

instance = conn.start_instances(instance_ids=['i-01234567890'], dry_run=True)

我究竟做錯了什麼?

我已經在控制台中模擬了策略,看起來還不錯,我可以在模擬下啟動那個特定的實例。我嘗試將 DescribeInstances (*) 添加到權限中,但即使採用這種方法也不起作用:

>>> conn.get_only_instances()[0]
Instance:i-01234567890
>>> conn.get_only_instances()[0].start()
<Permission Denied>
"arn:aws:ec2:::instance/i-01234567890"

"arn:aws:ec2:region:account-id:instance/i-01234567890"

您需要在您的區域和帳戶 ID 中進行替換,因為它們是此資源類型所必需的,如https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html中所述#arn-語法-ec2

引用自:https://serverfault.com/questions/893735