Minimal IAM policy for ec2:RunInstances


Question

I'm trying to narrow down the minimal policy to run a predefined machine image. The image is based on two snapshots and I only want "m1.medium" instance types to be launched.

Based on that and with the help of this page and this article, I worked out the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1385026304010",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:InstanceType": "m1.medium"
                }
            },
            "Resource": [
                "arn:aws:ec2:us-east-1::instance/*",
                "arn:aws:ec2:us-east-1::image/ami-f1c3e498",
                "arn:aws:ec2:us-east-1::snapshot/snap-e2f51ffa",
                "arn:aws:ec2:us-east-1::snapshot/snap-18ca2000",
                "arn:aws:ec2:us-east-1::key-pair/shenton",
                "arn:aws:ec2:us-east-1::security-group/sg-6af56d02",
                "arn:aws:ec2:us-east-1::volume/*"
            ]
        }
    ]
}

The policy narrows down the exact image, snapshots, security group and key-pair while leaving the specific instance and volume open.

I'm using the CLI tools as follows, as described here:

aws ec2 run-instances --dry-run \
    --image-id ami-f1c3e498 \
    --key-name shenton \
    --security-group-ids sg-6af56d02 \
    --instance-type m1.medium

~/.aws/config is as follows:

[default]
output = json
region = us-east-1
aws_access_key_id = ...
aws_secret_access_key = ...

The command results in a generic You are not authorized to perform this operation message and the encoded authorization failure message indicates that none of my statements were matched and therefore it rejects the action.

Changing to "Resource": "*" resolves the issue obviously, but I want to gain more understanding as to why the above doesn't work. I fully realize that this involves some degree of guess work, so I welcome any ideas.

Answer

I've been contacted by Jeff Barr from Amazon Web Services and he kindly helped me find out what the issue was.

First you need to decode the authorization failure message using the following statement:

$ aws sts decode-authorization-message --encoded-message 6gO3mM3p....IkgLj8ekf

Make sure the IAM user / role has permission for the sts:DecodeAuthorizationMessage action.

The response contains a DecodedMessage key comprising another JSON encoded body:

{
    "allowed": false,
    "explicitDeny": false,
    "matchedStatements": {
        "items": []
    },
    "failures": {
        "items": []
    },
    "context": {
        "principal": {
            "id": "accesskey",
            "name": "testuser",
            "arn": "arn:aws:iam::account:user/testuser"
        },
        "action": "ec2:RunInstances",
        "resource": "arn:aws:ec2:us-east-1:account:instance/*",
        "conditions": { ... }
    }
}

Under context => resource it will show what resource it was attempting to match against the policy; as you can see, it expects an account number. The arn documentation should therefore be read as:

Unless otherwise specified, the region and account are required.

Adding the account number or * in the affected ARNs fixed the problem:

"Resource": [
    "arn:aws:ec2:us-east-1:*:instance/*",
    "arn:aws:ec2:us-east-1:*:image/ami-f1c3e498",
    "arn:aws:ec2:us-east-1:*:snapshot/snap-e2f51ffa",
    "arn:aws:ec2:us-east-1:*:snapshot/snap-18ca2000",
    "arn:aws:ec2:us-east-1:*:key-pair/shenton",
    "arn:aws:ec2:us-east-1:*:security-group/sg-6af56d02",
    "arn:aws:ec2:us-east-1:*:volume/*"
]
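An added example, not part of the question or answer above and not AWS code: the script below does offline what the answer walks through by hand. It pulls context.resource out of a decoded authorization message, checks every Resource ARN of the question's policy against that ARN with IAM's whole-string wildcard matching ('*' and '?', everything else literal), names the empty account field as the reason an entry missed, and rewrites such entries with an account id. The DecodedMessage body is constructed to the shape shown above, the account id 123456789012 is a placeholder assumption, and the matcher does not substitute IAM policy variables such as ${aws:username}.

```python
import json
import re

# Constructed sample, not a real decoded message: the shape of the DecodedMessage body
# from `aws sts decode-authorization-message`; account 123456789012 is a placeholder.
DECODED_MESSAGE = json.dumps({
    "allowed": False, "explicitDeny": False,
    "matchedStatements": {"items": []}, "failures": {"items": []},
    "context": {
        "principal": {"id": "accesskey", "name": "testuser",
                      "arn": "arn:aws:iam::123456789012:user/testuser"},
        "action": "ec2:RunInstances",
        "resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
        "conditions": {}}})

# The policy from the question: every ARN leaves the account field empty.
BROKEN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["ec2:RunInstances"],
    "Condition": {"StringEquals": {"ec2:InstanceType": "m1.medium"}},
    "Resource": [
        "arn:aws:ec2:us-east-1::instance/*",
        "arn:aws:ec2:us-east-1::image/ami-f1c3e498",
        "arn:aws:ec2:us-east-1::snapshot/snap-e2f51ffa",
        "arn:aws:ec2:us-east-1::snapshot/snap-18ca2000",
        "arn:aws:ec2:us-east-1::key-pair/shenton",
        "arn:aws:ec2:us-east-1::security-group/sg-6af56d02",
        "arn:aws:ec2:us-east-1::volume/*"]}]}

ARN_FIELDS = ("prefix", "partition", "service", "region", "account", "resource")

def parse_arn(arn):
    """arn:partition:service:region:account:resource -> dict, or None if not a full ARN."""
    parts = arn.split(":", 5)                    # the resource part may itself contain ':'
    if len(parts) != 6 or parts[0] != "arn":
        return None
    fields = dict(zip(ARN_FIELDS, parts))
    fields["type"] = fields["resource"].split("/")[0]   # "instance/*" -> "instance"
    return fields

def arn_matches(pattern, resource):
    """IAM compares the policy ARN to the request ARN as one string: '*' matches any run
    of characters (':' and '/' included), '?' one character, everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, resource) is not None

def requested_resource(decoded_message):
    """context.resource from a DecodedMessage body (JSON string)."""
    return json.loads(decoded_message)["context"]["resource"]

def resources_of(stmt):
    res = stmt["Resource"]
    return [res] if isinstance(res, str) else list(res)

def diagnose(policy, requested):
    """(pattern, matched, reason) per Resource entry of each Allow statement."""
    req = parse_arn(requested)
    report = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in resources_of(stmt):
            if arn_matches(pattern, requested):
                report.append((pattern, True, "match"))
                continue
            pat = parse_arn(pattern)
            if pat is None:
                reason = "not a full ARN"
            elif pat["type"] != req["type"]:
                reason = "other resource type"
            elif pat["account"] == "" and req["account"] != "":
                reason = "empty account field; request carries account " + req["account"]
            else:
                reason = "other fields differ"
            report.append((pattern, False, reason))
    return report

def fill_account(policy, account, types=None):
    """Copy of the policy with each empty account field set to `account` ('*' as in the
    answer, or your own account id). With `types`, only those resource types are touched:
    EC2 image and snapshot ARNs carry no account id, so a pinned id there would not match."""
    fixed = json.loads(json.dumps(policy))       # deep copy; the input is left intact
    for stmt in fixed["Statement"]:
        rewritten = []
        for pattern in resources_of(stmt):
            f = parse_arn(pattern)               # None for a bare "*": kept as is
            if f and not f["account"] and (types is None or f["type"] in types):
                f["account"] = account
                pattern = ":".join(f[k] for k in ARN_FIELDS)
            rewritten.append(pattern)
        stmt["Resource"] = rewritten
    return fixed

if __name__ == "__main__":
    requested = requested_resource(DECODED_MESSAGE)
    for pattern, ok, reason in diagnose(BROKEN_POLICY, requested):
        print("%-48s %s  %s" % (pattern, "match" if ok else "MISS ", reason))
    tight = fill_account(BROKEN_POLICY, parse_arn(requested)["account"],
                         types={"instance", "volume", "key-pair", "security-group"})
    print(json.dumps(tight["Statement"][0]["Resource"], indent=4))
```

The answer's '*' works for every entry because '*' also matches an empty account field. For instance, volume, key-pair and security-group ARNs, which do carry an account id, pinning your own id (the types argument above) is tighter, since '*' there would also match the same resource path under any other account id. EC2 image and snapshot ARNs have no account component, so those entries must keep an empty field or '*'; check the ARN format of each resource type in the EC2 IAM documentation before pinning.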
