AWS EC2用户数据脚本以分配弹性IP [英] AWS EC2 User Data script to allocate Elastic IP
问题描述
我正在尝试为VPC创建自己的堡垒主机,并创建了一个最小/最大实例为1的自动扩展组.在启动配置中,我为ec2用户数据指定了以下内容:
#!INSTANCE_ID =`/usr/bin/curl -s http://169.254.169.254/latest/meta-data/instance-id`AWS EC2关联地址-实例ID $ INSTANCE_ID-分配ID eipalloc-my-eip-id --allow-reassociation 此用户数据的目标是立即将弹性IP地址与我新创建的EC2实例相关联-
我已经确认实例确实使用了用户数据:
我试图查看系统日志,以查看初始化期间是否有任何错误消息,但是起初我看不到任何提示 associate-address 命令失败的信息(内/var/log/cloud-init-output ).
尝试调试:
但是,然后我将弹性IP手动关联到我的实例SSHed,并尝试运行上面的用户数据命令.有趣的是,当我到达 aws ec2关联地址部分时,我遇到了
无法找到凭据.您可以通过运行来配置凭据"aws configure".
这似乎是问题的根源-未配置我的AWS配置文件.但是,我一直给人的印象是,在实例完成初始化后,会为您设置默认的AWS实例配置文件,并可以访问AWS CLI.
有人可以指出我为什么与弹性IP地址关联的用户数据可能无法正确执行的方向吗?
看起来此EC2实例附带的实例配置文件没有执行上述任务的权限.
引用 https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-ec2-console.html#ex-eip ,
您可以确定您的实例配置文件允许执行以下操作吗?
ec2:AllocateAddress:分配弹性IP地址.ec2:ReleaseAddress:释放弹性IP地址.ec2:AssociateAddress:要将弹性IP地址与实例或网络接口相关联.ec2:DescribeNetworkInterfaces和ec2:DescribeInstances:与关联地址"屏幕一起使用.屏幕显示您可以将弹性IP地址与之关联的可用实例或网络接口.ec2:DisassociateAddress:取消弹性IP地址与实例或网络接口的关联. 示例政策如下:
{"Version":"2012-10-17",陈述": [{效果":允许",行动": ["ec2:DescribeAddresses","ec2:AllocateAddress","ec2:DescribeInstances","ec2:AssociateAddress"],资源":"*"}] }
希望这会有所帮助.
I am attempting to create my own bastion host for a VPC, and created an auto-scaling group with min/max instances of 1. In my launch configurations, I specify the following for the ec2 user data:
#!
INSTANCE_ID=`/usr/bin/curl -s http://169.254.169.254/latest/meta-data/instance-id`
aws ec2 associate-address --instance-id $INSTANCE_ID --allocation-id eipalloc-my-eip-id --allow-reassociation
The goal of this user data is to immediately associate an Elastic IP address with my newly created EC2 instance - I've read from other StackOverflow posts that this must be explicitly done when using ASGs.
However, after the ASG instance spins up and finishes initializing, I still do not see any Elastic IP in my console output for the instance:
I've confirmed that the user data is indeed being used by the instance:
I tried to look inside the system log to see if there were any error messages during the initialization, but I couldn't see anything at first that would suggest that the associate-address command failed (inside /var/log/cloud-init-output).
Edit: Attempt to debug:
However, I then manually associated the Elastic IP with my instance, SSHed, and attempted to run the user data commands above. Interestingly, when I got to the aws ec2 associate-address portion, I ran into
Unable to locate credentials. You can configure credentials by running "aws configure".
This appears to be at the root of the issue - my AWS profile is not configured. However, I've always been under the impression that a default AWS instance profile is set up for you with access to the AWS CLI when the instance finishes initializing.
Could anyone point me in the direction of why my user data to associate elastic IP addresses might not be executing properly?
It looks the instance profile attached to this EC2 instance does not have permission to perform the above task.
Referring to https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-ec2-console.html#ex-eip,
Can you make sure your Instance profile has the following action allowed?
ec2:AllocateAddress: To allocate an Elastic IP address.
ec2:ReleaseAddress: To release an Elastic IP address.
ec2:AssociateAddress: To associate an Elastic IP address with an instance or a network interface.
ec2:DescribeNetworkInterfaces and ec2:DescribeInstances: To work with the Associate address screen. The screen displays the available instances or network interfaces to which you can associate an Elastic IP address.
ec2:DisassociateAddress: To disassociate an Elastic IP address from an instance or a network interface.
Sample policy would look like:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeAddresses",
"ec2:AllocateAddress",
"ec2:DescribeInstances",
"ec2:AssociateAddress"
],
"Resource": "*"
}
]
}
Hope this helps.
这篇关于AWS EC2用户数据脚本以分配弹性IP的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
