我试图限制我的IAM角色,这样我只能启动/停止具有特定标记名的EC2实例大概这是一个常见的用例,可以确保您不会启动/停止/删除错误的EC2实例!
我创建了这个角色:
"Effect": "Allow",
"Action": [
"ec2:RunInstances",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Name": [
"InstanceName",
"InstanceName_Two"
]
}
}
}
(基于上的示例https://github.com/hashicorp/packer/issues/1928(
我正试图通过boto3创建一个实例,其中包含:
{'ResourceType': 'instance', 'Tags': [{'Key': 'Name', 'Value': 'InstanceName'} }
但我弄错了botocore.exceptions.ClientError: An error occurred (UnauthorizedOperation) when calling the RunInstances operation: You are not authorized to perform this operation
它在不添加";ec2:ResourceTag/Name";条件
如何创建一个只能启动/停止具有特定名称的EC2实例的角色?
您应该按照文档中AmazonEC2 的条件键使用aws:ResourceTag/${TagKey}
ResourceTag全局条件。
下面的政策很有效。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ec2:TerminateInstances",
"ec2:RunInstances",
"ec2:StartInstances",
"ec2:StopInstances"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/Name": [
"InstanceName",
"InstanceName_Two"
]
}
}
}
]
}
我不确定为什么你需要ec2:RunInstances许可,即使你提到
仅启动/停止具有特定标记名的EC2实例