I can't enforce tagging on EC2 instances. What am I missing?



I'm trying to force users to tag EC2 instances at creation time. I've set up a test account and attached a policy that should require them to tag an EC2 instance when they create one. When I log in to the test account in an incognito window and try to create an EC2 instance, I am not required to tag the instance.

I've diligently gone through the Stack Overflow forums and general online searches. The answers I came across all made sense, but simply didn't work.

The following IAM policy is the one I've been using. I've been tweaking it and experimenting, but to no avail.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*::image/*",
                "arn:aws:ec2:*:123456789:subnet/*",
                "arn:aws:ec2:*:123456789:network-interface/*",
                "arn:aws:ec2:*:123456789:security-group/*",
                "arn:aws:ec2:*:123456789:key-pair/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:123456789:volume/*",
                "arn:aws:ec2:*:123456789:instance/*"
            ],
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:TagKeys": [
                        "environment",
                        "webserver"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": "arn:aws:ec2:*:123456789:*/*",
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": "RunInstances"
                }
            }
        }
    ]
}

I don't get any error message. When creating an EC2 instance with the test user account, I can simply proceed.

Any ideas would be appreciated.

[Update]

I confirm that your policy doesn't work. (All commands were run in eu-west-1.)

$ aws ec2 run-instances --image-id ami-0bbc25e23a7640b9b --instance-type t3.micro
{
    "Groups": [],
    "Instances": [
        {
            "AmiLaunchIndex": 0,
            "ImageId": "ami-0bbc25e23a7640b9b",
            "InstanceId": "i-0f695dcb8044ef708",
...

Switched to this copy of the policy pasted from our blog (the only difference I can see is that it doesn't explicitly mention the account ID):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowToDescribeAll",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowRunInstances",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:*::image/*",
                "arn:aws:ec2:*::snapshot/*",
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:key-pair/*"
            ]
        },
        {
            "Sid": "AllowRunInstancesWithRestrictions",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVolume",
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:TagKeys": [
                        "key1"
                    ]
                }
            }
        },
        {
            "Sid": "AllowCreateTagsOnlyLaunching",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": "RunInstances"
                }
            }
        }
    ]
}

Then I tried to launch an instance without tags:

$ aws --profile test ec2 run-instances --image-id ami-0bbc25e23a7640b9b --instance-type t3.micro 

or tagging only the instance, not the volume:

$ aws --profile test ec2 run-instances --image-id ami-0bbc25e23a7640b9b --instance-type t3.micro --tag-specifications 'ResourceType=instance,Tags=[{Key=key1,Value=production}]'

Both calls failed:

An error occurred (UnauthorizedOperation) when calling the RunInstances operation: You are not authorized to perform this operation. 

Then I tried with both tags (any values):

$ aws --profile test ec2 run-instances --image-id ami-0bbc25e23a7640b9b --instance-type t3.micro --tag-specifications 'ResourceType=instance,Tags=[{Key=key1,Value=value1}]' 'ResourceType=volume,Tags=[{Key=key1,Value=value1}]'

It worked!

{
    "Groups": [],
    "Instances": [
        {
            "AmiLaunchIndex": 0,
            "ImageId": "ami-0bbc25e23a7640b9b",
            "InstanceId": "i-04aa7bd64b5f2ed22",
...
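The three CLI results above follow from how IAM authorizes RunInstances: the call is evaluated once per resource ARN it touches (image, subnet, network interface, security group, key pair, instance and, for an EBS-backed AMI, volume), and a tag condition on the instance/volume statement sees only the tags supplied for that particular resource type. With no tags, aws:TagKeys is absent and ForAnyValue:StringEquals is false; with tags on the instance only, the volume ARN still has no matching Allow and the whole call is an implicit deny. Tags supplied at launch additionally need ec2:CreateTags, which the last statement grants only when ec2:CreateAction is RunInstances. The following toy evaluator is an added example, not code from the post or from AWS; it models just the IAM subset these policies use and reproduces the experiments. The STRICT policy is an assumed variant, not from the post: it shows that ForAnyValue with ["environment", "webserver"] accepts a launch tagged only `webserver`, whereas aws:RequestTag/environment plus ForAllValues pins the key, its allowed values and the set of other keys that may appear.

```python
"""Toy model of the per-resource IAM evaluation behind ec2:RunInstances.
Added example (not from the original post or AWS). Supports only the IAM
subset these policies use: Allow statements, resource-type matching,
aws:TagKeys set operators, aws:RequestTag, ec2:CreateAction, implicit deny."""
from fnmatch import fnmatch

# Resource types RunInstances is authorized against. 'volume' is present for
# EBS-backed AMIs, which the t3.micro launches in the post are.
RUN_INSTANCES_RESOURCES = ("image", "subnet", "network-interface",
                           "security-group", "key-pair", "instance", "volume")


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _resource_type(arn_pattern):
    # "arn:aws:ec2:*:*:instance/*" -> "instance"; "arn:aws:ec2:*:*:*/*" -> "*"
    return arn_pattern.rsplit(":", 1)[1].split("/", 1)[0]


def _condition_ok(condition, tags, create_action):
    """Evaluate a Condition block for one resource; tags = that resource's tags."""
    tag_keys = set(tags)
    for operator, block in condition.items():
        for key, wanted in block.items():
            wanted = set(_as_list(wanted))
            if key == "aws:TagKeys" and operator == "ForAnyValue:StringEquals":
                # At least one request key must be listed; no tags -> False.
                # This is the operator that actually *requires* a tag.
                if not tag_keys & wanted:
                    return False
            elif key == "aws:TagKeys" and operator == "ForAllValues:StringEquals":
                # Every request key must be listed. An empty set passes, so
                # ForAllValues alone cannot require a tag; it only bounds keys.
                if not tag_keys <= wanted:
                    return False
            elif key.startswith("aws:RequestTag/") and operator == "StringEquals":
                # Missing tag -> missing condition key -> StringEquals is false.
                if tags.get(key.split("/", 1)[1]) not in wanted:
                    return False
            elif key == "ec2:CreateAction" and operator == "StringEquals":
                if create_action not in wanted:
                    return False
            else:
                raise ValueError(f"unsupported condition {operator} {key}")
    return True


def _allowed(policy, action, rtype, tags, create_action=None):
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if not any(fnmatch(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(_resource_type(r) in (rtype, "*") for r in _as_list(st["Resource"])):
            continue
        if _condition_ok(st.get("Condition", {}), tags, create_action):
            return True
    return False  # implicit deny: no Allow matched this resource


def run_instances(policy, tag_specifications):
    """tag_specifications mirrors --tag-specifications: {"instance": {k: v}, "volume": {k: v}}.
    Returns "ok" or the first failing check (the real API only says UnauthorizedOperation)."""
    for rtype in RUN_INSTANCES_RESOURCES:
        tags = tag_specifications.get(rtype, {})
        if not _allowed(policy, "ec2:RunInstances", rtype, tags):
            return f"denied: ec2:RunInstances on {rtype}"
        # Launch-time tags also need ec2:CreateTags with ec2:CreateAction=RunInstances.
        if tags and not _allowed(policy, "ec2:CreateTags", rtype, tags, "RunInstances"):
            return f"denied: ec2:CreateTags on {rtype}"
    return "ok"


def make_policy(tag_condition):
    """The blog policy from the post, with the instance/volume condition pluggable."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ec2:RunInstances",
         "Resource": ["arn:aws:ec2:*::image/*", "arn:aws:ec2:*::snapshot/*",
                      "arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:network-interface/*",
                      "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:key-pair/*"]},
        {"Effect": "Allow", "Action": ["ec2:CreateVolume", "ec2:RunInstances"],
         "Resource": ["arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:instance/*"],
         "Condition": tag_condition},
        {"Effect": "Allow", "Action": "ec2:CreateTags",
         "Resource": ["arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:instance/*"],
         "Condition": {"StringEquals": {"ec2:CreateAction": "RunInstances"}}},
    ]}


# BLOG = the posted policy (key1); LOOSE = the question's key list;
# STRICT = an assumed hardened variant (not from the post) that pins a required
# key and its values and bounds which other keys may appear.
BLOG = make_policy({"ForAnyValue:StringEquals": {"aws:TagKeys": ["key1"]}})
LOOSE = make_policy({"ForAnyValue:StringEquals": {"aws:TagKeys": ["environment", "webserver"]}})
STRICT = make_policy({
    "StringEquals": {"aws:RequestTag/environment": ["production", "staging"]},
    "ForAllValues:StringEquals": {"aws:TagKeys": ["environment", "Name"]},
})
```

Calling `run_instances(BLOG, {})` reports the denial on the instance ARN, tagging only the instance moves the denial to the volume ARN, and tagging both returns "ok", which is the sequence seen in the CLI above. The model deliberately stops at this subset: it has no Deny statements, no account or region matching in ARNs, and no wildcard resource matching beyond the resource-type segment, so use the IAM policy simulator or a real test principal before trusting a policy in production.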
