I am trying to stop and start the EC2 instances behind an ASG within a specific time window. Even after granting the role what I believe are the appropriate permissions, I get an access denied error.
resource "aws_autoscaling_group" "asg" {
  name                      = "${var.environment}-airflow-asg"
  launch_configuration      = aws_launch_configuration.lc.name
  target_group_arns         = [aws_lb_target_group.lb_tg.arn]
  max_size                  = var.asg_max_size
  min_size                  = var.asg_min_size
  desired_capacity          = var.asg_desired_capacity
  health_check_grace_period = 300
  health_check_type         = "EC2"
  # availability_zones conflicts with vpc_zone_identifier in the AWS provider;
  # the subnets already determine the zones, so only vpc_zone_identifier is set.
  vpc_zone_identifier       = [data.aws_subnet.app_subnet_0.id, data.aws_subnet.app_subnet_1.id]
  force_delete              = true

  lifecycle {
    create_before_destroy = true
  }

  # ASG tags are a list of {key, value, propagate_at_launch} objects, not a plain
  # map, so the common tags are converted with a for expression. Only one Name
  # tag is emitted; the same key twice is rejected by the API.
  tags = concat(
    [for k, v in merge(var.common_tags, { Classification = "private" }) : {
      key                 = k
      value               = v
      propagate_at_launch = true
    }],
    [{
      key                 = "Name"
      value               = "${var.environment}-airflow"
      propagate_at_launch = true
    }],
  )
}
# Scale the group to zero each weekday at 18:00. Note that this terminates the
# instances rather than stopping them; the 08:00 action launches fresh ones.
# The cron expression is evaluated in UTC unless time_zone is set on the schedule.
resource "aws_autoscaling_schedule" "asg_stop" {
  scheduled_action_name  = "${var.environment}-asg_stop"
  min_size               = 0
  max_size               = 0
  desired_capacity       = 0
  recurrence             = "00 18 * * MON-FRI"
  autoscaling_group_name = aws_autoscaling_group.asg.name
}

# Restore the configured capacity each weekday at 08:00.
resource "aws_autoscaling_schedule" "asg_start" {
  scheduled_action_name  = "${var.environment}-asg_start"
  min_size               = var.asg_min_size
  max_size               = var.asg_max_size
  desired_capacity       = var.asg_desired_capacity
  recurrence             = "00 08 * * MON-FRI"
  autoscaling_group_name = aws_autoscaling_group.asg.name
}
Running terraform apply fails with:
Error Creating Autoscaling Scheduled Action: AccessDenied: User: arn:aws:sts::12345678910:assumed-role/jenkins/AssumeRoleSessionOrchestration is not authorized to perform: autoscaling:PutScheduledUpdateGroupAction on resource: arn:aws:autoscaling:eu-central-1:12345678910:autoScalingGroup:bb231f2f-7336-471a-bba6-312969c65523:autoScalingGroupName/asg
status code: 403, request id: dbc1da6e-ad34-11e9-8c30-bd488dac5c78
on ../../modules/airflow/asg.tf line 51, in resource "aws_autoscaling_schedule" "asg_stop":
51: resource "aws_autoscaling_schedule" "asg_stop"
My role has the following permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RDSPermissions",
      "Effect": "Allow",
      "Action": [
        "rds:*",
        "application-autoscaling:DeleteScalingPolicy",
        "application-autoscaling:DeleteScheduledAction",
        "application-autoscaling:DeregisterScalableTarget",
        "application-autoscaling:DescribeScalableTargets",
        "application-autoscaling:DescribeScalingActivities",
        "application-autoscaling:DescribeScalingPolicies",
        "application-autoscaling:PutScheduledUpdateGroupAction",
        "application-autoscaling:PutScalingPolicy",
        "application-autoscaling:RegisterScalableTarget",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:DeleteAlarms",
        "sns:ListSubscriptions",
        "sns:ListTopics",
        "sns:Publish",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents"
      ],
      "Resource": "*"
    }
  ]
}
You are confusing the similarly named application-autoscaling and autoscaling IAM namespaces.

Application Auto Scaling is used to scale things such as ECS services and DynamoDB table read/write capacity. The other type, autoscaling, is the more standard EC2 Auto Scaling that scales groups of instances horizontally, and it is the one Auto Scaling groups require.

So to fix this, just change the application-autoscaling:* actions to autoscaling:*:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RDSPermissions",
      "Effect": "Allow",
      "Action": [
        "rds:*",
        "autoscaling:DeletePolicy",
        "autoscaling:DeleteScheduledAction",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribePolicies",
        "autoscaling:DescribeScalingActivities",
        "autoscaling:DescribeScheduledActions",
        "autoscaling:PutScalingPolicy",
        "autoscaling:PutScheduledUpdateGroupAction",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:DeleteAlarms",
        "sns:ListSubscriptions",
        "sns:ListTopics",
        "sns:Publish",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents"
      ],
      "Resource": "*"
    }
  ]
}
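The AccessDenied message in the question names the exact action and resource ARN that were refused, and the answer's fix is a service-prefix change in the policy. The following is an added example in Python, not code from the question or the answer: it parses that message, evaluates it offline against a policy document using IAM's wildcard rules and Deny-overrides-Allow semantics, and flags "near misses" where the same operation name is allowed under a different service prefix, which is exactly the application-autoscaling/autoscaling mix-up. The sample inputs are the question's own error text plus two policies constructed here: a cut-down copy of the question's policy and a least-privilege rewrite that is my assumption, not the answer's. The checker evaluates only Action and Resource; it raises on Condition, NotAction or NotResource rather than guess.

```python
"""Offline triage of an AWS AccessDenied error against an IAM identity policy.

Added example, not the question's or answer's code. Only Action and Resource are
evaluated (no Condition, NotAction/NotResource, SCPs, boundaries or resource
policies): it shows why a statement did not match, not IAM's full decision.
"""
import json
import re

# Shape of the message the AWS SDK returns and Terraform prints (see the question).
ACCESS_DENIED_RE = re.compile(
    r"User: (?P<principal>arn:aws:(?:iam|sts)::\d+:\S+) is not authorized to perform: "
    r"(?P<action>[A-Za-z0-9-]+:[A-Za-z0-9*?]+) on resource: (?P<resource>arn:aws:\S+)"
)

def parse_access_denied(message):
    """Extract principal, action and resource ARN from an AccessDenied message."""
    m = ACCESS_DENIED_RE.search(message)
    if m is None:
        raise ValueError("no AccessDenied triple found in message")
    return m.groupdict()

def _iam_pattern(pattern, case_insensitive):
    """IAM wildcards: '*' is any run of characters, '?' exactly one; nothing else is special."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.compile(regex, re.IGNORECASE if case_insensitive else 0)

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def statement_matches(stmt, action, resource):
    """True when both the Action and the Resource element cover the request."""
    for key in ("NotAction", "NotResource", "Condition"):
        if key in stmt:
            raise NotImplementedError(f"{key} is not evaluated by this checker")
    # Action names match case-insensitively; ARNs match case-sensitively.
    action_hit = any(_iam_pattern(a, True).match(action) for a in _as_list(stmt.get("Action")))
    resource_hit = any(_iam_pattern(r, False).match(resource) for r in _as_list(stmt.get("Resource")))
    return action_hit and resource_hit

def is_allowed(policy, action, resource):
    """Identity-policy verdict: explicit Deny wins, then any matching Allow, else implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if statement_matches(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def near_misses(policy, action):
    """Allowed actions with the denied operation name under another service prefix."""
    wanted_svc, wanted_op = action.lower().split(":", 1)
    hits = []
    for stmt in policy["Statement"]:
        for a in _as_list(stmt.get("Action")):
            if stmt["Effect"] == "Allow" and ":" in a:
                svc, op = a.lower().split(":", 1)
                if op == wanted_op and svc != wanted_svc:
                    hits.append(a)
    return hits

def diagnose(message, policy):
    """What was denied, whether the policy as written allows it, and likely prefix typos."""
    parsed = parse_access_denied(message)
    return {**parsed,
            "allowed_by_policy": is_allowed(policy, parsed["action"], parsed["resource"]),
            "near_misses": near_misses(policy, parsed["action"])}

# Constructed inputs: the question's error text (with its made-up account id) and its
# policy cut down to the statement that matters here.
ERROR_MESSAGE = (
    "AccessDenied: User: arn:aws:sts::12345678910:assumed-role/jenkins/AssumeRoleSessionOrchestration"
    " is not authorized to perform: autoscaling:PutScheduledUpdateGroupAction on resource: "
    "arn:aws:autoscaling:eu-central-1:12345678910:autoScalingGroup:bb231f2f-7336-471a-bba6-312969c65523:autoScalingGroupName/asg"
)
ORIGINAL_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Resource": "*",
                 "Action": ["application-autoscaling:PutScheduledUpdateGroupAction",
                            "application-autoscaling:DeleteScheduledAction"]}]
}""")

# Least-privilege rewrite (an assumption, not the answer's policy): the EC2 Auto Scaling
# namespace, the calls Terraform needs to create, read and destroy the schedule, and a
# group-scoped ARN. The UUID segment is assigned at creation, hence the wildcard there;
# Auto Scaling Describe* calls do not support resource-level permissions and need "*".
FIXED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["autoscaling:PutScheduledUpdateGroupAction", "autoscaling:DeleteScheduledAction"],
     "Resource": "arn:aws:autoscaling:eu-central-1:12345678910:autoScalingGroup:*:autoScalingGroupName/asg"},
    {"Effect": "Allow", "Action": "autoscaling:DescribeScheduledActions", "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    for policy in (ORIGINAL_POLICY, FIXED_POLICY):
        print(json.dumps(diagnose(ERROR_MESSAGE, policy), indent=2))
```

Run as a script it prints both diagnoses; for a real role, feed is_allowed the document returned by aws iam get-role-policy. The local check only tells you what the identity policy says. The authoritative answer to "why was this denied" is aws iam simulate-principal-policy, or the CloudTrail event for the request ID in the error, both of which also account for SCPs and permission boundaries that no local matcher sees.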