I am trying to bundle, upload and register an instance-store AMI from a running instance. When it comes to calling ec2-register, the response I get is:
Client.UnauthorizedOperation: You are not authorized to perform this operation.
The instance is running with the permissions granted by an IAM role. The policy is the preset Data Pipeline one:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:List*",
                "s3:Put*",
                "s3:Get*",
                "s3:DeleteObject",
                "dynamodb:DescribeTable",
                "dynamodb:Scan",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:BatchGetItem",
                "dynamodb:UpdateTable",
                "rds:DescribeDBInstances",
                "rds:DescribeDBSecurityGroups",
                "redshift:DescribeClusters",
                "redshift:DescribeClusterSecurityGroups",
                "cloudwatch:PutMetricData",
                "datapipeline:PollForTask",
                "datapipeline:ReportTaskProgress",
                "datapipeline:SetTaskStatus",
                "datapipeline:PollForTask",
                "datapipeline:ReportTaskRunnerHeartbeat"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
What do I need to add here to authorize ec2-register to run? Or am I misunderstanding how all of this works?
The final answer was simple: just add the right string to the Action array in the JSON policy above. I also did not need the permissions related to DynamoDB, RDS, Redshift or Data Pipeline, so I removed them.
First, I fixed it by making the permissions broad enough to work (on the services I needed, S3 and EC2):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*",
                "ec2:*",
                "cloudwatch:PutMetricData"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
Then I narrowed it down to the exact commands I wanted to call by replacing the * in "ec2:*" with the specific actions I needed.
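A small policy checker, added here as an example and not code from the original post: it applies IAM's action wildcard matching to the question's original policy, the broad s3:*/ec2:* policy and a narrowed version, and reports which of the workflow's actions each policy leaves unauthorized. It assumes that ec2-register maps to the ec2:RegisterImage API action and that the bundle upload needs s3:PutObject, s3:GetObject and s3:ListBucket (assumptions, not stated in the post); Resource and Condition are ignored because every statement here uses Resource "*".

```python
import re

# Constructed from the question: the Data Pipeline style policy (abridged to the
# actions that matter here), the broad fix, and a narrowed least-privilege version.
ORIGINAL_POLICY = {"Statement": [{"Effect": "Allow", "Action": [
    "s3:List*", "s3:Put*", "s3:Get*", "s3:DeleteObject", "cloudwatch:PutMetricData",
    "datapipeline:PollForTask"], "Resource": ["*"]}]}
BROAD_POLICY = {"Statement": [{"Effect": "Allow", "Action": [
    "s3:*", "ec2:*", "cloudwatch:PutMetricData"], "Resource": ["*"]}]}
# Assumption: ec2-register calls the RegisterImage API, so that is the single EC2
# action the narrowed policy needs; the S3 actions cover the bundle upload.
NARROW_POLICY = {"Statement": [{"Effect": "Allow", "Action": [
    "s3:PutObject", "s3:GetObject", "s3:ListBucket", "ec2:RegisterImage"],
    "Resource": ["*"]}]}

# Actions the bundle/upload/register workflow issues (assumption, for illustration).
NEEDED_ACTIONS = ["s3:ListBucket", "s3:PutObject", "s3:GetObject", "ec2:RegisterImage"]


def action_matches(pattern, action):
    """IAM action matching: case-insensitive, '*' matches any run, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def is_allowed(policy, action):
    """Simplified IAM evaluation for one action: an explicit Deny wins over any Allow,
    and with no matching statement the result is an implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        patterns = stmt.get("Action", [])
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(action_matches(p, action) for p in patterns):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def missing_actions(policy, needed=NEEDED_ACTIONS):
    """Return the needed actions the policy does not allow, i.e. the calls that
    would fail with Client.UnauthorizedOperation, in call order."""
    return [a for a in needed if not is_allowed(policy, a)]


if __name__ == "__main__":
    for name, pol in [("original", ORIGINAL_POLICY), ("broad", BROAD_POLICY), ("narrow", NARROW_POLICY)]:
        print(f"{name:8s} missing: {missing_actions(pol)}")
    # The broad policy also allows unrelated actions such as ec2:TerminateInstances;
    # the narrowed one allows only what the workflow actually calls.
```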