
Associate existing IAM role with EC2 instance in CloudFormation

How can I use an existing IAM role for an EC2 instance, as opposed to creating a new one in my CloudFormation template?

For example, I have created a role in AWS Console and just want to use that.

You can use an existing InstanceProfile instead of creating a new one from within the stack. In fact, one might already be created for you - from the docs:

If you use the AWS Management Console to create a role for Amazon EC2, the console automatically creates an instance profile and gives it the same name as the role.

This means that you might not have to create an AWS::IAM::InstanceProfile resource in the stack. However, note also that:

The console does not create an instance profile for a role that is not associated with Amazon EC2.

In this case you can do it manually from the AWS CLI using these 2 commands:

aws iam create-instance-profile --instance-profile-name MyExistingRole
aws iam add-role-to-instance-profile --instance-profile-name MyExistingRole --role-name MyExistingRole

Then, provided you've defined a role in the UI named MyExistingRole, this will be sufficient:

"Resources" : {

  "Instance" : {
    "Type" : "AWS::EC2::Instance",
    ...
    "Properties" : {
      "IamInstanceProfile" : "MyExistingRole",
      ...
    }
  }
}

You need an instance profile, a role, and the instance info (or launch configuration) itself.

Your instance profile would look like this:

"Resources" : {
  "InstanceProfile" : {
    "Type" : "AWS::IAM::InstanceProfile",
    "Properties" : {
      "Path" : "/",
      "Roles" : ["MyExistingRole"]
    }
  },

  "Instance" : {
    "Type" : "AWS::EC2::Instance",
    "Properties" : {
      "IamInstanceProfile" : {"Ref" : "InstanceProfile"},
      ...
    }
  }
}

In particular, note that the reference in the instance profile is to an existing RoleName.

Also, I've written about bootstrapping instances, which uses instance profiles and roles to ensure we're not persisting security.

The key thing is to use the actual name of the role rather than {"Ref" : "RoleName"} etc.

What are you trying to do with the IAM role?

I have a cfn script that needs access to a restricted S3 bucket. My instance block looks like this - bucketName and RoleName are both parameters, with defaults:

"Resources" : {
    "myInstance" : {
        "Type" : "AWS::EC2::Instance",

        "Metadata" : {
            "Comment1" : "My Instance stuff here",     

            "AWS::CloudFormation::Authentication": {
                "default" : {
                    "type": "s3",
                    "buckets": [ { "Ref" : "bucketName" } ],
                    "roleName": { "Ref" : "RoleName" }
                }
            },
...snip...

Edit: I include the role as part of the properties when creating the instance:

        "Properties" : {
            "ImageId"             : { "Fn::FindInMap" : [ "RegionMap", { "Ref" : "AWS::Region" }, "64"] },
            "InstanceType"        : { "Ref" : "InstanceType" },
            "SecurityGroups"      : [ {"Ref" : "SecurityGroup"} ],
            "IamInstanceProfile"  : { "Ref" : "RoleName" },
            "KeyName"             : { "Ref" : "KeyName" },

            "BlockDeviceMappings" : [
                {
                    "DeviceName" : "/dev/sda1",
                    "Ebs" : { "VolumeSize" : "10" } 
                }
            ],

            "UserData"            : { "Fn::Base64" : { "Fn::Join" : ["", [
                "#!/bin/bash -v\n",
...snip...
            ] ] } }

And the RoleName is defined in my Parameters section:

"Parameters" : {

  "RoleName" : {
    "Description" : "Role description",
    "Type" : "String",
    "Default" : "my-default-role",
    "ConstraintDescription" : "Must be a valid IAM Role"
  }
}

Just enter the existing role name created in the Amazon console into the EC2 resource's IamInstanceProfile property.

Resources:
  TestEC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t2.micro
      IamInstanceProfile: ExistingRoleName
      Tags:
        - Key: Name
          Value: Public Instance

For those using launch templates, the syntax is a little different compared to EC2 instances or launch configs.

Below is a YAML example where you are using launch templates.

LaunchTemplate:
  Type: AWS::EC2::LaunchTemplate
  Properties:
    LaunchTemplateData:
      IamInstanceProfile:
        Name: !Ref ExistingInstanceProfileName
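A static check of the patterns discussed across these answers (an added example, not code from the original post or any answerer): it walks a template's Resources and reports whether each instance, launch configuration or launch template points at an existing instance profile by literal name or parameter, at an AWS::IAM::InstanceProfile created in the stack, or mistakenly at an AWS::IAM::Role, and whether a launch template uses the nested Name/Arn shape. The sample template at the bottom is constructed for the example.

```python
import json

def classify_profile(value, template):
    if isinstance(value, str):                  # literal name: the profile must already exist
        return "existing-profile", value
    if isinstance(value, dict) and "Ref" in value:
        target = value["Ref"]
        if target in template.get("Parameters", {}):   # Ref to a parameter yields its value
            return "existing-profile", "param:" + target
        rtype = template.get("Resources", {}).get(target, {}).get("Type")
        if rtype == "AWS::IAM::InstanceProfile":  # profile created in this stack
            return "stack-profile", target
        if rtype == "AWS::IAM::Role":             # Ref on a Role is a role name, not a profile
            return "error-role-not-profile", target
        return "error-unknown-ref", target
    return "error-bad-shape", repr(value)

def check_template(template_json):
    # Map each EC2-style resource's logical id to a (kind, name) classification.
    template = json.loads(template_json)
    findings = {}
    for lid, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype in ("AWS::EC2::Instance", "AWS::AutoScaling::LaunchConfiguration"):
            if "IamInstanceProfile" in props:
                findings[lid] = classify_profile(props["IamInstanceProfile"], template)
        elif rtype == "AWS::EC2::LaunchTemplate":  # nests the profile as {"Name": ..} or {"Arn": ..}
            ip = props.get("LaunchTemplateData", {}).get("IamInstanceProfile")
            if isinstance(ip, dict) and ("Name" in ip or "Arn" in ip):
                findings[lid] = classify_profile(ip.get("Name", ip.get("Arn")), template)
            elif ip is not None:
                findings[lid] = ("error-launch-template-shape", repr(ip))
    return findings

# Constructed sample template with one resource per pattern seen in the answers above.
def _ec2(profile):
    return {"Type": "AWS::EC2::Instance", "Properties": {"IamInstanceProfile": profile}}

SAMPLE = json.dumps({
    "Parameters": {"RoleName": {"Type": "String", "Default": "my-default-role"}},
    "Resources": {
        "Role": {"Type": "AWS::IAM::Role", "Properties": {}},
        "Profile": {"Type": "AWS::IAM::InstanceProfile", "Properties": {"Roles": ["MyExistingRole"]}},
        "ByName": _ec2("MyExistingRole"), "ByParam": _ec2({"Ref": "RoleName"}),
        "ByProfile": _ec2({"Ref": "Profile"}), "ByRole": _ec2({"Ref": "Role"}),
        "Tmpl": {"Type": "AWS::EC2::LaunchTemplate", "Properties": {"LaunchTemplateData": {
            "IamInstanceProfile": {"Name": "MyExistingRole"}}}},
        "BadTmpl": {"Type": "AWS::EC2::LaunchTemplate", "Properties": {"LaunchTemplateData": {
            "IamInstanceProfile": "MyExistingRole"}}},
    },
})
```

Anything reported as existing-profile still has to be confirmed out of band (for example with `aws iam get-instance-profile`), since the template alone cannot prove the profile exists or that it contains the intended role.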
