
Why is AWS denying permission when IAM is set to allow all?

I'm trying to run a script that creates tables in DynamoDB. The first table is created just fine, but the 2nd table runs into a permission problem, which seems to be IAM related.

This is a Python security tool that requires an initial setup, and part of that is creating two DynamoDB tables. I'm able to create the first table just fine but run into issues with the 2nd table.

The user role has wide-open AWS permissions, so I don't see how this is an issue.

Python 3.7.3, if the version is necessary.

Traceback (most recent call last):
  File "argos_config_setup.py", line 28, in check_account_table
    response = client.describe_table(TableName=argos_account_table)
  File "/Users/generic_user/.virtualenvs/myvenv/lib/python3.7/site-packages/botocore/client.py", line 357, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/Users/generic_user/.virtualenvs/myvenv/lib/python3.7/site-packages/botocore/client.py", line 661, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.errorfactory.ResourceNotFoundException: An error occurred (ResourceNotFoundException) when calling the DescribeTable operation: Requested resource not found: Table: argos_accounts not found

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "argos_config_setup.py", line 240, in <module>
    check_account_table()
  File "argos_config_setup.py", line 34, in check_account_table
    create_account_table(argos_account_table)
  File "argos_config_setup.py", line 103, in create_account_table
    for accounts_itr in account_iterator:
  File "/Users/generic_user/.virtualenvs/myvenv/lib/python3.7/site-packages/botocore/paginate.py", line 255, in __iter__
    response = self._make_request(current_kwargs)
  File "/Users/generic_user/.virtualenvs/myvenv/lib/python3.7/site-packages/botocore/paginate.py", line 332, in _make_request
    return self._method(**current_kwargs)
  File "/Users/generic_user/.virtualenvs/myvenv/lib/python3.7/site-packages/botocore/client.py", line 357, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/Users/generic_user/.virtualenvs/myvenv/lib/python3.7/site-packages/botocore/client.py", line 661, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.errorfactory.AccessDeniedException: An error occurred (AccessDeniedException) when calling the ListAccounts operation: You don't have permissions to access this resource.

AWS JSON policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "*",
                "Resource": "*"
            }
        ]
    }

A 2nd DynamoDB table is supposed to be created.

Below is the create_account_table function:

    import boto3

    def create_account_table(argos_account_table):
        # Enumerate every account in the organization; this is the ListAccounts call
        # that fails with AccessDeniedException in the traceback above
        org_client = boto3.client('organizations')
        paginator = org_client.get_paginator('list_accounts')
        account_iterator = paginator.paginate()
        accounts = []
        for accounts_itr in account_iterator:
            for account in accounts_itr['Accounts']:
                accounts.append({'id': account['Id'], 'name': account['Name'], 'email': account['Email'],
                                 'environment': ''})

        # Create the on-demand table keyed by account id
        dynamodb_client = boto3.client('dynamodb')
        dynamodb_client.create_table(
            AttributeDefinitions=[
                {
                    "AttributeName": "id",
                    "AttributeType": "S"
                }
            ],
            TableName=argos_account_table,
            KeySchema=[
                {
                    "AttributeName": "id",
                    "KeyType": "HASH"
                }
            ],
            BillingMode='PAY_PER_REQUEST'
        )
        # create_table returns while the table is still CREATING; wait until it is ACTIVE before writing
        dynamodb_client.get_waiter('table_exists').wait(TableName=argos_account_table)

        dynamodb_resource = boto3.resource('dynamodb')
        table = dynamodb_resource.Table(argos_account_table)
        with table.batch_writer() as batch:
            for account in accounts:
                batch.put_item(
                    Item={
                        'id': account['id'],
                        'name': account['name'],
                        'email': account['email'],
                        'environment': account['environment'],
                    }
                )

Without seeing how you are creating the tables, I can only tell you two things:

The first error you encountered is because you are trying to describe a table that can't be found (404 error).

While trying to handle the unfound table error, it appears your code tried a ListAccounts call, which depends on the AWS Organization settings you have. It appears your user doesn't have ListAccounts permission either.

Could you post the snippet of how you are trying to create the tables? Here we can only see you make a describeTable call instead of a createTable.
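An added example (not the asker's or the answerer's code) that separates the two failures chained in the traceback: a missing table is a ResourceNotFoundException to recover from, an AccessDeniedException is surfaced unchanged, and the Organizations precondition is checked up front, because ListAccounts is served only to the management account (or a delegated administrator), whatever the caller's own identity policy allows. The boto3 clients are injected, so the block runs offline against constructed fakes; the account IDs, the fake client classes and the table name are constructed, not taken from the question.

```python
def error_code(exc):
    """AWS error code from a botocore ClientError (or any object with the same .response shape)."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code", "")
def table_exists(dynamodb, table_name):
    """Only ResourceNotFoundException means 'create it'; anything else (e.g. AccessDenied) is re-raised."""
    try:
        dynamodb.describe_table(TableName=table_name)
        return True
    except Exception as exc:
        if error_code(exc) == "ResourceNotFoundException":
            return False
        raise

def organizations_access_check(sts, organizations):
    """ListAccounts is served only to the management account (or a delegated administrator), so an
    identity policy of Allow */* in a member account still gets AccessDeniedException. Returns (ok, reason)."""
    caller = sts.get_caller_identity()["Account"]
    try:
        mgmt = organizations.describe_organization()["Organization"]["MasterAccountId"]
    except Exception as exc:  # e.g. AWSOrganizationsNotInUseException when the account is standalone
        return False, f"describe_organization failed: {error_code(exc) or exc}"
    if caller != mgmt:
        return False, f"caller account {caller} is not the management account {mgmt}"
    return True, "caller is the management account"

def run_setup_checks(sts, organizations, dynamodb, table_name):
    """Both pre-flight checks the original script conflated, as a plain dict the caller can act on."""
    ok, reason = organizations_access_check(sts, organizations)
    return {"table_exists": table_exists(dynamodb, table_name), "can_list_accounts": ok, "reason": reason}
class FakeAwsError(Exception):
    """Constructed stand-in for botocore.exceptions.ClientError (same .response layout)."""
    def __init__(self, code, message):
        super().__init__(message)
        self.response = {"Error": {"Code": code, "Message": message}}
class FakeClient:
    """Constructed stand-in for a boto3 client: method name -> return value, or an exception to raise."""
    def __init__(self, **behaviour):
        self.behaviour = behaviour
    def __getattr__(self, name):
        def call(**kwargs):
            if isinstance(self.behaviour[name], Exception):
                raise self.behaviour[name]
            return self.behaviour[name]
        return call

if __name__ == "__main__":  # constructed scenario from the question: member account, table not yet created
    sts = FakeClient(get_caller_identity={"Account": "111111111111"})
    orgs = FakeClient(describe_organization={"Organization": {"MasterAccountId": "999999999999"}})
    ddb = FakeClient(describe_table=FakeAwsError("ResourceNotFoundException", "Table: argos_accounts not found"))
    print(run_setup_checks(sts, orgs, ddb, "argos_accounts"))
```

For real use, pass boto3.client("sts"), boto3.client("organizations") and boto3.client("dynamodb") in place of the fakes; the check functions themselves do not change.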
