
Error launching source instance: UnauthorizedOperation: You are not authorized to perform this operation

I am trying to launch an EC2 instance using Terraform and I am getting the following error:

Error launching source instance: UnauthorizedOperation: You are not authorized to perform this operation.

I have applied the AdministratorAccess policy to my IAM account, so I guess there should not be an IAM restriction issue.

Also, I have MFA enabled for my account, but I am using an STS token and the API calls are being accepted by Amazon, so this should not be the issue either.

The Terraform code that I am using is very simple:

provider "aws" {
  region = "us-east-1"
}

resource "aws_instance" "web" {
  ami           = "ami-00d4e9ff62bc40e03"
  instance_type = "t2.micro"
  tags = {
    Name = "HelloWorld"
  }
}

Please could you assist me, as I have tried so many things but didn't manage to solve the issue. Thanks in advance!

If you've got this error too: I fixed the same by recreating the user in the AWS IAM console and then the access/secret key. Why that happened: I mistakenly uploaded the tfvars file containing the access key and secret key to my GitHub repo, which was identified by AWS, and it then restricted access for that particular IAM user. Hats off to AWS for this micro-level monitoring and security standard.

Go to the user you have created for Terraform from iamadmin, then check the Policies. I found that the "AWSCompromisedKeyQuarantineV2" policy was attached directly. The description of the policy is:

Policy ARN: arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV2
Description: Denies access to certain actions, applied by the AWS team in the event that an IAM user's credentials have been compromised or exposed publicly. Do NOT remove this policy. Instead, please follow the instructions specified in the support case created for you regarding this event.

Check open issues in AWS notifications; it will show you "Risk: IAM quarantine":

Your AWS Account may be compromised! We have opened a Support Case with more details. Please visit the AWS Support Center https://aws.amazon.com/support to review the case we've opened for you and take action immediately.

You can try enabling debug when running the template to get a better idea of which permission is missing:

TF_LOG=DEBUG terraform apply

Maybe the reason is:

  • This is a new AWS account and the activation process hasn't finished yet.
  • Your AWS keys don't have enough permissions to launch EC2 instances.

Please use the STS service to decode the authorization token that you get with your response. It will state the exact action you don't have permission to perform.

This is only the first step; you can read more on this in this documentation:

https://aws.amazon.com/premiumsupport/knowledge-center/ec2-not-auth-launch/
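The decoded authorization message and the attached-policy list are what the answers above tell you to look at (the quarantine policy from the earlier answer, the STS decode step from this one). The following is an added example, not code from the question or any answer: an offline triage script that reads the JSON you would save from the real CLI calls `aws sts decode-authorization-message --encoded-message <token>` and `aws iam list-attached-user-policies --user-name <user>`. Both sample documents, the account id, principal and policy ids in it are constructed placeholders.

```python
import json

QUARANTINE_POLICY_ARN = "arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV2"

# Constructed sample of the DecodedMessage field returned by decode-authorization-message
# for a denied ec2:RunInstances call. Account id, principal and policy ids are placeholders.
SAMPLE_DECODED = json.dumps({
    "allowed": False,
    "explicitDeny": True,
    "matchedStatements": {"items": [
        {"sourcePolicyId": "AWSCompromisedKeyQuarantineV2", "sourcePolicyType": "IAM Policy"}
    ]},
    "failures": {"items": []},
    "context": {
        "principal": {"id": "AIDAPLACEHOLDER", "arn": "arn:aws:iam::111122223333:user/terraform"},
        "action": "ec2:RunInstances",
        "resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
        "conditions": {"items": [{"key": "aws:Region", "values": {"items": [{"value": "us-east-1"}]}}]},
    },
})

# Constructed sample of `aws iam list-attached-user-policies` output for the same user.
SAMPLE_ATTACHED = {"AttachedPolicies": [
    {"PolicyName": "AdministratorAccess", "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
    {"PolicyName": "AWSCompromisedKeyQuarantineV2", "PolicyArn": QUARANTINE_POLICY_ARN},
]}


def explain_denial(decoded_message: str) -> dict:
    """Summarise a decoded authorization message: what was denied, on what, and how."""
    msg = json.loads(decoded_message)
    ctx = msg.get("context", {})
    if msg.get("allowed"):
        verdict = "allowed"
    elif msg.get("explicitDeny"):
        verdict = "explicit deny"   # a Deny statement matched: quarantine policy, SCP or boundary
    else:
        verdict = "implicit deny"   # no Allow statement covered this action/resource pair
    return {
        "verdict": verdict,
        "action": ctx.get("action"),
        "resource": ctx.get("resource"),
        "principal": ctx.get("principal", {}).get("arn"),
        "deny_sources": [s.get("sourcePolicyId")
                         for s in msg.get("matchedStatements", {}).get("items", [])],
    }


def quarantine_attached(attached_policies: dict) -> bool:
    """True if AWS has attached the compromised-key quarantine policy to the user."""
    return any(p.get("PolicyArn") == QUARANTINE_POLICY_ARN
               for p in attached_policies.get("AttachedPolicies", []))


def triage(decoded_message: str, attached_policies: dict) -> list:
    """Map the findings onto the remediation paths the answers on this page describe."""
    summary = explain_denial(decoded_message)
    steps = [f"{summary['verdict']} for {summary['action']} on {summary['resource']} "
             f"as {summary['principal']}"]
    if quarantine_attached(attached_policies):
        steps.append("AWSCompromisedKeyQuarantineV2 is attached: the key was exposed; follow the "
                     "AWS support case, rotate the key and purge it from the repository history")
    elif summary["verdict"] == "explicit deny":
        steps.append("explicit deny without quarantine: check Service Control Policies for the "
                     "target region and any permissions boundary on the user")
    elif summary["verdict"] == "implicit deny":
        steps.append("implicit deny: confirm which profile/environment credentials Terraform is "
                     "using (aws sts get-caller-identity) and that AdministratorAccess is attached "
                     "to that principal")
    return steps


if __name__ == "__main__":
    for line in triage(SAMPLE_DECODED, SAMPLE_ATTACHED):
        print(line)
```

The split between explicit and implicit deny is the useful bit: a quarantine policy, an SCP or a permissions boundary all show up as an explicit deny even when AdministratorAccess is attached, whereas a wrong profile or an unactivated account shows up as an implicit one.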

For me the issue was trying to create a resource in a region forbidden by my organization's Service Control Policy. The user credentials were fine.

AWSCompromisedKeyQuarantineV2: check whether this policy is attached to your user, remove it and try again; it will work.

I got this error because I was accessing the wrong profile in my AWS config file.

[default]
aws_access_key_id = AKIA........
aws_secret_access_key = JFV............

[org_1]
aws_access_key_id = AKIA............
aws_secret_access_key = EVg.................

This happened because I was trying to create a resource using the credentials in the default profile, which did not have permission to create an EC2 instance.

This was, however, solved by changing the configuration to point to the profile org_1 I intended to use.

Therefore, if your AWS config file contains more than one profile, reference the correct profile in your Terraform file. For example:

provider "aws" {
  profile = "org_1"
  region  = "us-west-..."
}
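When a credentials file has several profiles, the question is which access key id the AWS provider will actually send. The following is an added example, not code from this answer: it resolves that offline from a Terraform provider block and a shared credentials file, following the provider's documented precedence (static environment variables first, then the shared credentials file, where the provider's `profile` argument wins over AWS_PROFILE and `[default]` is the fallback). The credentials file is constructed: the first key id is AWS's published documentation example and the second is a placeholder; neither is a real credential.

```python
import configparser
import re
from typing import Optional

# Constructed sample of ~/.aws/credentials with two profiles. Key values are
# AWS's documentation example and a made-up placeholder, not real credentials.
SAMPLE_CREDENTIALS = """
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[org_1]
aws_access_key_id = AKIAORG1PLACEHOLDER0
aws_secret_access_key = ORG1-SECRET-PLACEHOLDER
"""

# Constructed provider blocks: one without a profile (falls back to [default])
# and one naming org_1, as in the answer above.
PROVIDER_NO_PROFILE = 'provider "aws" {\n  region = "us-east-1"\n}\n'
PROVIDER_WITH_PROFILE = 'provider "aws" {\n  profile = "org_1"\n  region  = "us-east-1"\n}\n'


def provider_profile(tf_source: str) -> Optional[str]:
    """Return the profile named in the first `provider "aws"` block, or None."""
    block = re.search(r'provider\s+"aws"\s*\{(.*?)\}', tf_source, re.S)
    if not block:
        return None
    found = re.search(r'^\s*profile\s*=\s*"([^"]+)"', block.group(1), re.M)
    return found.group(1) if found else None


def resolve_credentials(tf_source: str, credentials_text: str, env: Optional[dict] = None) -> dict:
    """Work out which access key id Terraform's AWS provider will pick up.

    Precedence assumed here (the provider's documented order): AWS_ACCESS_KEY_ID in
    the environment beats the shared credentials file; inside the file, the
    provider's `profile` argument beats AWS_PROFILE, and [default] is used when
    neither is set. A named profile that is missing from the file is reported
    instead of silently falling back, since that is the mistake being diagnosed.
    """
    env = env or {}
    if env.get("AWS_ACCESS_KEY_ID"):
        return {"source": "environment", "profile": None,
                "access_key_id": env["AWS_ACCESS_KEY_ID"]}
    profile = provider_profile(tf_source) or env.get("AWS_PROFILE") or "default"
    cfg = configparser.ConfigParser()
    cfg.read_string(credentials_text)
    if not cfg.has_section(profile):
        return {"source": "shared credentials file", "profile": profile, "access_key_id": None,
                "problem": f"profile [{profile}] not found; available: {cfg.sections()}"}
    return {"source": "shared credentials file", "profile": profile,
            "access_key_id": cfg.get(profile, "aws_access_key_id")}


if __name__ == "__main__":
    print(resolve_credentials(PROVIDER_NO_PROFILE, SAMPLE_CREDENTIALS))
    print(resolve_credentials(PROVIDER_WITH_PROFILE, SAMPLE_CREDENTIALS))
```

Compare the reported key id with the one shown by `aws sts get-caller-identity` for the principal you expect; the environment-variable branch is the case a later answer on this page ran into on Windows, where keys set in the environment override whatever `aws configure` wrote.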

Please go to your AWS console to see if you have set a permissions boundary on this user. If yes, you can try to remove all of them.

Correct your IAM role:

  1. AdministratorAccess
  2. AdministratorAccess-Amplify

If you pick the second IAM role you get that error, so change to the first IAM role.

I encountered this issue. I had manually set my AWS access key and secret key on my Windows machine by editing the environment variables. Not sure though why, after setting up "aws configure" with keys and all, it did not update the env variables on the machine. The IAM user I have has AdministratorAccess. HTH.

If you have uploaded your Terraform file somewhere, you will have to recreate the user in IAM; worked for me.
