AWS Lambda function and corresponding IAM role to stop and start an EC2 instance in CloudFormation

I'm trying to launch a scheduled instance which will be stopped and started at a specified time each day (in an AWS CloudFormation template). This is the IAM role and policy that I defined for the Lambda function:

RootRole:
  Type: 'AWS::IAM::Role'
  Properties:
    AssumeRolePolicyDocument:
      Version: 2012-10-17
      Statement:
        - Effect: Allow
          Action:
            - logs:CreateLogGroup
            - logs:CreateLogStream
            - logs:PutLogEvents
          Resource: arn:aws:logs:*:*:*
        - Effect: Allow
          Action:
            - ec2:Start*
            - ec2:Stop*
          Resource: "*"

When I create a stack, it returns an error in the console (CREATE_FAILED) and the status reason is:

Has prohibited field Resource (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 3094b9eb-9f45-4763-8f21-9c3f2496fc52)

And after this error, all the services related to this role fail with this error:

The following resource(s) failed to create: [InternetGateway, SNSTopicNameCreate, LambdaInvocationsAlarm, RootRole, VPC, LambdaInvocationsAnomalyDetector]. . . Rollback requested by user.

Your policy appears to be confusing the "Assume Role" section, which defines the Trust Policy, with the "Policy" section, which grants permissions to the IAM Role.

Try this:

AWSTemplateFormatVersion: 2010-09-09

Resources:
  LambdaRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: Lambda-Role
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: AllowLogsAndEC2
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: arn:aws:logs:*:*:*
              - Effect: Allow
                Action:
                  - ec2:StartInstances
                  - ec2:StopInstances
                Resource: "*"

Typically, the easiest way to create a policy is to copy an existing policy and make minor changes, or use the policy editor in the IAM console to generate most of what you want. You can then tweak the policy it provides.
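As an added example (not part of the question or the answer above): a small Python check that catches the trust-policy mistake the answer describes before a stack is created, run against JSON-form CloudFormation fragments constructed here to mirror the broken role and the corrected one. The helper names (`check_role`, `check_template`) are hypothetical; the wildcard-action check is an extra least-privilege point, since the answer narrows `ec2:Start*`/`ec2:Stop*` to the two calls the function needs.

```python
import json

# Constructed JSON-form fragment reproducing the broken role from the question
BROKEN = json.loads("""{
  "Resources": {"RootRole": {"Type": "AWS::IAM::Role", "Properties": {
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
      {"Effect": "Allow", "Action": ["logs:CreateLogGroup", "logs:PutLogEvents"],
       "Resource": "arn:aws:logs:*:*:*"},
      {"Effect": "Allow", "Action": ["ec2:Start*", "ec2:Stop*"], "Resource": "*"}]}}}}}""")

# Constructed fragment matching the corrected role from the answer
FIXED = json.loads("""{
  "Resources": {"LambdaRole": {"Type": "AWS::IAM::Role", "Properties": {
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
      {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
       "Action": "sts:AssumeRole"}]},
    "Policies": [{"PolicyName": "AllowLogsAndEC2", "PolicyDocument": {
      "Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"],
         "Resource": "*"}]}}]}}}}""")

def as_list(v):
    """IAM allows a single string where a list is also accepted; normalise."""
    return v if isinstance(v, list) else [v]

def check_role(name, props):
    """Findings for one AWS::IAM::Role: trust-policy shape and wildcard actions."""
    findings = []
    trust = props.get("AssumeRolePolicyDocument", {})
    for i, st in enumerate(as_list(trust.get("Statement", []))):
        if "Resource" in st:  # IAM rejects this with MalformedPolicyDocument
            findings.append(f"{name}: trust statement {i} has prohibited field Resource")
        if "Principal" not in st:  # a trust policy must say who may assume the role
            findings.append(f"{name}: trust statement {i} names no Principal")
        if "sts:AssumeRole" not in as_list(st.get("Action", [])):
            findings.append(f"{name}: trust statement {i} does not grant sts:AssumeRole")
    for pol in props.get("Policies", []):
        for i, st in enumerate(as_list(pol["PolicyDocument"].get("Statement", []))):
            for act in as_list(st.get("Action", [])):
                if act.endswith("*"):  # broader than the two EC2 calls the function needs
                    findings.append(f"{name}/{pol['PolicyName']}: wildcard action {act}")
    return findings

def check_template(template):
    """Run check_role over every IAM role in a parsed CloudFormation template."""
    return [f for name, res in template.get("Resources", {}).items()
            if res.get("Type") == "AWS::IAM::Role"
            for f in check_role(name, res.get("Properties", {}))]

if __name__ == "__main__":
    print(*check_template(BROKEN), sep="\n")
    print("fixed:", check_template(FIXED))
```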
