停止 EC2 实例
[英]Stop EC2 Instance
问题描述
I have a node js application running on EC2.
我有一个在 EC2 上运行的节点 js 应用程序。 After a certain operation, I want to stop the EC2.在某个操作之后,我想停止 EC2。
I am using this function to stop EC2我正在使用这个 function 来停止 EC2
const stopInstance = () => {
// set the region
AWS.config.update({
accessKeyId: "MY ACCESS KEY",
secretAccesskey: "SECRET KEY",
region: "us-east-1"
})
// create an ec2 object
const ec2 = new AWS.EC2();
// setup instance params
const params = {
InstanceIds: [
'i-XXXXXXXX'
]
};
ec2.stopInstances(params, function(err, data) {
if (err) {
console.log(err, err.stack); // an error occurred
} else {
console.log(data); // successful response
}
});
}
When I am running it from EC2, it's giving error当我从 EC2 运行它时,它给出了错误
UnauthorizedOperation: You are not authorized to perform this operation.
But when I am running the same code, using the same key and secret from my local machine, It's working perfectly .但是,当我使用本地机器上的相同密钥和密码运行相同的代码时,它运行良好。
Permissions I have我拥有的权限
2 个解决方案
解决方案1
0 2020-07-21 06:55:21
This will be down to the permissions of the IAM user being passed into the script.这将取决于传递给脚本的 IAM 用户的权限。
Firstly this error message indicates that an IAM user/role was successfully used in the request, but failed to have permissions so that can be ruled out.首先,此错误消息表明请求中成功使用了 IAM 用户/角色,但未能获得权限,因此可以排除。
Assuming a key and secret are being successfully (looks like hard coded) you would be looking at further restrictions within the policy (such as principal or.假设密钥和秘密成功(看起来像硬编码),您将查看策略中的进一步限制(例如主体或。
If the key and secret are not hard coded but instead passed in as environment variables, perform some debug to output the string values and validate these are what you expect.如果密钥和秘密不是硬编码而是作为环境变量传入,请对 output 字符串值执行一些调试并验证这些值是否符合您的预期。 If they do not get passed into the SDK then it may be falling back to an instance role that is attached.如果它们没有被传递到 SDK 中,那么它可能会退回到附加的实例角色。
As a point of improvement, generally when interacting with the AWS SDK/CLI from within AWS (ie on an EC2 instance) you should use a IAM role over an IAM user as this will lead to less API credentials being managed/rotated.作为改进的一点,通常在从 AWS 内部(即在 EC2 实例上)与 AWS 开发工具包/CLI 交互时,您应该使用 IAM 角色而不是 IAM 用户,因为这将导致更少的 API 凭证被管理/轮换。 An IAM role will rotate temporary credentials for you every few hours. IAM 角色将每隔几个小时轮换一次临时凭证。
解决方案2
0 2020-07-21 18:57:42
If the same credentials are working on local machine then it's probably not a permission issue, but just to further isolate the issue, you can try to run the AWS-GetCallerIdentity to check the credentials that are being used.如果相同的凭证在本地机器上工作,那么它可能不是权限问题,而只是为了进一步隔离问题,您可以尝试运行 AWS-GetCallerIdentity 来检查正在使用的凭证。
https://docs.aws.amazon.com/cli/latest/reference/sts/get-caller-identity.html https://docs.aws.amazon.com/cli/latest/reference/sts/get-caller-identity.html
In case if this does not help, create a new user and try giving full admin access and then using the credentials to see if this get's resolved.如果这没有帮助,请创建一个新用户并尝试授予完全管理员访问权限,然后使用凭据查看此问题是否已解决。 This will confirm whether we are facing a permission issue or not.这将确认我们是否面临许可问题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.