AWS IAM 角色权限问题
[英]AWS IAM Role permission issue
问题描述
We have just built a new Things Enterprise server hosted at AWS on an EC2 instance and created an application to use AWS IOT.
我们刚刚在 EC2 实例上构建了一个托管在 AWS 上的新 Things Enterprise 服务器,并创建了一个应用程序来使用 AWS IOT。 We are getting the following error我们收到以下错误
“message”: “User: arn:aws:sts::446971925991:assumed-role/Things-Enterprise-Stack-Srv-StackIAMRole-DBHBSMSY05AQ/i-095895d605fab3fa4 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::446971925991:role/Bosh-Parking-IOT-Stack-TheThingsStackRoleCD9FBAD2-C44RRJJ53M93” “消息”:“用户:arn:aws:sts::446971925991:assumed-role/Things-Enterprise-Stack-Srv-StackIAMRole-DBHBSMSY05AQ/i-095895d605fab3fa4 无权执行:sts:AssumeRole 资源: :iam::446971925991:role/Bosh-Parking-IOT-Stack-TheThingsStackRoleCD9FBAD2-C44RRJJ53M93”
I have been told有人告诉我
What is the execution role of the TTES instance that is trying to assume the role?
But I'm not sure what that means, i'm presuming i need to add / alter some permissions within an IAM role.但我不确定这意味着什么,我假设我需要在 IAM 角色中添加/更改一些权限。 Can someone point me in the right direction Pls.有人可以指出我正确的方向吗?
1 个解决方案
解决方案1
1 已采纳 2020-09-16 08:22:09
From the error message it seems that your IAM role for Amazon EC2 has no permissions to assume a role Bosh-Parking-IOT-Stack-TheThingsStackRoleCD9FBAD2-C44RRJJ53M93 .从错误消息来看,您的 Amazon EC2 IAM 角色似乎无权代入角色Bosh-Parking-IOT-Stack-TheThingsStackRoleCD9FBAD2-C44RRJJ53M93 。
To add such permissions manually you can do the following:要手动添加此类权限,您可以执行以下操作:
- Go to
IAM Console->Roles.转到IAM Console->Roles。 - In the
Roleswindow, you can useSearchbar to locateThings-Enterprise-Stack-Srv-StackIAMRole-DBHBSMSY05AQrole.在Roles窗口中,您可以使用Search栏找到Things-Enterprise-Stack-Srv-StackIAMRole-DBHBSMSY05AQ角色。 - Once you find the role, you click on Add inline policy .找到角色后,单击Add inline policy 。
- Once
Create policywindow shows, you can go toJSON taband add the following JSON policy:Create policy窗口显示后,您可以转到JSON tab并添加以下 JSON 策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAssumeRole",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::446971925991:role/Bosh-Parking-IOT-Stack-TheThingsStackRoleCD9FBAD2-C44RRJJ53M93"
}
]
}
- Then click
Review Policy, name the policy (eg PolicyToAssumeRole) andCreate policy然后单击Review Policy,命名策略(例如 PolicyToAssumeRole)并Create policy
However, based on your policy names (eg Stack-Srv-StackIAMRole) it is possible that they have been create by CloudFormation .然而,根据您的策略名称(如堆栈-SRV-StackIAMRole)有可能,他们已经通过CloudFormation创建。 If this is the case, then manually changing the roles as described above is a bad practice and will lead to drift .如果是这种情况,那么如上所述手动更改角色是一种不好的做法,会导致漂移。 Any changes to resources created by CloudFormation should be done using CloudFormation .对 CloudFormation 创建的资源的任何更改都应使用 CloudFormation 完成。 Sadly, your question does not provide any details about CloudFormation templates used, therefore its difficult to comment on that more.遗憾的是,您的问题没有提供有关所用 CloudFormation 模板的任何详细信息,因此很难对此发表更多评论。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.