未经授权从共享私有 AMI 运行 ec2 实例
[英]Unauthorized to ec2 run-instances from shared private AMI
问题描述
I created AMI on account 183136277722. I shared it to account 574616038232. I've created iam policy to be able to run this AMI:
我在账户 183136277722 上创建了 AMI。我将其共享给账户 574616038232。我创建了 iam 策略以便能够运行此 AMI:
"Condition": {
"StringEquals": {
"ec2:Owner": [
"183136277722"
]
}
},
"Action": [
"ec2:RunInstances"
],
"Resource": "arn:aws:ec2:eu-west-1::image/ami-*",
"Effect": "Allow",
"Sid": "RunSharedAmi"
}
When I try to launch ec2 from AMI when I'm logged in account 574616038232 I get error message:当我登录帐户 574616038232 时尝试从 AMI 启动 ec2 时,我收到错误消息:
An error occurred (UnauthorizedOperation) when calling the RunInstances operation: You are not authorized to perform this operation. Encoded authorization failure message: Eq8rCjogNsPD8Rw45V5f7XHeFSTJ8ddXbHdtpWw7AJnEeGMVuOtk1VBe-Z1fR3ONRjcxcJEafrwaVZdyeUjw-ZNGwmDjDN3DyEysimEMNX9TQhcEhaIpUBpSrBXZutEb6cR1n5JVNak9zrcJRiuQhkJybpsPFE80epCoXJlIakq2kYk8uS8no2p28ujo0dLi4GJ63Dlq32zReA338ksB1quGfKX7HVultbfdnOAPkKih_A3HjEs59yMpZZ-l0ngtcLL6yzAcxhocQPe15nyu9S96I-8uI9hmR7HnEE24Aa9qJaj0ZiT57NFckkhVojsWmmsN8XWh02g8P1gSfyyHfPmFj9E2khxGZ9Vvc-oglx6gKbU7XHzlsOygouTD8uNutQS7OFaK_8TIKmAgYHP-CQ_AFk-X1zAbYMhs9TNt3pOu5Gz1xYKnrYUWQetf6gWmyVsQ6ioFMW9fKfFjLPrtQMtLtXqtYuteHSXt6LAWH4ZN5yJOWbHiC9ymoV05GG1UjsrNxlCU5KuS8Nhewfwefefewfwefwefewqwdwd34r23fdsacf23fv32HawKZF0bX-uXLJVSGsAV5MOk1zw6k3_Gwi7Y-ZY-1b7kmGMhYy9rjMLJvw8Q6NjOgQuHyfpeFTodgsX4A0kEuuQMf2hBcaAYCGJbHXnHGh0-5ZMHvinGNbfKtLw7gW_Hb1pmR0ujVDM2GDcdglOu99fT79zWaO9wt1jrzCUgiieIjrQhlEiaQI3uQf5idoGOovpT4EM5wR3vOIDchZqCZozndA8I-lSYS7X3wrFK0EhNq1h_X1mqSVoYUKsUVrgO6XtU2NSpeDsbEVlpjRBb4MOfDSgPumVDM_AlYnil67kFq7fv8aWVzD8cLBmYVDdKjpzrIbxDM2n04q0sAvygQbGForj791uF8SksMM-2J0N7ue5JbtbCbOsVZS9HKOMq5fOAk41wUSL5LuFQKUBEDs3vaHqzh7BUQ3vt4P7CTGsG8Vyp3yva-vd8S0HE1y0zuSTsv65XnqVSQDyZ_ZAEm6cqyBdwz2L3ZGO-_HV_AH
I decoded message and get我解码消息并得到
{ "DecodedMessage": "{"allowed":false,"explicitDeny":true,"matchedStatements":{"items":[{"statementId":"AllowLaunchOnlyFromApprovedImages","effect":"DENY","principals":{"items":[{"value":"AROCDLSOI5ZZM7QIFOITO"}]},"principalGroups":{"items":[]},"actions":{"items":[{"value":"ec2:RunInstances"}]},"resources":{"items":[{"value":"arn:aws:ec2:eu-west-1::image/ami-*"}]},"conditions":{"items":[{"key":"ec2:Owner","values":{"items":[{"value":"277688789493"},{"value":"amazon"},{"value":"aws-marketplace"},{"value":"737859062117"},{"value":"394136139437"},{"value":"851093456999"},{"value":"335031091084"},{"value":"207456136159"},{"value":"028557712108"},{"value":"164996153968"},{"value":"533600275369"},{"value":"930136447543"},{"value":"658312218119"},{"value":"687831498517"},{"value":"201245860548"},{"value":"574616038232"},{"value":"493917785438"},{"value":"378058653094"},{"value":"901455435209"},{"value":"652668783151"},{"value":"988201728534"},{"value":"669990426999"},{"value":"142986109290"}, { "DecodedMessage": "{"allowed":false,"explicitDeny":true,"matchedStatements":{"items":[{"statementId":"AllowLaunchOnlyFromApprovedImages","effect":"DENY","principals": {"items":[{"value":"AROCDLSOI5ZZM7QIFOITO"}]},"principalGroups":{"items":[]},"actions":{"items":[{"value":"ec2:RunInstances "}]},"resources":{"items":[{"value":"arn:aws:ec2:eu-west-1::image/ami-*"}]},"conditions":{" items":[{"key":"ec2:Owner","values":{"items":[{"value":"277688789493"},{"value":"amazon"},{"value": "aws-marketplace"},{"value":"737859062117"},{"value":"394136139437"},{"value":"851093456999"},{"value":"335031091084"},{"value ":"207456136159"},{"value":"028557712108"},{"value":"164996153968"},{"value":"533600275369"},{"value":"930136447543"},{"value ":"658312218119"},{"value":"687831498517"},{"value":"201245860548"},{"value":"574616038232"},{"value":"493917785438"},{"value ":"378058653094"},{"value":"901455435209"},{"value":"652668783151"},{"value":"988201728534"},{"value":"669990426999"},{"value ":"142986109290"}, {"value":"679593333241"},{"value":"309956199498"},{"value":"602401143452"},{"value":"379101102735"},{"value":"504948279284"},{"value":"951854665038"}]}}]}}]},"failures":{"items":[]},"context":{"principal":{"id":"AROCDLSOI5ZZM7QIFOITO:503217544","arn":"arn:aws:sts::574616038232:assumed-role/hc-mobil-devops/503217544"},"action":"ec2:RunInstances","resource":"arn:aws:ec2:eu-west-1::image/ami-088a17ca0987e0186","conditions":{"items":[{"key":"ec2:ImageID","values":{"items":[{"value":"ami-088a17ca0987e0186"}]}},{"key":"ec2:ImageType","values":{"items":[{"value":"machine"}]}},{"key":"aws:Resource","values":{"items":[{"value":"image/ami-088a17ca0987e0186"}]}},{"key":"aws:Account","values":{"items":[{"value":"574616038232"}]}},{"key":"ec2:IsLaunchTemplateResource","values":{"items":[{"value":"false"}]}},{"key":"ec2:RootDeviceType","values":{"items":[{"value":"ebs"}]}},{"key":"aws:Region","values":{"items":[{"value":"eu-west-1"}]}},{"key":"aws:Service","values":{"items":[{"value":"ec2"}]}},{"key {"value":"679593333241"},{"value":"309956199498"},{"value":"602401143452"},{"value":"379101102735"},{"value":"504948279284"}, {"value":"951854665038"}]}}]}}]},"failures":{"items":[]},"context":{"principal":{"id":"AROCDLSOI5ZZM7QIFOITO:503217544" "arn":"arn:aws:sts::574616038232:assumed-role/hc-mobil-devops/503217544"},"action":"ec2:RunInstances","resource":"arn:aws:ec2: eu-west-1::image/ami-088a17ca0987e0186","条件":{"items":[{"key":"ec2:ImageID","values":{"items":[{"value": "ami-088a17ca0987e0186"}]}},{"key":"ec2:ImageType","values":{"items":[{"value":"machine"}]}},{"key":" aws:Resource","values":{"items":[{"value":"image/ami-088a17ca0987e0186"}]}},{"key":"aws:Account","values":{"items ":[{"value":"574616038232"}]}},{"key":"ec2:IsLaunchTemplateResource","values":{"items":[{"value":"false"}]}}, {"key":"ec2:RootDeviceType","values":{"items":[{"value":"ebs"}]}},{"key":"aws:Region","values":{ "items":[{"value":"eu-west-1"}]}},{"key":"aws:Service","values":{"items":[{"value":"ec2 “}]}},{“钥匙":"ec2:Owner","values":{"items":[{"value":"183136277722"}]}},{"key":"ec2:Public","values":{"items":[{"value":"false"}]}},{"key":"aws:Type","values":{"items":[{"value":"image"}]}},{"key":"ec2:Region","values":{"items":[{"value":"eu-west-1"}]}},{"key":"aws:ARN","values":{"items":[{"value":"arn:aws:ec2:eu-west-1::image/ami-088a17ca0987e0186"}]}}]}}}" ":"ec2:Owner","values":{"items":[{"value":"183136277722"}]}},{"key":"ec2:Public","values":{"items" :[{"value":"false"}]}},{"key":"aws:Type","values":{"items":[{"value":"image"}]}},{ "key":"ec2:Region","values":{"items":[{"value":"eu-west-1"}]}},{"key":"aws:ARN","values ":{"items":[{"value":"arn:aws:ec2:eu-west-1::image/ami-088a17ca0987e0186"}]}}]}}}"
Why it doesn't work?为什么它不起作用? Did I miss some policies/permissions?我错过了一些政策/权限吗?
2 个解决方案
解决方案1
1 2021-10-02 19:46:29
As per the decoded message there are SCPs explicitDeny":true,"matchedStatements":{"items":[{"statementId":"**AllowLaunchOnlyFromApprovedImages**","effect":"DENY at Organization level enforced and a cause of your denial.根据解码的消息,有 SCPsexplicitDeny explicitDeny":true,"matchedStatements":{"items":[{"statementId":"**AllowLaunchOnlyFromApprovedImages**","effect":"DENY在组织级别强制执行和原因你的否认。
解决方案2
0 2020-12-02 04:29:14
You need to grant access to more Resources to allow the ec2:RunInstances call to succeed.您需要授予对更多Resources的访问权限以允许ec2:RunInstances调用成功。 Here is a helpful post with a minimal policy: Minimal IAM policy for ec2:RunInstances这是一个包含最小策略的有用帖子: ec2:RunInstances 的最小 IAM 策略
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.