
Create EC2 instance with SSM enabled

I am creating an EC2 instance with SSM attached to the instance.

    def createInstances(self):
        instances = self.ec2_client.create_instances(
            ImageId="ami-09e67e426f25ce0d7",  # Ubuntu Server 20.04 LTS (HVM), SSD Volume Type
            MinCount=1,
            MaxCount=1,
            InstanceType="m4.2xlarge",
            KeyName="ec2-key-pair",
            IamInstanceProfile={
                'Arn': 'arn:aws:iam::aws:instance-profile/AmazonEC2RoleforSSM',
                'Name': 'AmazonEC2RoleforSSM'
            },
            DryRun=True,
            TagSpecifications=[
                {
                    'ResourceType': 'instance',
                    'Tags': [
                        {
                            'Key': 'department',
                            'Value': 'dev'
                        },
                    ]
                },
            ],

        )

        print(instances["Instances"][0])

I am getting an error as:

botocore.exceptions.ClientError: An error occurred (InvalidParameterCombination) when calling the RunInstances operation: The parameter 'iamInstanceProfile.name' may not be used in combination with 'iamInstanceProfile.arn'

When I removed 'iamInstanceProfile.name' I got another error as:

botocore.exceptions.ClientError: An error occurred (InvalidParameterValue) when calling the RunInstances operation: Value (arn:aws:iam::aws:instance-profile/AmazonEC2RoleforSSM) for parameter iamInstanceProfile.arn is invalid. Invalid IAM Instance Profile ARN

I think there are a couple of things going on. First, you have to create the instance profile for SSM in your account. It's not a standard resource managed by AWS that you can just refer to. If you haven't yet, see the SSM setup instructions for creating an instance profile. As noted there, if you went through SSM Quick Setup, it created the instance profile for you. Its ARN would probably be arn:aws:iam::[your_account_number]:instance-profile/AmazonSSMRoleForInstancesQuickSetup. If you haven't gone through SSM Quick Setup, you'll either need to do so or create the role and instance profile yourself.

Note that if you create a role through the console, the console creates an instance profile for you (if the role is associated with EC2) with the same name as the role. If you create a role using CLI, API, or CDK, you'll need to create the instance profile separately. Either way, you'll need to assign the right IAM policies to the role.

Second, despite the name, AmazonEC2RoleforSSM is an IAM Policy, not a role... and it's deprecated. It's been replaced by a set of policies that provide finer-grained control over SSM permissions. See this AWS Management and Governance Blog on managed instance policy best practices for details. So when you set up your role, you'll need to assign the appropriate SSM policies to it.
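The steps from the answer above as an added boto3 example (not part of the original posts): create the role and the instance profile as separate objects, attach an SSM policy, and pass exactly one of Name or Arn to RunInstances. The role/profile name and instance type are hypothetical, and AmazonSSMManagedInstanceCore is chosen here as the replacement policy, which the answer does not name.

```python
import json
import re

# AWS managed policy that superseded the deprecated AmazonEC2RoleforSSM policy
# (assumption: the page does not say which replacement policy to use).
SSM_POLICY_ARN = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
# An instance profile belongs to an account, so its ARN carries a 12-digit ID.
PROFILE_ARN_RE = re.compile(r"^arn:aws[\w-]*:iam::\d{12}:instance-profile/[\w+=,.@/-]+$")
EC2_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}


def ensure_ssm_profile(iam, name):
    """Create the role and the instance profile (two API objects); return the profile ARN."""
    iam.create_role(RoleName=name, AssumeRolePolicyDocument=json.dumps(EC2_TRUST))
    iam.attach_role_policy(RoleName=name, PolicyArn=SSM_POLICY_ARN)
    profile = iam.create_instance_profile(InstanceProfileName=name)
    iam.add_role_to_instance_profile(InstanceProfileName=name, RoleName=name)
    return profile["InstanceProfile"]["Arn"]


def profile_spec(identifier):
    """Build IamInstanceProfile with one key only; RunInstances rejects Arn plus Name."""
    if not identifier.startswith("arn:"):
        return {"Name": identifier}
    if not PROFILE_ARN_RE.match(identifier):
        raise ValueError(f"not an instance profile ARN in an account: {identifier}")
    return {"Arn": identifier}


def launch(ec2, image_id, profile, instance_type="t3.micro"):
    # instance_type default is a placeholder; the question used m4.2xlarge.
    resp = ec2.run_instances(ImageId=image_id, InstanceType=instance_type,
                             MinCount=1, MaxCount=1,
                             IamInstanceProfile=profile_spec(profile))
    return resp["Instances"][0]["InstanceId"]


if __name__ == "__main__":
    import boto3  # needs credentials with IAM and EC2 permissions
    iam, ec2 = boto3.client("iam"), boto3.client("ec2")
    name = "demo-ssm-instance-role"  # hypothetical role/profile name
    arn = ensure_ssm_profile(iam, name)
    # A freshly created profile can take a moment to become visible.
    iam.get_waiter("instance_profile_exists").wait(InstanceProfileName=name)
    print(launch(ec2, "ami-09e67e426f25ce0d7", arn))
```

The IAM and EC2 clients are passed in, so the helpers can be exercised against a stub before touching a real account.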

Try IamInstanceProfile = { 'Name': 'AmazonEC2RoleforSSM' }.

Your Instance Profile ARN is indeed invalid. It should be arn:aws:iam::XXXXXXXXXXXX:instanceprofile/AmazonEC2RoleforSSM, where XXXXXXXXXXXX represents your AWS account number.
