
AWS CLI: create EC2 instance and attach instance profile (unauthorized)

From an EC2 instance "A", I'd like to launch another EC2 instance "B" and assign it an instance profile.

I am able to create the new instance "B" without an instance profile:

aws ec2 run-instances --image-id ami-<redacted> --count 1 --instance-type t2.micro --key-name <redacted> --security-group-ids sg-<redacted> --subnet-id subnet-<redacted> 

However, when I add the --iam-instance-profile Name="<redacted>" flag to attach the instance profile, I receive an error:

An error occurred (UnauthorizedOperation) when calling the RunInstances operation:  
You are not authorized to perform this operation. Encoded authorization failure message: <redacted>

I guess the instance profile that is attached to instance "A" (and used to create instance "B") is lacking some resource permissions, but I cannot come up with the solution.

I decoded the failure message ( aws sts decode-authorization-message --encoded-message <message> ), but I still don't get the point:

{
    "DecodedMessage": 
"{\"allowed\":false,\"explicitDeny\":false,\"matchedStatements\":{\"items\":[]},\"failures\":{\"items\":[]},\"context\":{\"principal\":{\"id\":\"<redacted>\",\"arn\":\"arn:aws:sts::<redacted>:assumed-role/<redacted>/<redacted>\"},\"action\":\"iam:PassRole\",\"resource\":\"arn:aws:iam::<redacted>:role/<redacted>\",\"conditions\":{\"items\":[{\"key\":\"aws:Region\",\"values\":{\"items\":[{\"value\":\"eu-central-1\"}]}},{\"key\":\"aws:Service\",\"values\":{\"items\":[{\"value\":\"ec2\"}]}},{\"key\":\"aws:Resource\",\"values\":{\"items\":[{\"value\":\"role/<redacted>\"}]}},{\"key\":\"iam:RoleName\",\"values\":{\"items\":[{\"value\":\"<redacted>\"}]}},{\"key\":\"aws:Type\",\"values\":{\"items\":[{\"value\":\"role\"}]}},{\"key\":\"aws:Account\",\"values\":{\"items\":[{\"value\":\"<redacted>\"}]}},{\"key\":\"aws:ARN\",\"values\":{\"items\":[{\"value\":\"arn:aws:iam::<redacted>:role/<redacted>\"}]}}]}}}"
}

What am I missing?

The IAM principal (typically an IAM role) associated with instance A needs permission to pass the IAM role associated with your chosen profile to the AWS EC2 service so that instance B can be launched with that chosen profile/role.

The reason that this permission is required is to prevent one role from launching compute with another role that confers elevated permissions (this is called 'privilege escalation').

Add something like the following to the policies associated with the IAM role that instance A was launched with:

{
  "Effect": "Allow",
  "Action": "iam:PassRole",
  "Resource": "arn:aws:iam::your-account:role/your-role"
}
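As an added illustration (not code from the question or the answer above): a small Python script that parses a decoded authorization message shaped like the one in the question, reports whether the denial is explicit or implicit, and emits the narrowest iam:PassRole statement that would satisfy it. The embedded sample is constructed; the account id, role names and principal id are placeholders, and the policy it produces scopes PassRole to the denied role and to EC2 via the iam:PassedToService condition key rather than granting PassRole on a wildcard.

```python
import json

# Constructed sample of what `aws sts decode-authorization-message` returns for the
# failure in the question. Account id, role names and principal id are placeholders.
SAMPLE_DECODED = {
    "DecodedMessage": json.dumps({
        "allowed": False,
        "explicitDeny": False,
        "matchedStatements": {"items": []},
        "failures": {"items": []},
        "context": {
            "principal": {
                "id": "AROAEXAMPLEID:i-0123456789abcdef0",
                "arn": "arn:aws:sts::111122223333:assumed-role/InstanceARole/i-0123456789abcdef0",
            },
            "action": "iam:PassRole",
            "resource": "arn:aws:iam::111122223333:role/InstanceBRole",
            "conditions": {"items": [
                {"key": "aws:Region", "values": {"items": [{"value": "eu-central-1"}]}},
                {"key": "aws:Service", "values": {"items": [{"value": "ec2"}]}},
                {"key": "aws:Resource", "values": {"items": [{"value": "role/InstanceBRole"}]}},
                {"key": "iam:RoleName", "values": {"items": [{"value": "InstanceBRole"}]}},
                {"key": "aws:Type", "values": {"items": [{"value": "role"}]}},
                {"key": "aws:Account", "values": {"items": [{"value": "111122223333"}]}},
                {"key": "aws:ARN", "values": {"items": [
                    {"value": "arn:aws:iam::111122223333:role/InstanceBRole"}]}},
            ]},
        },
    })
}


def summarize_denial(decoded):
    """Extract the denied action, resource, calling principal and the service
    the role was being passed to from a decoded authorization message."""
    msg = json.loads(decoded["DecodedMessage"])
    ctx = msg["context"]
    conditions = {c["key"]: [v["value"] for v in c["values"]["items"]]
                  for c in ctx["conditions"]["items"]}
    # No explicit deny and no matched statements means an implicit deny:
    # the principal's policies simply never grant this action on this resource.
    if msg["explicitDeny"]:
        kind = "explicit deny"
    elif not msg["matchedStatements"]["items"]:
        kind = "implicit deny (no statement allows it)"
    else:
        kind = "denied"
    return {
        "kind": kind,
        "principal": ctx["principal"]["arn"],
        "action": ctx["action"],
        "resource": ctx["resource"],
        "service": conditions.get("aws:Service", [None])[0],
    }


def passrole_statement(summary):
    """Build the least-privilege Allow statement for the denial: iam:PassRole on
    exactly the denied role, and only when passed to the service recorded in the
    context (EC2 here), so the launching role cannot hand the same role to other
    services such as Lambda or ECS."""
    if summary["action"] != "iam:PassRole":
        raise ValueError("this helper only handles iam:PassRole denials")
    statement = {
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": summary["resource"],
    }
    if summary["service"]:
        statement["Condition"] = {
            "StringEquals": {"iam:PassedToService": f"{summary['service']}.amazonaws.com"}
        }
    return statement


if __name__ == "__main__":
    summary = summarize_denial(SAMPLE_DECODED)
    print(json.dumps(summary, indent=2))
    policy = {"Version": "2012-10-17", "Statement": [passrole_statement(summary)]}
    print(json.dumps(policy, indent=2))
```

The empty matchedStatements list with explicitDeny false is the tell in the question's own output: nothing forbids the call, nothing allows it either, so the fix is an Allow on the launching role, not the removal of a Deny.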
