[英]AWS associate-iam-instance-profile function, what IAM role is required for the instance?
I am currently trying to assign an IAM role to one of my instances via AWS CLI.我目前正在尝试通过 AWS CLI 将 IAM 角色分配给我的一个实例。 The CLI is running on a linux instance that currently has Admin privileges for EC2 (AmazonEC2FullAccess policy).
CLI 在 linux 实例上运行,该实例当前具有 EC2 的管理员权限(AmazonEC2FullAccess 策略)。
I am trying to run the following command:我正在尝试运行以下命令:
aws ec2 associate-iam-instance-profile --instance-id i-0xxxxxxxxxxx4 --iam-instance-profile Name=AmazonSSMRoleForInstancesQuickSetup
But I get the following error:但我收到以下错误:
An error occurred (UnauthorizedOperation) when calling the AssociateIamInstanceProfile operation: You are not authorized to perform this operation. Encoded authorization failure message: <hash>
I am struggling to find what policy is required to allow this action from my AWS CLI instance.我正在努力寻找允许从我的 AWS CLI 实例执行此操作所需的策略。 I even tried giving it the nuclear
IAMFullAccess
policy but I still got permission denied.我什至尝试给它核
IAMFullAccess
政策,但我仍然被拒绝许可。
I've been trying to google it for a while now but I wasn't able to solve this problem by myself, please help.我一直在尝试谷歌一段时间,但我自己无法解决这个问题,请帮助。
Could you please tell me what policy is required in order to allow my instance to run aws ec2 associate-iam-instance-profile
?您能否告诉我需要什么策略才能允许我的实例运行
aws ec2 associate-iam-instance-profile
?
Additionally, is there a quick/easy way to find out what permissions are required to use certain aws cli functions?此外,是否有一种快速/简单的方法可以找出使用某些 aws cli 功能所需的权限?
Thanks to the articles posted by @luk2302 I was able to solve this issue.感谢@luk2302 发布的文章,我能够解决这个问题。 I hope that it will help at least one person in the future!
我希望它在未来至少能帮助一个人!
I was able to solve it by adding an in-line policy to my machine's role via IAM.我能够通过 IAM 向我的机器角色添加内联策略来解决它。 I am refering to the role attached to the machine I run AWS Cli on.
我指的是附加到我运行 AWS Cli 的机器上的角色。
The in-line policy json:内联策略 json:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::00000000000:role/AmazonSSMRoleForInstancesQuickSetup"
}
]
}
This in-line policy allowed me to assign the AmazonSSMRoleForInstancesQuickSetup
role (and only this one) to the instances I create via terraform.这个内联策略允许我将
AmazonSSMRoleForInstancesQuickSetup
角色(并且只有这个角色)分配给我通过 terraform 创建的实例。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.