我试图通过ansible使用IAM角色创建EC2实例,但我在启动新实例时遇到错误
failed: [localhost] => (item= IAMRole-1) => {"failed": true, "item": " IAMRole-1"}
msg: Instance creation failed => UnauthorizedOperation: You are not authorized to perform
this operation. Encoded authorization failure message: Ckcjt2GD81D5dlF6XakTSDypnwrgeQb0k
ouRMKh3Ol1jue553EZ7OXPt6fk1Q1-4HM-tLNPCkiX7ZgJWXYGSjHg2xP1A9LR7KBiXYeCtFKEQIC
W9cot3KAKPVcNXkHLrhREMfiT5KYEtrsA2A-xFCdvqwM2hNTNf7Y6VGe0Z48EDIyO5p5DxdNFsaSChUcb
iRUhSyRXIGWr_ZKkGM9GoyoVWCBk3Ni2Td7zkZ1EfAIeRJobiOnYXKE6Q
而iam角色具有完整的ec2访问权限,具有以下策略
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "ec2:*",
"Effect": "Allow",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "elasticloadbalancing:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "cloudwatch:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "autoscaling:*",
"Resource": "*"
}
]
}
请给我任何建议 .
1 回答
这里的问题不在于IAM Role for Amazon EC2本身,而是您(即您自己使用的AWS凭证)似乎缺少启动时请求的EC2实例所需的
iam:PassRole
权限,请参阅使用所需的权限部分有关Amazon EC2的角色,请致电Granting Applications that Run on Amazon EC2 Instances Access to AWS Resources了解详细信息:通过
PassRole
权限要求此间接的原因是能够限制用户在启动实例时可以将哪个角色传递给Amazon EC2实例:您可能希望阅读我对How to specify an IAM role for an Amazon EC2 instance being launched via the AWS CLI?的回答以获得更详细的解释,该解释也链接到Mike Pope关于Granting Permission to Launch EC2 Instances with IAM Roles (PassRole Permission)的好文章,该文章从AWS的角度解释了主题 .