EC2 launch-instance policy CloudFormation error

Time: 2020-04-13 22:16:10

Tags: amazon-ec2 amazon-cloudformation

I am trying to create a policy that allows launching EC2 from the web launch wizard and from CloudFormation with a specific image id and instance type t2.micro, for any user associated with that policy. I need to create the EC2 instance using the browser launch wizard or CloudFormation (as I said before), without the AWS CLI (which I did not say before).

I have this template:

---
AWSTemplateFormatVersion: '2010-09-09'
Description: ---
  Policita para usuarios test
Parameters:
  GroupTest1Parameter:
    Type: String
    Default: GroupTest1
    Description: Este es el valor de entrada GroupTest1Parameter
Resources:
  PolictyTest1:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: PolictyTest1
      Groups:
        - Fn::ImportValue: !Sub "${GroupTest1Parameter}-VPCID"
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - ec2:DescribeInstances
              - ec2:DescribeImages
              - ec2:DescribeKeyPairs
              - ec2:DescribeVpcs
              - ec2:DescribeSubnets
              - ec2:DescribeSecurityGroups
              - ec2:CreateSecurityGroup
              - ec2:AuthorizeSecurityGroupIngress
              - ec2:CreateKeyPair
            Resource: '*'
          - Effect: Allow
            Action: ec2:RunInstances
            Resource: 
              - arn:aws:ec2:us-east-1:*:network-interface/*
              - arn:aws:ec2:us-east-1:*:volume/*
              - arn:aws:ec2:us-east-1:*:key-pair/*
              - arn:aws:ec2:us-east-1:*:security-group/*
              - arn:aws:ec2:us-east-1:*:subnet/*
              - arn:aws:ec2:sa-east-1::image/ami-*
              - arn:aws:ec2:us-east-1:*:instance/*
          - Effect: Allow
            Action: ec2:RunInstances
            Resource: arn:aws:ec2:us-east-1:*:instance/*
            Condition:
              StringEquals:
                ec2:InstanceType: t2.micro
Outputs:
  PolictyTest1:
    Description: politica que deniega
    Value: !Ref PolictyTest1
    Export:
      Name: !Sub "${AWS::StackName}-VPCID"

I used this as the reference document: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-ec2-console.html

But when I try the launch wizard from a user that has this policy, this error appears:

You are not authorized to perform this operation. Encoded authorization failure message: (encripted code)
Hide launch log
Creating security groups

Successful (sg-918298001)
Authorizing inbound rules

Successful
Initiating launches

FailureRetry

What am I missing? I figured out that with

Action: ec2:RunInstances Resource: "*"

everything works fine, but when I set the specified resources, I get the error mentioned below.

I am trying to follow this example:

{
   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Allow",
      "Action": [
         "ec2:DescribeInstances", 
         "ec2:DescribeImages", 
         "ec2:DescribeKeyPairs", 
         "ec2:CreateKeyPair", 
         "ec2:DescribeVpcs", 
         "ec2:DescribeSubnets", 
         "ec2:DescribeSecurityGroups", 
         "ec2:CreateSecurityGroup", 
         "ec2:AuthorizeSecurityGroupIngress"
      ],
      "Resource": "*"
   },
   {
      "Effect": "Allow",
      "Action":"ec2:RunInstances",
      "Resource": [
         "arn:aws:ec2:sa-east-1:111122223333:network-interface/*",
         "arn:aws:ec2:sa-east-1:111122223333:volume/*",
         "arn:aws:ec2:sa-east-1:111122223333:key-pair/*",
         "arn:aws:ec2:sa-east-1:111122223333:security-group/*",
         "arn:aws:ec2:sa-east-1:111122223333:subnet/subnet-1a2b3c4d"
      ]
   },
   {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
         "arn:aws:ec2:sa-east-1:111122223333:instance/*"
      ],
      "Condition": {
         "StringEquals": {
            "ec2:InstanceType": "t2.micro"
         }
      }
   },
   {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [ 
            "arn:aws:ec2:sa-east-1::image/ami-*"
      ],
      "Condition": {
         "StringEquals": {
            "ec2:Owner": "amazon"
         }
      }
   }
   ]
}

It comes from https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-ec2-console.html

(Restrict access to a specific instance type, subnet and region)
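Added example, not part of the question or of the AWS documentation: a deliberately simplified, offline model of the resource-level check IAM applies to ec2:RunInstances, run against the question's own RunInstances statements (rebuilt as JSON) and a constructed set of launch ARNs (the AMI id, subnet id and account id are placeholders). It shows which ARN of a us-east-1 launch is left uncovered when the image ARN is in sa-east-1, as in the posted template, and that the InstanceType condition never constrains anything while instance/* is also listed unconditionally.

```python
import fnmatch
# Constructed, simplified model of IAM's resource-level check for ec2:RunInstances: every
# ARN the launch touches must be covered by an Allow statement whose Resource pattern
# matches and whose Condition holds. Educational only (StringEquals is the only operator
# modelled, since it is the only one the question's policy uses); not the real IAM engine.

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def _conditions_hold(conditions, context):
    for operator, pairs in conditions.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        if any(context.get(key) != want for key, want in pairs.items()):
            return False
    return True

def _covered(policy, action, arn, context):
    return any(
        stmt["Effect"] == "Allow"
        and any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        and any(fnmatch.fnmatchcase(arn, p) for p in _as_list(stmt["Resource"]))
        and _conditions_hold(stmt.get("Condition", {}), context)
        for stmt in policy["Statement"])

def unauthorized_resources(policy, action, resources, context):
    """Return the ARNs in `resources` that no Allow statement authorises."""
    return [arn for arn in resources if not _covered(policy, action, arn, context)]

def posted_policy(image_region):
    # The question's two RunInstances statements; the image region is a parameter
    # so the posted sa-east-1 value can be compared with us-east-1.
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": [
            "arn:aws:ec2:us-east-1:*:network-interface/*",
            "arn:aws:ec2:us-east-1:*:volume/*",
            "arn:aws:ec2:us-east-1:*:key-pair/*",
            "arn:aws:ec2:us-east-1:*:security-group/*",
            "arn:aws:ec2:us-east-1:*:subnet/*",
            f"arn:aws:ec2:{image_region}::image/ami-*",
            "arn:aws:ec2:us-east-1:*:instance/*"]},
        {"Effect": "Allow", "Action": "ec2:RunInstances",
         "Resource": "arn:aws:ec2:us-east-1:*:instance/*",
         "Condition": {"StringEquals": {"ec2:InstanceType": "t2.micro"}}}]}

# Constructed ARNs for a launch-wizard run in us-east-1 (111122223333 is a placeholder).
LAUNCH_ARNS = [
    "arn:aws:ec2:us-east-1::image/ami-0123456789abcdef0",
    "arn:aws:ec2:us-east-1:111122223333:subnet/subnet-1a2b3c4d",
    "arn:aws:ec2:us-east-1:111122223333:security-group/sg-918298001",
    "arn:aws:ec2:us-east-1:111122223333:instance/*"]
```

With the posted template the image ARN is the only RunInstances resource in a different region from the rest, so no launch in either region can match every resource. Note also that the AWS example lists instance/* only in the statement carrying the InstanceType condition, whereas the template lists it in the unconditioned statement too.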

0 answers:

No answers