I can launch an ec2-instance with an iam-role in the management console, but I don't know how to launch an ec2-instance with an iam-role from the aws-ruby-sdk.
The policy of iam-role "test" is here:
"Effect": "Allow",
"Action": "*",
"Resource": "*"
The result is as follows:
/var/lib/gems/1.8/gems/aws-sdk-1.7.1/lib/aws/core/client.rb:318:in `return_or_raise':
You are not authorized to perform iam:PassRole with arn:aws:iam::xxxxxxxxxxx:role/test
(AWS::EC2::Errors::UnauthorizedOperation)
Answer 0 (score: 9)
The credentials you are using in the Ruby script are not authorized to launch an instance with the "test" IAM role. You need to modify this user's policy and grant it the iam:PassRole permission, for example:
{
  "Statement": [{
    "Effect": "Allow",
    "Action": "ec2:RunInstances",
    "Resource": "*"
  },
  {
    "Effect": "Allow",
    "Action": "iam:PassRole",
    "Resource": "arn:aws:iam::xxxxxxxxxxx:role/test"
  }]
}
This is a security feature - it is possible to misconfigure IAM in a way that allows privilege escalation, so AWS uses a "secure by default" policy.
You can also use this policy to allow your user to launch instances with any IAM role - but before doing so you should consider the security implications:
{
  "Effect": "Allow",
  "Action": "iam:PassRole",
  "Resource": "*"
}
Reference: http://docs.amazonwebservices.com/IAM/latest/UserGuide/role-usecase-ec2app.html
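As an added illustration (not code from the question or the answer), the Ruby sketch below models the decision the answer describes: the caller's own policy, not the role's, must allow iam:PassRole on the role ARN alongside ec2:RunInstances, and scoping the Resource to one role blocks passing any other role. It also builds the scoped policy from the answer and the launch options for aws-sdk 1.x; the account id, the role names and the :iam_instance_profile option are assumptions, not values from the page.

```ruby
# Glob match for IAM Action/Resource strings ("*" and "?" wildcards).
def iam_glob?(pattern, value)
  body = Regexp.escape(pattern).gsub('\*', '.*').gsub('\?', '.')
  !Regexp.new('\A' + body + '\z').match(value).nil?
end

# Simplified IAM decision for an identity policy: an explicit Deny wins,
# otherwise any matching Allow grants. Conditions, principals and
# resource-based policies are deliberately not modelled.
def iam_allows?(policy, action, resource)
  hits = Array(policy['Statement']).select do |s|
    Array(s['Action']).any? { |a| iam_glob?(a, action) } &&
      Array(s['Resource']).any? { |r| iam_glob?(r, resource) }
  end
  return false if hits.any? { |s| s['Effect'] == 'Deny' }
  hits.any? { |s| s['Effect'] == 'Allow' }
end

# Actions the CALLER still lacks to launch an instance with role_arn. The
# role's own policy never enters this decision, which is why "Action": "*"
# on the role did not help; the question's error corresponds to ['iam:PassRole'].
def missing_permissions(caller_policy, role_arn)
  needed = { 'ec2:RunInstances' => '*', 'iam:PassRole' => role_arn }
  needed.reject { |action, res| iam_allows?(caller_policy, action, res) }.keys
end

# The least-privilege caller policy from the answer, scoped to a single role.
def launch_with_role_policy(role_arn)
  { 'Version' => '2012-10-17',
    'Statement' => [
      { 'Effect' => 'Allow', 'Action' => 'ec2:RunInstances', 'Resource' => '*' },
      { 'Effect' => 'Allow', 'Action' => 'iam:PassRole', 'Resource' => role_arn }
    ] }
end

# Options hash for AWS::EC2::InstanceCollection#create (aws-sdk 1.x); the
# :iam_instance_profile key attaches the role (assumed from the 1.x API, not
# shown on the page). Kept as a hash so this file runs without the gem:
#   AWS::EC2.new.instances.create(launch_options('ami-12345678', 'test'))
def launch_options(image_id, profile_name)
  { :image_id => image_id, :instance_type => 't1.micro', :count => 1,
    :iam_instance_profile => profile_name }
end

TEST_ROLE  = 'arn:aws:iam::111122223333:role/test'  # constructed account id
OTHER_ROLE = 'arn:aws:iam::111122223333:role/admin' # constructed
```

Running missing_permissions(launch_with_role_policy(TEST_ROLE), OTHER_ROLE) returns ["iam:PassRole"], which is exactly the permission the question's UnauthorizedOperation error names.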