AWS EC2:ec2的IAM策略:RequestSpotInstances

时间:2016-04-12 10:39:09

标签: amazon-web-services amazon-ec2 amazon-iam

我需要创建允许用户创建点请求的策略,但仅限于特定的子网和安全组。这就是我所做的:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:RequestSpotInstances",
            "Resource": [
                "arn:aws:ec2:us-east-1:123456789012:image/ami-*",
                "arn:aws:ec2:us-east-1:123456789012:subnet/subnet-af016c92",
                "arn:aws:ec2:us-east-1:123456789012:subnet/subnet-12a34d3c",
                "arn:aws:ec2:us-east-1:123456789012:subnet/subnet-f0e844cd",
                "arn:aws:ec2:us-east-1:123456789012:subnet/subnet-026ae728",
                "arn:aws:ec2:us-east-1:123456789012:key-pair/*",
                "arn:aws:ec2:us-east-1:123456789012:security-group/sg-b5dd94cd",
                "arn:aws:ec2:us-east-1:123456789012:security-group/sg-3bda8c42"
            ]
        }
    ]
}

但我的点请求创建仍然失败:

botocore.exceptions.ClientError: An error occurred (UnauthorizedOperation) when calling the RequestSpotInstances operation: You are not authorized to perform this operation.

RequestSpotInstances操作的最小权限子集是什么?

有可能调试这个吗?

2 个答案:

答案 0 :(得分:1)

我知道这是一个老问题,但我在我的环境中遇到了同样的问题。我的解决方案是为" PassRole"

添加IAM权限
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1479335761363",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:RequestSpotInstances",
        "ec2:RunInstances",
        "iam:PassRole"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
}

答案 1 :(得分:0)

根据EC2文档(here),ec2:RequestSpotInstances是属于“不支持的资源级权限”类别的操作。不幸的是,您必须将资源标记设置为所有资源,如下所示:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:RequestSpotInstances",
            "Resource": [ "*" ]
        }
    ]
}

就调试而言,不要忘记IAM策略模拟器,可以从AWS控制台访问=> IAM =>用户页面。