我需要创建允许用户创建点请求的策略,但仅限于特定的子网和安全组。这就是我所做的:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:RequestSpotInstances",
"Resource": [
"arn:aws:ec2:us-east-1:123456789012:image/ami-*",
"arn:aws:ec2:us-east-1:123456789012:subnet/subnet-af016c92",
"arn:aws:ec2:us-east-1:123456789012:subnet/subnet-12a34d3c",
"arn:aws:ec2:us-east-1:123456789012:subnet/subnet-f0e844cd",
"arn:aws:ec2:us-east-1:123456789012:subnet/subnet-026ae728",
"arn:aws:ec2:us-east-1:123456789012:key-pair/*",
"arn:aws:ec2:us-east-1:123456789012:security-group/sg-b5dd94cd",
"arn:aws:ec2:us-east-1:123456789012:security-group/sg-3bda8c42"
]
}
]
}
但我的点请求创建仍然失败:
botocore.exceptions.ClientError: An error occurred (UnauthorizedOperation) when calling the RequestSpotInstances operation: You are not authorized to perform this operation.
RequestSpotInstances操作的最小权限子集是什么?
有可能调试这个吗?
答案 0 :(得分:1)
我知道这是一个老问题,但我在我的环境中遇到了同样的问题。我的解决方案是为" PassRole"
添加IAM权限{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1479335761363",
"Action": [
"ec2:DescribeInstances",
"ec2:RequestSpotInstances",
"ec2:RunInstances",
"iam:PassRole"
],
"Effect": "Allow",
"Resource": "*"
}
}
答案 1 :(得分:0)
根据EC2文档(here),ec2:RequestSpotInstances是属于“不支持的资源级权限”类别的操作。不幸的是,您必须将资源标记设置为所有资源,如下所示:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:RequestSpotInstances",
"Resource": [ "*" ]
}
]
}
就调试而言,不要忘记IAM策略模拟器,可以从AWS控制台访问=> IAM =>用户页面。