我想为我的实例的IAM角色添加权限,以允许使用Cloudwatch日志服务。在查看服务的Configuration Guide后,我看到以下段落:
The CloudWatch Logs agent supports IAM roles and users.
If your instance already has an IAM role associated with it, make sure that you include the IAM policy below.
If you don't already have an IAM role assigned to your instance,
you'll need to use your IAM credentials for the next steps because you cannot assign an IAM role to an existing instance;
you can only specify a role when you launch a new instance.
我很难确切地知道这意味着什么。当我创建新实例时,我使用CloudWatchLogsFullAccess策略和配置指南要求您添加的内联策略创建了IAM角色:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogStreams"
],
"Resource": [
"arn:aws:logs:*:*:*"
]
}
]
}
这是一个新实例,但上面的段落让我对添加现有实例的权限感到困惑。我是否可以将CloudWatchLogsFullAccess策略添加到现有实例的角色和内联策略中?
答案 0 :(得分:2)
虽然只有在实例启动期间才能将IAM角色分配给实例,但AWS于2017年2月宣布现在可以将IAM角色替换或附加到现有实例。
使用AWS控制台:Easily Replace or Attach an IAM Role to an Existing EC2 Instance by Using the EC2 Console
使用AWS CLI :Attach an AWS IAM Role to an Existing Amazon EC2 Instance by Using the AWS CLI