具有ECR IAM策略集的实例上的AWS CLI

时间:2017-02-01 14:43:04

标签: amazon-web-services amazon-ec2 amazon-iam aws-cli

我有一个IAM角色,我已经使用模拟器测试过,以提供AmazonEC2ContainerRegistryReadOnly访问权限。我已经启动了一个带有角色的ec2,我可以在EC2控制台中看到它附加到实例。当我SSH进入EC2,并尝试运行

aws ecr get-authorization-token

我收到了消息 ' AccessKeyId'

我试图做过" aws configure"并设置默认区域和输出(保持ACCESS和SECRET为空)但仍然得到相同的结果......

有人可以帮忙吗?

Screenshot of 'error'

DEBUG -

[ec2-user@ip-10-0-101-105 ~]$ aws ecr get-authorization-token

'AccessKeyId'
[ec2-user@ip-10-0-101-105 ~]$ aws ecr get-authorization-token --debug
2017-02-01 15:03:00,704 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/1.11.44 Python/2.7.12 Linux/4.4.41-36.55.amzn1.x86_64 botocore/1.5.7
2017-02-01 15:03:00,704 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['ecr', 'get-authorization-token', '--debug']
2017-02-01 15:03:00,704 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function add_scalar_parsers at 0x7efd7abe4578>
2017-02-01 15:03:00,704 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function inject_assume_role_provider_cache at 0x7efd7b516c80>
2017-02-01 15:03:00,705 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/lib/python2.7/site-packages/botocore/data/ecr/2015-09-21/service-2.json
2017-02-01 15:03:00,712 - MainThread - botocore.hooks - DEBUG - Event service-data-loaded.ecr: calling handler <function register_retries_for_service at 0x7efd7be11488>
2017-02-01 15:03:00,712 - MainThread - botocore.handlers - DEBUG - Registering retry handlers for service: ecr
2017-02-01 15:03:00,713 - MainThread - botocore.hooks - DEBUG - Event building-command-table.ecr: calling handler <function _inject_get_login at 0x7efd7acff1b8>
2017-02-01 15:03:00,713 - MainThread - botocore.hooks - DEBUG - Event building-command-table.ecr: calling handler <function add_waiters at 0x7efd7abe8938>
2017-02-01 15:03:00,716 - MainThread - awscli.clidriver - DEBUG - OrderedDict([(u'registry-ids', <awscli.arguments.ListArgument object at 0x7efd7a87d9d0>)])
2017-02-01 15:03:00,716 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.ecr.get-authorization-token: calling handler <function add_streaming_output_arg at 0x7efd7abe4b90>
2017-02-01 15:03:00,716 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.ecr.get-authorization-token: calling handler <function add_cli_input_json at 0x7efd7b520b90>
2017-02-01 15:03:00,717 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.ecr.get-authorization-token: calling handler <function unify_paging_params at 0x7efd7ac735f0>
2017-02-01 15:03:00,719 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/lib/python2.7/site-packages/botocore/data/ecr/2015-09-21/paginators-1.json
2017-02-01 15:03:00,719 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.ecr.get-authorization-token: calling handler <function add_generate_skeleton at 0x7efd7ac5d9b0>
2017-02-01 15:03:00,719 - MainThread - botocore.hooks - DEBUG - Event before-building-argument-table-parser.ecr.get-authorization-token: calling handler <bound method CliInputJSONArgument.override_required_args of <awscli.customizations.cliinputjson.CliInputJSONArgument object at 0x7efd7a87da10>>
2017-02-01 15:03:00,719 - MainThread - botocore.hooks - DEBUG - Event before-building-argument-table-parser.ecr.get-authorization-token: calling handler <bound method GenerateCliSkeletonArgument.override_required_args of <awscli.customizations.generatecliskeleton.GenerateCliSkeletonArgument object at 0x7efd7a85a750>>
2017-02-01 15:03:00,720 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.ecr.get-authorization-token.registry-ids: calling handler <function uri_param at 0x7efd7b53aaa0>
2017-02-01 15:03:00,720 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.ecr.get-authorization-token.cli-input-json: calling handler <function uri_param at 0x7efd7b53aaa0>
2017-02-01 15:03:00,720 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.ecr.get-authorization-token.generate-cli-skeleton: calling handler <function uri_param at 0x7efd7b53aaa0>
2017-02-01 15:03:00,721 - MainThread - botocore.hooks - DEBUG - Event calling-command.ecr.get-authorization-token: calling handler <bound method GenerateCliSkeletonArgument.generate_json_skeleton of <awscli.customizations.generatecliskeleton.GenerateCliSkeletonArgument object at 0x7efd7a85a750>>
2017-02-01 15:03:00,721 - MainThread - botocore.hooks - DEBUG - Event calling-command.ecr.get-authorization-token: calling handler <bound method CliInputJSONArgument.add_to_call_parameters of <awscli.customizations.cliinputjson.CliInputJSONArgument object at 0x7efd7a87da10>>
2017-02-01 15:03:00,721 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: env
2017-02-01 15:03:00,721 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role
2017-02-01 15:03:00,721 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: shared-credentials-file
2017-02-01 15:03:00,721 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: config-file
2017-02-01 15:03:00,722 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: ec2-credentials-file
2017-02-01 15:03:00,722 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: boto-config
2017-02-01 15:03:00,722 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: container-role
2017-02-01 15:03:00,722 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: iam-role
2017-02-01 15:03:00,725 - MainThread - botocore.vendored.requests.packages.urllib3.connectionpool - INFO - Starting new HTTP connection (1): 169.254.169.254
2017-02-01 15:03:00,726 - MainThread - botocore.vendored.requests.packages.urllib3.connectionpool - DEBUG - "GET /latest/meta-data/iam/security-credentials/ HTTP/1.1" 200 11
2017-02-01 15:03:00,727 - MainThread - botocore.vendored.requests.packages.urllib3.connectionpool - INFO - Starting new HTTP connection (1): 169.254.169.254
2017-02-01 15:03:00,728 - MainThread - botocore.vendored.requests.packages.urllib3.connectionpool - DEBUG - "GET /latest/meta-data/iam/security-credentials/jenkins-DEV HTTP/1.1" 200 255
2017-02-01 15:03:00,729 - MainThread - awscli.clidriver - DEBUG - Exception caught in main()
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/awscli/clidriver.py", line 197, in main
    return command_table[parsed_args.command](remaining, parsed_args)
  File "/usr/local/lib/python2.7/site-packages/awscli/clidriver.py", line 333, in __call__
    return command_table[parsed_args.operation](remaining, parsed_globals)
  File "/usr/local/lib/python2.7/site-packages/awscli/clidriver.py", line 503, in __call__
    call_parameters, parsed_globals)
  File "/usr/local/lib/python2.7/site-packages/awscli/clidriver.py", line 620, in invoke
    verify=parsed_globals.verify_ssl)
  File "/usr/local/lib/python2.7/site-packages/botocore/session.py", line 825, in create_client
    credentials = self.get_credentials()
  File "/usr/local/lib/python2.7/site-packages/botocore/session.py", line 449, in get_credentials
    'credential_provider').load_credentials()
  File "/usr/local/lib/python2.7/site-packages/botocore/credentials.py", line 1083, in load_credentials
    creds = provider.load()
  File "/usr/local/lib/python2.7/site-packages/botocore/credentials.py", line 488, in load
    metadata = fetcher.retrieve_iam_role_credentials()
  File "/usr/local/lib/python2.7/site-packages/botocore/utils.py", line 203, in retrieve_iam_role_credentials
    'access_key': data[role_name]['AccessKeyId'],
KeyError: 'AccessKeyId'
2017-02-01 15:03:00,735 - MainThread - awscli.clidriver - DEBUG - Exiting with rc 255

'AccessKeyId'

编辑:

发现信任政策设置不正确。

1 个答案:

答案 0 :(得分:0)

为后代添加答案,以便其他人看到遇到此错误时该怎么办。一个EC2实例配置文件(一个IAM角色)需要允许EC2服务担当该角色,因此您将需要这样的信任策略:

"Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}