Type: 'AWS::IAM::Role'
Properties:
RoleName: !Join
- '-'
- - !Ref Product
- !Ref Environment
- !Ref EnvironmentNo
- role
- svn
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- 'sts:AssumeRole'
Path: /
Policies:
- PolicyName: S3Download
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- 's3:GetObject'
- ec2:DescribeInstanceAttribute
- ec2:DescribeInstances
- ec2:DescribeInternetGateways
- ec2:DescribeKeyPairs
- ec2:DescribeNetworkAcls
- ec2:DescribePlacementGroups
- ec2:DescribeRegions
- ec2:DescribeRouteTables
- ec2:DescribeSecurityGroups
- ec2:DescribeSnapshotAttribute
- ec2:DescribeSnapshots
- ec2:DescribeSpotDatafeedSubscription
- ec2:DescribeSpotInstanceRequests
- ec2:DescribeSpotPriceHistory
- ec2:DescribeSubnets
- ec2:DescribeTags
- ec2:DescribeVolumes
- ec2:DescribeVpcs
- ec2:DescribeVpnConnections
- ec2:DescribeVpnGateways
- ec2:GetConsoleOutput
- ec2:StartInstances
- ec2:RunInstances
- ec2:StopInstances
- ec2:UnmonitorInstances
- ec2:DescribeAddresses
Resource:
- !Join
- ''
- - 'arn:aws:s3:::'
- !Ref Product
- '-'
- !Ref Environment
- '-'
- !Ref EnvironmentNo
- '-'
- 'bucket'
- '-'
- 'deployment/common/*'
- Effect: Allow
Action:
- 's3:GetObject'
Resource:
- !Join
- ''
- - 'arn:aws:s3:::'
- !Ref Product
- '-'
- !Ref Environment
- '-'
- !Ref EnvironmentNo
- '-'
- 'bucket'
- '-'
- 'deployment/*'
我在userdata64 launchconfiguration下运行脚本
"$instanceId = Invoke-RestMethod -Uri http://169.254.169.254/latest/meta-data/instance-id \n";
$available = Get-EC2Volume -Filter @{ Name="status"; Values="available" }
Write-Output $available;
"Add-EC2Volume -instanceId $instanceId -VolumeId vol-xxxxxxxx -Device /dev/sdb -Region us-west-1\n";
"Add-EC2Volume -instanceId $instanceId -VolumeId vol-xxxxxxxx -Device /dev/sdc -Region us-west-1\n";
"Get-Disk | %{ Set-Disk -Number $_.Number -IsOffline $False }\n";
因为我收到了未经授权的错误“Get-EC2Instance:您无权执行此操作。”所以我添加了所有 - ec2:在我的政策中描述*,但问题仍然没有解决。我经历了这么多论坛,但无法确定我对IAM政策的错误。