AWS CloudFormation: "Key pair ___ does not exist" error for a newly created EC2 key pair

Time: 2018-05-02 04:00:53

Tags: amazon-web-services amazon-ec2 aws-lambda amazon-cloudformation

I am using a custom CloudFormation resource to generate an EC2 key pair for an automated install. I am trying to remove as many manual steps as possible from a highly automated server setup. Here is the relevant part of the CloudFormation template:

LambdaRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Action:
            - sts:AssumeRole
          Effect: Allow
          Principal:
            Service:
              - lambda.amazonaws.com

LambdaPolicy:
  Type: AWS::IAM::Policy
  DependsOn:
    - LambdaRole
  Properties:
    PolicyName: CFNCustomSecretProviderPolicy
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Action:
            - iam:CreateAccessKey
            - iam:DeleteAccessKey
            - iam:UpdateAccessKey
            - ssm:PutParameter
            - ssm:GetParameter
            - ssm:DeleteParameter
            - ec2:ImportKeyPair
            - ec2:DeleteKeyPair
          Resource:
            - '*'
        - Effect: Allow
          Action:
            - kms:Encrypt
          Resource:
            - '*'
        - Action:
            - logs:*
          Resource: arn:aws:logs:*:*:*
          Effect: Allow
    Roles:
      - !Ref 'LambdaRole'

CFNSecretProvider:
  Type: AWS::Lambda::Function
  DependsOn:
    - LambdaPolicy
  Properties:
    Description: CloudFormation Custom:Secret implementation
    Code:
      S3Bucket: !Sub 'binxio-public-${AWS::Region}'
      S3Key: lambdas/cfn-secret-provider-0.11.0.zip
    Handler: secrets.handler
    MemorySize: 128
    Timeout: 30
    Role: !GetAtt 'LambdaRole.Arn'
    Runtime: python2.7

PrivateKey:
  Type: Custom::RSAKey
  DependsOn: CFNSecretProvider
  Properties:
    Name: /mainframe/onyx-private-key
    KeyAlias: alias/aws/ssm
    ServiceToken: !Join
      - ":"
      - - arn:aws:lambda
        - !Ref "AWS::Region"
        - !Ref "AWS::AccountId"
        - !Ref CFNSecretProvider

CustomKeyPair:
  Type: Custom::KeyPair
  DependsOn:
    - CFNSecretProvider
    - PrivateKey
  Properties:
    Name: CustomKeyPair
    PublicKeyMaterial: !GetAtt
      - PrivateKey
      - PublicKey
    ServiceToken: !Join
      - ":"
      - - arn:aws:lambda
        - !Ref "AWS::Region"
        - !Ref "AWS::AccountId"
        - !Ref CFNSecretProvider

EC2Instance:
  Type: AWS::EC2::Instance
  DependsOn:
    - CustomKeyPair
    - InstanceProfile
  Properties:
    IamInstanceProfile: !Ref InstanceProfile
    InstanceType: !Ref InstanceType
    ImageId: !FindInMap [AWSRegionToAMI, !Ref "AWS::Region", AMI]
    KeyName: !Ref CustomKeyPair

...

Everything in it seems to work until the instance is created. It fails, claiming the key pair does not exist, even though the key pair exists after the run and I can query it:

∴ aws ec2 describe-key-pairs --region=us-east-2 --profile=mainframe-personal
{
    "KeyPairs": [
        {
            "KeyFingerprint": "90:42:11:40:a5:9b:66:af:78:ce:b4:d1:54:07:95:27",
            "KeyName": "CustomKeyPair"
        },
        {
            "KeyFingerprint": "27:5c:bf:4a:b2:f6:75:3b:8c:c3:1b:57:0d:7e:28:de:8e:cd:90:69",
            "KeyName": "default"
        }
    ]
}

The error I get in the CloudFormation event log is: The key pair 'arn:aws:ec2:us-east-2:685716241758:keypair/CustomKeyPair' does not exist. That ARN is exactly what is shown in the resource list. Is there some reason CloudFormation cannot find this key pair?

1 Answer:

Answer 0 (score: 2)

The AWS::EC2::Instance - AWS CloudFormation documentation says:

KeyName: Provides the name of an Amazon EC2 key pair

The error message indicates that an ARN was passed. Instead, try passing the name (the last part of the ARN).
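As an added illustration (not part of the question or the answer): `!Ref` on a custom resource resolves to whatever physical id its Lambda reported, and the error message shows that here it is the key pair ARN, while `AWS::EC2::Instance.KeyName` wants the bare name. One template-level way to get the name without touching the Lambda is `KeyName: !Select [1, !Split ["/", !Ref CustomKeyPair]]`. The Python below, written for this example, flags that pattern in a constructed long-form template fragment, rewrites it, and evaluates the rewritten expression against the ARN from the question with a tiny intrinsic-function evaluator (the template fragment, resource ids and helper names are assumptions made for this example).

```python
import copy

# Constructed long-form fragment mirroring the question's template (not the poster's YAML).
TEMPLATE = {
    "Resources": {
        "CustomKeyPair": {"Type": "Custom::KeyPair", "Properties": {"Name": "CustomKeyPair"}},
        "EC2Instance": {
            "Type": "AWS::EC2::Instance",
            "Properties": {"KeyName": {"Ref": "CustomKeyPair"}, "InstanceType": "t2.micro"},
        },
    }
}
# What the question's error message shows `!Ref CustomKeyPair` resolving to.
KEYPAIR_REF_VALUE = "arn:aws:ec2:us-east-2:685716241758:keypair/CustomKeyPair"

def keyname_refs_to_custom_resources(template):
    """Logical ids of EC2 instances whose KeyName is a bare Ref to a Custom:: resource."""
    res = template["Resources"]
    hits = []
    for lid, r in res.items():
        if r.get("Type") != "AWS::EC2::Instance":
            continue
        key = r.get("Properties", {}).get("KeyName")
        target = key.get("Ref") if isinstance(key, dict) else None
        if target and res.get(target, {}).get("Type", "").startswith("Custom::"):
            hits.append(lid)
    return hits

def fix_keyname(template):
    """Rewrite flagged KeyName values to !Select [1, !Split ["/", <Ref>]] in long form."""
    fixed = copy.deepcopy(template)
    for lid in keyname_refs_to_custom_resources(fixed):
        props = fixed["Resources"][lid]["Properties"]
        props["KeyName"] = {"Fn::Select": [1, {"Fn::Split": ["/", props["KeyName"]]}]}
    return fixed

def evaluate_key_name(expr, ref_values):
    """Minimal evaluator for Ref / Fn::Split / Fn::Select, to show what CloudFormation resolves."""
    if isinstance(expr, str):
        return expr
    if "Ref" in expr:
        return ref_values[expr["Ref"]]
    if "Fn::Split" in expr:
        delim, inner = expr["Fn::Split"]
        return evaluate_key_name(inner, ref_values).split(delim)
    if "Fn::Select" in expr:
        idx, inner = expr["Fn::Select"]
        return evaluate_key_name(inner, ref_values)[int(idx)]
    raise ValueError("unsupported intrinsic: %r" % (expr,))
```

Running `evaluate_key_name(fix_keyname(TEMPLATE)["Resources"]["EC2Instance"]["Properties"]["KeyName"], {"CustomKeyPair": KEYPAIR_REF_VALUE})` yields `CustomKeyPair`, the value `KeyName` actually needs.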