I am using a custom CloudFormation resource to generate an EC2 key pair for an automated installation. I am trying to remove as many manual steps as possible for a highly automated server setup. Here is the part of the CloudFormation template that contains the relevant code:
LambdaRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Action:
            - sts:AssumeRole
          Effect: Allow
          Principal:
            Service:
              - lambda.amazonaws.com
LambdaPolicy:
  Type: AWS::IAM::Policy
  DependsOn:
    - LambdaRole
  Properties:
    PolicyName: CFNCustomSecretProviderPolicy
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Action:
            - iam:CreateAccessKey
            - iam:DeleteAccessKey
            - iam:UpdateAccessKey
            - ssm:PutParameter
            - ssm:GetParameter
            - ssm:DeleteParameter
            - ec2:ImportKeyPair
            - ec2:DeleteKeyPair
          Resource:
            - '*'
        - Effect: Allow
          Action:
            - kms:Encrypt
          Resource:
            - '*'
        - Action:
            - logs:*
          Resource: arn:aws:logs:*:*:*
          Effect: Allow
    Roles:
      - !Ref 'LambdaRole'
CFNSecretProvider:
  Type: AWS::Lambda::Function
  DependsOn:
    - LambdaPolicy
  Properties:
    Description: CloudFormation Custom:Secret implementation
    Code:
      S3Bucket: !Sub 'binxio-public-${AWS::Region}'
      S3Key: lambdas/cfn-secret-provider-0.11.0.zip
    Handler: secrets.handler
    MemorySize: 128
    Timeout: 30
    Role: !GetAtt 'LambdaRole.Arn'
    Runtime: python2.7
PrivateKey:
  Type: Custom::RSAKey
  DependsOn: CFNSecretProvider
  Properties:
    Name: /mainframe/onyx-private-key
    KeyAlias: alias/aws/ssm
    ServiceToken: !Join
      - ":"
      - - arn:aws:lambda
        - !Ref "AWS::Region"
        - !Ref "AWS::AccountId"
        - !Ref CFNSecretProvider
CustomKeyPair:
  Type: Custom::KeyPair
  DependsOn:
    - CFNSecretProvider
    - PrivateKey
  Properties:
    Name: CustomKeyPair
    PublicKeyMaterial: !GetAtt
      - PrivateKey
      - PublicKey
    ServiceToken: !Join
      - ":"
      - - arn:aws:lambda
        - !Ref "AWS::Region"
        - !Ref "AWS::AccountId"
        - !Ref CFNSecretProvider
EC2Instance:
  Type: AWS::EC2::Instance
  DependsOn:
    - CustomKeyPair
    - InstanceProfile
  Properties:
    IamInstanceProfile: !Ref InstanceProfile
    InstanceType: !Ref InstanceType
    ImageId: !FindInMap [AWSRegionToAMI, !Ref "AWS::Region", AMI]
    KeyName: !Ref CustomKeyPair
...
Everything in there seems to work well, until the instance is created. It claims the key pair does not exist, even though the key pair does exist after the run and I can query it:
$ aws ec2 describe-key-pairs --region=us-east-2 --profile=mainframe-personal
{
    "KeyPairs": [
        {
            "KeyFingerprint": "90:42:11:40:a5:9b:66:af:78:ce:b4:d1:54:07:95:27",
            "KeyName": "CustomKeyPair"
        },
        {
            "KeyFingerprint": "27:5c:bf:4a:b2:f6:75:3b:8c:c3:1b:57:0d:7e:28:de:8e:cd:90:69",
            "KeyName": "default"
        }
    ]
}
The error I get in the CloudFormation event log is that the key pair 'arn:aws:ec2:us-east-2:685716241758:keypair/CustomKeyPair' does not exist. That ARN is exactly what appears in the resource list. Is there some reason CloudFormation cannot find this key pair?
Answer 0 (score: 2)
The AWS::EC2::Instance page of the AWS CloudFormation documentation says:
KeyName: Provides the name of an Amazon EC2 key pair.
The error message indicates that an ARN was passed. Instead, try passing the name (the last part of the ARN).
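One way to apply this, as an added example that is not part of the answer above (it assumes the question's CustomKeyPair resource and that !Ref on it returns the ARN shown in the error): derive the name from the last path segment of the ARN with Split and Select, so the template still references the custom resource and CloudFormation keeps the creation order.

```yaml
EC2Instance:
  Type: AWS::EC2::Instance
  DependsOn:
    - CustomKeyPair
    - InstanceProfile
  Properties:
    IamInstanceProfile: !Ref InstanceProfile
    InstanceType: !Ref InstanceType
    ImageId: !FindInMap [AWSRegionToAMI, !Ref "AWS::Region", AMI]
    # Broken: Ref on the custom resource yields the key pair ARN
    # (arn:aws:ec2:us-east-2:685716241758:keypair/CustomKeyPair),
    # but KeyName expects only the key pair name.
    # KeyName: !Ref CustomKeyPair
    #
    # Fixed: split the ARN on "/" and take the part after "keypair/".
    # Going through Ref keeps the implicit dependency on the custom
    # resource, so the key pair exists before the instance is created.
    KeyName: !Select [1, !Split ["/", !Ref CustomKeyPair]]
```

Because the custom resource's Name property is the literal CustomKeyPair, writing `KeyName: CustomKeyPair` also works, as long as the DependsOn entry for the custom resource stays in place.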