Amazon ec2 Boto3自定义服务生因没有资源权限而被拒绝

我正在尝试创建一个自定义服务程序，以便在rds db群集恢复到某个时间点时恢复boto3脚本。（我正试图使这种方法适应我的需要：）除了关于定制服务员的薄文档之外，这似乎应该是简单的，但我有一个权限问题。我正在运行脚本的EC2容器具有运行

rds:DescribeDBClusters

的权限，我可以在脚本中使用该权限，如下所示：

# Check on the cluster
response = rds.describe_db_clusters(
    DBClusterIdentifier=db_cluster_identifier,
)
status = response['DBClusters'][0]['Status']
print(status)
available

但是，当我设置一个自定义服务员来监视此操作时，我会出现以下错误：

botocore.exceptions.WaiterError: Waiter DbClusterRestored failed: User: arn:aws:sts::123456789012:assumed-role/OrgIamRole/i-1234567890abcdef is not authorized to perform: rds:DescribeDBClusters

也许我遗漏了一些明显的东西，但我不明白为什么服务员遗漏了创建服务员的脚本允许做的事情的权限

容器权限如下所示：

"OrgIamPolicy": {
  "Type": "AWS::IAM::Policy",
  "Properties": {
    "PolicyName": "OrgIamPolicy",
    "Roles": [
      {
        "Ref": "OrgIamRole"
      }
    ],
    "PolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "rds:DescribeDBClusters"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:rds:us-east-1:123456789012:*"
          ]
        }
      ]
    }
  }
}

下面是我用于恢复集群和设置服务器的代码：

import boto3
import botocore
import os
import subprocess


rds = boto3.client('rds')

db_cluster_target_instance = 'orgstagingrdsinstance'
db_instance_identifier = 'backupinstance'
db_instance_class = 'db.t2.medium'
target_db_cluster_identifier = "org-backup-cluster"
source_db_cluster_identifier = "org-staging-rds-cluster"


# Create the cluster
response = rds.restore_db_cluster_to_point_in_time(
  DBClusterIdentifier=target_db_cluster_identifier,
  RestoreType='copy-on-write',
  SourceDBClusterIdentifier=source_db_cluster_identifier,
  UseLatestRestorableTime=True
)


# Check on the cluster
response = rds.describe_db_clusters(
    DBClusterIdentifier=db_cluster_identifier,
)
status = response['DBClusters'][0]['Status']
print(status)


# Create waiter
delay = 10
max_attempts = 30
waiter_name = "DbClusterRestored"

model = botocore.waiter.WaiterModel({
  "version": 2,
  "waiters": {
    "DbClusterRestored": {
      "operation": "DescribeDBClusters",
      "delay": delay,
      "maxAttempts": max_attempts,
      "acceptors": [
        {
          "matcher": "pathAll",
          "expected": "available",
          "state": "success",
          "argument": "DBClusters[].Status"
        },
        {
          "matcher": "pathAll",
          "expected": "deleting",
          "state": "failure",
          "argument": "DBClusters[].Status"
        },
        {
          "matcher": "pathAll",
          "expected": "creating",
          "state": "failure",
          "argument": "DBClusters[].Status"
        },
      ]
    }
  }
})

waiter = botocore.waiter.create_waiter_with_client(waiter_name, model, rds)
waiter.wait() 

显然，我有这个代码修剪，我有模糊的个人数据。抱歉，这可能会导致任何错误

---

感谢您提供的任何帮助。

好的，答案似乎很简单。问题在于请求的范围。用户有权在以下资源上运行此操作：

"Resource": [
  "arn:aws:rds:us-east-1:123456789012:*"
]

当我跑的时候

response = rds.describe_db_clusters(
    DBClusterIdentifier=db_cluster_identifier,
)

waiter = botocore.waiter.create_waiter_with_client(waiter_name, model, rds)
waiter.wait() 

我将范围限制在

arn:aws:rds:us-east-1:123456789012:

中的集群上。当我跑的时候

response = rds.describe_db_clusters(
    DBClusterIdentifier=db_cluster_identifier,
)

waiter = botocore.waiter.create_waiter_with_client(waiter_name, model, rds)
waiter.wait() 

我没有通过那个限制。我需要跑的是

waiter = botocore.waiter.create_waiter_with_client(waiter_name, model, rds)
waiter.wait(DBClusterIdentifier=db_cluster_identifier) 

这在中传递了必要的约束，并确保权限范围与请求匹配

我希望这能帮助处于类似情况的人