Amazon web services 地形平面图命令失败
我试图使用不同的用户和自定义策略来执行Terraform plan命令,但我无法找出运行此命令时缺少的策略操作。我不想允许Amazon web services 地形平面图命令失败,amazon-web-services,amazon-iam,terraform,terraform-provider-aws,Amazon Web Services,Amazon Iam,Terraform,Terraform Provider Aws,我试图使用不同的用户和自定义策略来执行Terraform plan命令,但我无法找出运行此命令时缺少的策略操作。我不想允许ec2: 资源已经在运行,我们只是尝试将代码移动到另一个项目 当我使用ec2:权限运行计划时,它工作正常 错误: Error refreshing state: 2 error(s) occurred: * module.mesos.aws_instance.master: 3 error(s) occurred: * module.mesos.
ec2:
资源已经在运行,我们只是尝试将代码移动到另一个项目
当我使用ec2:
权限运行计划时,它工作正常
错误:
Error refreshing state: 2 error(s) occurred:
* module.mesos.aws_instance.master: 3 error(s) occurred:
* module.mesos.aws_instance.master[2]: aws_instance.master.2: UnauthorizedOperation: You are not authorized to perform this operation.
status code: 403, request id: 484574e1-0dd0-4c43-b829-42c034763bad
* module.mesos.aws_instance.master[1]: aws_instance.master.1: UnauthorizedOperation: You are not authorized to perform this operation.
status code: 403, request id: e0499d28-d55c-46e8-af1a-91262427b422
* module.mesos.aws_instance.master[0]: aws_instance.master.0: UnauthorizedOperation: You are not authorized to perform this operation.
status code: 403, request id: f1fb50ac-7bb5-47d6-b1b4-b24b38a61fdd
* module.mesos.data.aws_ami.agent: 1 error(s) occurred:
* module.mesos.data.aws_ami.agent: data.aws_ami.agent: UnauthorizedOperation: You are not authorized to perform this operation.
status code: 403, request id: a7dcf75b-30d1-4c74-8c30-a002644db313
代码:
read方法(在刷新状态时调用)调用descripbeinstances
,descripbeinstanceAttribute
,descripbeaminstanceprofileassociations
需要ec2:descripbeinstances
的端点,ec2:descripbeinstanceAttribute
和ec2:descripbeiaminstanceprofileassociations
调用需要执行ec2:descripbeimages
IAM操作的descripbeimages
端点
因此,您缺少ec2:descripbeinstanceattribute
(您有ec2:descripbeinstanceattributes
,这不是有效的操作)和ec2:descripbeimage
Terraform发出的调用可以通过查看源代码(和)来发现,而相关IAM操作可以在中找到
如果有很好的理由不允许使用ec2:descripe*
,我会感到惊讶,因为这些只是只读操作,不应该暴露任何敏感的内容。读取方法(在刷新状态时调用)调用descripbeinstances
,descripbeinstanceAttribute
,descripbeaminstanceprofileassociations
分别需要ec2:descripbeinstances
、ec2:descripbeinstanceAttribute
和ec2:descripbeaminstanceprofileassociations
的端点
调用需要执行ec2:descripbeimages
IAM操作的descripbeimages
端点
因此,您缺少ec2:descripbeinstanceattribute
(您有ec2:descripbeinstanceattributes
,这不是有效的操作)和ec2:descripbeimage
Terraform发出的调用可以通过查看源代码(和)来发现,而相关IAM操作可以在中找到
如果有一个很好的理由不允许使用ec2:descripe*
,我会感到惊讶,因为这些只是只读操作,不应该暴露任何敏感内容
{
"Sid": "gitec2",
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeVolumeStatus",
"ec2:StartInstances",
"ec2:DescribeVolumes",
"ec2:RunInstances",
"ec2:StopInstances",
"ec2:AssignPrivateIpAddresses",
"ec2:DescribeVolumeAttribute",
"ec2:DescribeSubnets",
"ec2:AttachVolume",
"ec2:DescribeRegions",
"ec2:DescribeVpcAttribute",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInstanceStatus",
"ec2:DescribeSecurityGroups",
"ec2:DescribeVpcs",
"ec2:DescribeNetworkAcls",
"ec2:DescribeRouteTables",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeAddresses",
"ec2:DescribeInstanceAttributes",
"ec2:DescribeNetworkInterfaces",
"ec2:CreateSecurityGroup",
"ec2:TerminateInstances",
"ec2:DescribeIamInstanceProfileAssociations",
"ec2:DescribeTags",
"ec2:DescribeImageAttribute",
"ec2:DescribeSecurityGroupReferences",
"ec2:AssociateIamInstanceProfile",
"ec2:AttachInternetGateway",
"ec2:AttachNetworkGateway",
"ec2:AssociateIamInstanceProfile",
"ec2:DeleteSecurityGroup"
],
"Resource": "*"
}