Amazon Web Services: AWS IAM user permissions for a specific EC2 server not working
I am trying to restrict a user to starting/stopping one specific EC2 instance (TESTSYS). To do that I created the following IAM policy and assigned it to the test user (TESTUSER): When I log in as that test user and try to start the "TESTSYS" instance, I get the error message
You are not authorized to perform this operation. Encoded authorization failure message:
Here is the decoded message:
{
  "DecodedMessage": {
    "allowed": false,
    "explicitDeny": false,
    "matchedStatements": {
      "items": []
    },
    "failures": {
      "items": []
    },
    "context": {
      "principal": {
        "id": "ABCDEFGHIJK0123456789",
        "name": "testuser",
        "arn": "arn:aws:iam::XXXXXXXXXXXX:user/testuser"
      },
      "action": "ec2:StopInstances",
      "resource": "arn:aws:ec2:us-east-1:XXXXXXXXXXXX:instance/i-abcdefgh012345678",
      "conditions": {
        "items": [
          { "key": "ec2:Tenancy", "values": { "items": [ { "value": "default" } ] } },
          { "key": "ec2:PlacementGroup", "values": { "items": [ { "value": "arn:aws:ec2:us-east-1:XXXXXXXXXXXX:placement-group/App Servers" } ] } },
          { "key": "XXXXXXXXXXXX:Name", "values": { "items": [ { "value": "TESTSYS" } ] } },
          { "key": "ec2:ResourceTag/System", "values": { "items": [ { "value": "TESTSYS" } ] } },
          { "key": "XXXXXXXXXXXX:System", "values": { "items": [ { "value": "TESTSYS" } ] } },
          { "key": "ec2:AvailabilityZone", "values": { "items": [ { "value": "us-east-1a" } ] } },
          { "key": "ec2:Region", "values": { "items": [ { "value": "us-east-1" } ] } },
          { "key": "ec2:ResourceTag/Name", "values": { "items": [ { "value": "TESTSYS" } ] } },
          { "key": "ec2:ebsOptimized", "values": { "items": [ { "value": "true" } ] } },
          { "key": "ec2:InstanceType", "values": { "items": [ { "value": "c4.large" } ] } },
          { "key": "ec2:RootDeviceType", "values": { "items": [ { "value": "ebs" } ] } },
          { "key": "ec2:InstanceProfile", "values": { "items": [ { "value": "arn:aws:iam::XXXXXXXXXXXX:instance-profile/EC2_TESTSYS" } ] } }
        ]
      }
    }
  }
}
When I simulate this policy for the same test user for StartInstance & StopInstance, I do see the permission allowed.
Can you tell me what I am missing?
Thanks for your help.
Thanks

You are specifying the availability zone, not the region. Try using us-east-1:
"Resource": "arn:aws:ec2:us-east-1:XXXXXXXXXXXX:instance/i-abcdefgh012345678",
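As an added example (not part of the question or the answer above), the following Python script shows why an ARN whose region field holds an availability zone never matches the request resource from the decoded message. The policies in it are constructed, since the question's actual policy is not shown: the first repeats the mistake the answer describes (us-east-1a in the region field), the second is the corrected form. The evaluator is a deliberately minimal Allow/Deny matcher for Action and Resource only, not the AWS policy engine, and the `lint_resource_arn` check is a hypothetical helper that flags a region field that looks like an availability zone.

```python
import re

# Action and resource taken from the decoded authorization message in the question
# (account id redacted with X's exactly as on the page).
REQUEST_ACTION = "ec2:StopInstances"
REQUEST_RESOURCE = "arn:aws:ec2:us-east-1:XXXXXXXXXXXX:instance/i-abcdefgh012345678"

# Constructed policies (assumption: the question's real policy is not on the page).
POLICY_WITH_AZ = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:StartInstances", "ec2:StopInstances"],
        # Mistake the answer points at: availability zone in the region field.
        "Resource": "arn:aws:ec2:us-east-1a:XXXXXXXXXXXX:instance/i-abcdefgh012345678",
    }],
}
POLICY_WITH_REGION = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:StartInstances", "ec2:StopInstances"],
        "Resource": "arn:aws:ec2:us-east-1:XXXXXXXXXXXX:instance/i-abcdefgh012345678",
    }],
}

ARN_RE = re.compile(r"^arn:([^:]*):([^:]*):([^:]*):([^:]*):(.+)$")
# Region names end in a digit (us-east-1); availability zones add a trailing letter (us-east-1a).
AZ_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d+[a-z]$")


def split_arn(arn):
    """Return (partition, service, region, account, resource) or raise ValueError."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an ARN: {arn!r}")
    return m.groups()


def lint_resource_arn(arn):
    """Hypothetical lint: list findings for a policy Resource ARN (empty list = nothing found)."""
    try:
        _, _, region, _, _ = split_arn(arn)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if AZ_RE.match(region):
        findings.append(
            f"region field {region!r} looks like an availability zone; use {region[:-1]!r}"
        )
    return findings


def _pattern_to_regex(pattern):
    """IAM Action/Resource values support '*' (any run) and '?' (one char); escape the rest."""
    out = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile("^" + out + "$", re.DOTALL)


def resource_matches(pattern, arn):
    # Resource ARNs are compared case-sensitively.
    return _pattern_to_regex(pattern).match(arn) is not None


def action_matches(pattern, action):
    # IAM matches action names case-insensitively.
    return _pattern_to_regex(pattern.lower()).match(action.lower()) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy, action, resource):
    """Minimal evaluation (Action + Resource only; no Condition/NotAction/NotResource).

    Returns the same three fields the decoded failure message reports; an explicit Deny
    always wins over an Allow, and no matching statement means an implicit deny.
    """
    matched, explicit_deny = [], False
    for index, stmt in enumerate(policy["Statement"]):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(action_matches(a, action) for a in actions) and any(
            resource_matches(r, resource) for r in resources
        ):
            matched.append(index)
            if stmt["Effect"] == "Deny":
                explicit_deny = True
    return {
        "allowed": bool(matched) and not explicit_deny,
        "explicitDeny": explicit_deny,
        "matchedStatements": matched,
    }


if __name__ == "__main__":
    for label, policy in (("with AZ", POLICY_WITH_AZ), ("with region", POLICY_WITH_REGION)):
        res = policy["Statement"][0]["Resource"]
        print(label, lint_resource_arn(res), evaluate(policy, REQUEST_ACTION, REQUEST_RESOURCE))
```

Running it prints an empty `matchedStatements` list and `allowed: False` for the AZ policy, which is exactly what the decoded message in the question shows, and `allowed: True` for the corrected one. The policy simulator in the console does not catch this class of mistake when the simulated resource is typed by hand, so checking the region segment of every instance ARN before a policy is attached is a cheap safeguard.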