Amazon Web Services: permissions required to start and stop EC2 instances with boto3 start/stop_instances
When I try to start my instance with boto3's `start_instance` command I run into a problem and get the error:

botocore.exceptions.ClientError: An error occurred (UnauthorizedOperation) when calling the StartInstances operation: You are not authorized to perform this operation

After several hours of digging I still cannot get the right permissions for the command to run correctly. I decoded the error message and got a big list of actions that I guess may need to be added to the instance's IAM role. I have added these two roles to the EC2 instance, but I still have no luck.
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeTags"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:RebootInstances"
            ],
            "Resource": "arn:aws:ec2:us-east-2:USER_ID:instance/INSTANCE_ID"
        }
    ]
}
```
When I decode my error message I get a list of "value"s that don't mean much to me, but they are:
```json
"items": [
    { "value": "iam:AttachGroupPolicy" },
    { "value": "iam:AttachRolePolicy" },
    { "value": "iam:AttachUserPolicy" },
    { "value": "iam:ChangePassword" },
    { "value": "iam:CreateAccessKey" },
    { "value": "iam:CreateInstanceProfile" },
    { "value": "iam:CreateLoginProfile" },
    { "value": "iam:CreateRole" },
    { "value": "iam:CreateUser" },
    { "value": "iam:DetachUserPolicy" },
    { "value": "iam:PutUserPermissionsBoundary" },
    { "value": "iam:PutUserPolicy" },
    { "value": "iam:UpdateAccessKey" },
    { "value": "iam:UpdateAccountPasswordPolicy" },
    { "value": "iam:UpdateUser" },
    { "value": "ec2:RequestSpotInstances" },
    { "value": "ec2:RunInstances" },
    { "value": "ec2:StartInstances" },
    { "value": "organizations:CreateAccount" },
    { "value": "organizations:CreateOrganization" },
    { "value": "organizations:InviteAccountToOrganization" },
    { "value": "lambda:CreateFunction" },
    { "value": "lightsail:Create*" },
    { "value": "lightsail:Start*" },
    { "value": "lightsail:Delete*" },
    { "value": "lightsail:Update*" },
    { "value": "lightsail:GetInstanceAccessDetails" },
    { "value": "lightsail:DownloadDefaultKeyPair" }
]
```
I am just trying to start and stop an instance from a Python script, but I can't seem to understand why the permissions are not configured correctly. My script for starting and stopping the instance is below:
```python
# code from https://github.com/niftycode/aws-ec2-start-stop/blob/36a795d57802d82709fdd61f406880c6c0c5be52/start_stop_ec2.py#L132
import boto3
from botocore.exceptions import ClientError


def start_ec2(ids):
    # A DryRun call only checks permissions; a DryRunOperation error
    # means the caller is authorized and nothing has been started.
    try:
        ec2.start_instances(InstanceIds=ids, DryRun=True)
    except ClientError as e:
        if 'DryRunOperation' not in str(e):
            raise
    # Dry run succeeded, run start_instances without dryrun
    try:
        response = ec2.start_instances(InstanceIds=ids, DryRun=False)
    except ClientError as e:
        print(e)


def stop_ec2(ids):
    try:
        ec2.stop_instances(InstanceIds=ids, DryRun=True)
    except ClientError as e:
        if 'DryRunOperation' not in str(e):
            raise
    # Dry run succeeded, call stop_instances without dryrun
    try:
        response = ec2.stop_instances(InstanceIds=ids, DryRun=False)
    except ClientError as e:
        print(e)


ids = ["xxxxxxxxxx"]
ec2 = boto3.client('ec2', region_name='us-east-2', aws_access_key_id='xxxxxxx', aws_secret_access_key='xxxxxxxxxxx')
# start the instance
start_ec2(ids)
```
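The second statement of the policy above grants StartInstances/StopInstances only on one instance ARN, so the ARN's region, account id (the 12-digit AWS account number, not a user id) and instance id must all match the instance the script targets; any mismatch is an implicit deny, which is exactly what surfaces as UnauthorizedOperation. The following simplified evaluator is an added example, not part of the question and not AWS's own evaluation logic; it replays that check offline against the posted policy, with constructed placeholder account and instance ids.

```python
import fnmatch
import json

# Constructed sample input: the asker's policy, with a placeholder account id and
# instance id standing in for the page's USER_ID / INSTANCE_ID.
POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
  {"Effect": "Allow",
   "Action": ["ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeTags"],
   "Resource": "*"},
  {"Effect": "Allow",
   "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
   "Resource": "arn:aws:ec2:us-east-2:123456789012:instance/i-0123456789abcdef0"}
 ]}
""")

SCRIPT_ACTIONS = ["ec2:StartInstances", "ec2:StopInstances"]


def instance_arn(region, account_id, instance_id):
    # The account segment is the 12-digit AWS account id, not an IAM user id.
    return f"arn:aws:ec2:{region}:{account_id}:instance/{instance_id}"


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy, action, resource):
    """Simplified identity-policy evaluation: an explicit Deny wins, any matching
    Allow grants, anything else is an implicit deny. Conditions, NotAction/NotResource,
    resource-based policies and SCPs are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names match case-insensitively, ARNs case-sensitively; '*' and '?' are wildcards.
        act_ok = any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"]))
        res_ok = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
        if act_ok and res_ok:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def missing_permissions(policy, actions, resource):
    """Actions the start/stop script needs that this policy would not grant on `resource`."""
    return [a for a in actions if not is_allowed(policy, a, resource)]


if __name__ == "__main__":
    good = instance_arn("us-east-2", "123456789012", "i-0123456789abcdef0")
    other_region = instance_arn("us-east-1", "123456789012", "i-0123456789abcdef0")
    print(missing_permissions(POLICY, SCRIPT_ACTIONS, good))          # []
    print(missing_permissions(POLICY, SCRIPT_ACTIONS, other_region))  # ['ec2:StartInstances', 'ec2:StopInstances']
```

Note that none of the iam:, organizations: or lightsail: actions from the decoded message are needed for this script; only the two ec2 actions on the correct instance ARN are.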
What is your script? How do you use these permissions in the script? Is it some instance role?

I just updated the original post with the script. I don't think there is anything wrong with how I set up and call the start command, since my error is only about authorization.

Do you have any other credentials on the instance? They may be overriding your instance role. Environment variables, .aws/config?

Yes, I also have the AmazonEC2FullAccess and AmazonSmFullAccess roles. When I first hit the error, the only role I had was the AmazonSmFullAccess role.

The GH link also has `credentials=read_credentials()`? What is that? Where does it read from? boto3 manages credentials by itself.