AWS EC2：ec2:RequestSpotInstances 的 IAM 策略

Question

我需要创建允许用户创建现场请求的策略，但仅限于特定的子网和安全组。这就是我所做的：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:RequestSpotInstances",
            "Resource": [
                "arn:aws:ec2:us-east-1:123456789012:image/ami-*",
                "arn:aws:ec2:us-east-1:123456789012:subnet/subnet-af016c92",
                "arn:aws:ec2:us-east-1:123456789012:subnet/subnet-12a34d3c",
                "arn:aws:ec2:us-east-1:123456789012:subnet/subnet-f0e844cd",
                "arn:aws:ec2:us-east-1:123456789012:subnet/subnet-026ae728",
                "arn:aws:ec2:us-east-1:123456789012:key-pair/*",
                "arn:aws:ec2:us-east-1:123456789012:security-group/sg-b5dd94cd",
                "arn:aws:ec2:us-east-1:123456789012:security-group/sg-3bda8c42"
            ]
        }
    ]
}

但我的现场请求创建仍然失败：

botocore.exceptions.ClientError: An error occurred (UnauthorizedOperation) when calling the RequestSpotInstances operation: You are not authorized to perform this operation.

RequestSpotInstances 操作的最小权限子集是什么？

有没有可能调试这个？

Answer 1

我知道这是一个老问题，但我刚刚在我的环境中遇到了同样的问题。我的解决方案是为“PassRole”添加 IAM 权限

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1479335761363",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:RequestSpotInstances",
        "ec2:RunInstances",
        "iam:PassRole"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }]

}

Answer 2

根据 EC2 文档 (here)，ec2:RequestSpotInstances 是属于“不受支持的资源级权限”类别的操作。不幸的是，您必须将资源标签设置为所有资源，如下所示：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:RequestSpotInstances",
            "Resource": [ "*" ]
        }
    ]
}

就调试而言，不要忘记 IAM 策略模拟器，它可以从 AWS 控制台 => IAM => 用户页面访问。