【发布时间】:2020-09-05 02:05:38
【问题描述】:
在 AWS 上对会话管理器进行健康检查时遇到以下错误:
amazon-ssm-agent[17614]: 2020-05-19 12:57:35 ERROR [MessagingDeliveryService] [Association] Unable to load instance associations, unable to retrieve associations unable to retrieve associations AccessDeniedException: User: arn:aws:sts::395456465418:assumed-role/SessionManagerInstanceProfile/i-02c8c2ae1dce2ce84 is not authorized to perform: ssm:ListAssociations on resource: arn:aws:ssm:ap-southeast-1:395456465418:*
相信这是由于为实例 IAM 策略授予的权限不足造成的。但是为了解决这个错误,我应该授予什么额外的访问权限?
以下是从 AWS 文档复制的当前内联策略。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssmmessages:CreateControlChannel",
"ssmmessages:CreateDataChannel",
"ssmmessages:OpenControlChannel",
"ssmmessages:OpenDataChannel",
"ssm:UpdateInstanceInformation"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject"
],
"Resource": "arn:aws:s3:::ec2-sessionmanager-logs"
},
{
"Effect": "Allow",
"Action": [
"s3:GetEncryptionConfiguration"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "kms:GenerateDataKey",
"Resource": "*"
}
]
}
【问题讨论】:
标签: amazon-web-services amazon-ec2 aws-session-manager