Cannot see the instance when applying a custom policy in AWS IAM (custom, instance, policy, AWS)

Shared by user (精神建設)

I have created a policy for restricting access of a user to a single instance as:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1392113879000",
      "Effect": "Allow",
      "Action": [
        "ec2:*"
      ],
      "Resource": [
        "arn:aws:ec2:us-east-1:account:instance/instance_id"
      ]
    }
  ]
}

But I am getting this error:

You are not authorized to describe Running Instances
You are not authorized to describe Elastic IPs 
You are not authorized to describe Volumes 
You are not authorized to describe Snapshots 
You are not authorized to describe Key Pairs 
You are not authorized to describe Load Balancers 
You are not authorized to describe Placement Groups 
You are not authorized to describe Security Groups

I can't see the instance in the console. If I can't implement this thing then what is the use of policies!!

I'm stuck, please help.

Recommended answer

From IAM Policies for Amazon EC2:

Currently, not all API actions support individual ARNs; we'll add support for additional API actions and ARNs for additional Amazon EC2 resources later. For information about which ARNs you can use with which Amazon EC2 API actions, as well as supported condition keys for each ARN, see Supported Resources and Conditions for Amazon EC2 API Actions.

So, writing ec2:* is not going to help you. Instead, you should provide the exact API actions that you wish to grant to this user.

Also, quoting from the same link referred above:

To specify all resources, or if a specific API action does not support ARNs, use the * wildcard in the Resource element as follows:

Assigning restrictive EC2 IAM policies is a bit complicated. You may want to read the above referred link in detail as well as this link.
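
An added example (not part of the original answer or of AWS's documentation) that checks a policy for the problem described above and builds a two-statement replacement. The helper names and the list of actions granted on the single instance are assumptions made for illustration.

```python
import fnmatch

# Read-only EC2 calls behind the console errors quoted in the question.
# EC2 Describe* actions take no resource ARN; they only match Resource "*".
CONSOLE_DESCRIBE_ACTIONS = [
    "ec2:DescribeInstances", "ec2:DescribeAddresses", "ec2:DescribeVolumes",
    "ec2:DescribeSnapshots", "ec2:DescribeKeyPairs",
    "ec2:DescribePlacementGroups", "ec2:DescribeSecurityGroups",
]

def as_list(value):
    return value if isinstance(value, list) else [value]

def unusable_describe_grants(policy):
    """Return (Sid, action) pairs for Describe grants scoped narrower than "*"."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "*" in as_list(stmt.get("Resource", [])):
            continue
        for action in CONSOLE_DESCRIBE_ACTIONS:
            # IAM action names are case-insensitive and allow * and ? wildcards.
            if any(fnmatch.fnmatchcase(action.lower(), p.lower())
                   for p in as_list(stmt.get("Action", []))):
                findings.append((stmt.get("Sid"), action))
    return findings

def split_policy(instance_arn, instance_actions):
    """Build the two-statement form: Describe* on "*", exact actions on the ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DescribeAll", "Effect": "Allow",
             "Action": ["ec2:Describe*"], "Resource": "*"},
            {"Sid": "OneInstance", "Effect": "Allow",
             "Action": list(instance_actions), "Resource": [instance_arn]},
        ],
    }

# The policy from the question, with its placeholder ARN kept as posted.
ARN = "arn:aws:ec2:us-east-1:account:instance/instance_id"
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Stmt1392113879000", "Effect": "Allow",
    "Action": ["ec2:*"], "Resource": [ARN]}]}

# Assumed set of actions the administrator wants on the single instance.
FIXED_POLICY = split_policy(
    ARN, ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"])

if __name__ == "__main__":
    print(unusable_describe_grants(QUESTION_POLICY))
```

With Describe* granted on "*", the user can list every instance in the account; only the start, stop and reboot calls are confined to the one ARN.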
