我可以在管理控制檯中用iam-role啓動ec2-instance。 但我不知道如何與AWS-紅寶石SDK如何使用iam角色啓動ec2-instance?
iam-role " test"'s Policy is here
"Effect": "Allow",
"Action": "*",
"Resource": "*"
這裏IAM角色推出EC2實例是結果:
/var/lib/gems/1.8/gems/aws-sdk-1.7.1/lib/aws/core/client.rb:318:in `return_or_raise':
You are not authorized to perform iam:PassRole with arn:aws:iam::xxxxxxxxxxx:role/test
(AWS::EC2::Errors::UnauthorizedOperation)
您使用您的Ruby腳本憑證沒有權限使用「測試」IAM角色啓動實例。您需要修改的策略該用戶,並授予它IAM:PassRole權限,例如:
{
"Statement": [{
"Effect":"Allow",
"Action":"ec2:RunInstances",
"Resource":"*"
},
{
"Effect":"Allow",
"Action":"iam:PassRole",
"Resource":"arn:aws:iam::xxxxxxxxxxx:role/test"
}]
}
這是一項安全功能 - 這是可能的錯誤配置IAM允許特權升級,因此AWS使用「默認安全「政策。
你也可以使用該策略允許用戶使用任何IAM角色發動實例 - 但在此之前,你應該考慮的安全問題:
{
"Effect":"Allow",
"Action":"iam:PassRole",
"Resource":"*"
}]
編號:http://docs.amazonwebservices.com/IAM/latest/UserGuide/role-usecase-ec2app.html