I tried to run CloudFormation using AWSUtility::CloudFormation::CommandRunner, but it failed with
"You do not have permissions to make the TerminateInstances API call"
Is there a workaround? Has anyone had success with this component?
My CF:
IopsCalculator:
  Type: AWSUtility::CloudFormation::CommandRunner
  Properties:
    Command:
      Fn::Sub: 'expr 100 \* 20 > /command-output.txt'
I found the component at:
and followed the steps listed there:
git clone https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-awsutilities-commandrunner.git
cd aws-cloudformation-resource-providers-awsutilities-commandrunner
curl -LO https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-awsutilities-commandrunner/releases/latest/download/awsutility-cloudformation-commandrunner.zip
./scripts/register.sh --set-default
My install output appears to have succeeded:
Creating Execution Role...
Waiting for execution role stack to complete...
Waiting for execution role stack to complete...
Creating Execution Role complete.
Creating temporary S3 Bucket 0e5f0a98e79a4f6485ae30924a6b287e...
Creating temporary S3 Bucket 0e5f0a98e79a4f6485ae30924a6b287e complete.
Configuring S3 Bucket Policy for temporary S3 Bucket 0e5f0a98e79a4f6485ae30924a6b287e...
Configuring S3 Bucket Policy for temporary S3 Bucket 0e5f0a98e79a4f6485ae30924a6b287e complete.
Copying Schema Handler Package to temporary S3 Bucket 0e5f0a98e79a4f6485ae30924a6b287e...
Copying Schema Handler Package to temporary S3 Bucket 0e5f0a98e79a4f6485ae30924a6b287e complete.
Registering AWSUtility::CloudFormation::CommandRunner to AWS CloudFormation...
RegistrationToken: 13e7ec35-ea97-42d4-b0e4-b83f3f3d4da2
Waiting for registration to complete...
Waiting for registration to complete...
Waiting for registration to complete...
Waiting for registration to complete...
Waiting for registration to complete...
Registering AWSUtility::CloudFormation::CommandRunner to AWS CloudFormation complete.
Setting current version as default...
Setting current version as default complete. (Current Version is 00000007)
Cleaning up temporary S3 Bucket...
Deleting SchemaHandlerPackage from temporary S3 Bucket 0e5f0a98e79a4f6485ae30924a6b287e...
Deleting SchemaHandlerPackage from temporary S3 Bucket 0e5f0a98e79a4f6485ae30924a6b287e complete.
Cleaning up temporary S3 Bucket complete.
AWSUtility::CloudFormation::CommandRunner is ready to use.
Best answer
The first problem is that the code at https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-awsutilities-commandrunner.git does not work... the repository has been abandoned.
The maslick repository listed in the accompanying shell script does work, if you pull the correct branch (also in that shell script). You also need the correct role, which is also in this post.
Shell script to install CommandRunner using CloudShell:
############################################################################
# This script Configures Cloudshell and Builds and Deploys CommandRunner
# This script should work on a Linux Box
# Cloudshell resets when you change Roles
# Cloudshell invokes AWS Client using the current Portal Role.
# You must be in the correct Role before attempting to deploy.
# Use the IAMManagement role deployed by IAMManagement.yaml
# if you do not specify a Subnet you must have a Default VPC
# The subnet must be in an AZ that can support t3.micro
#############################################################################
#install java
sudo yum install java-1.8.0-openjdk-devel.x86_64 -y
java -version
#Following are the set of commands that need to be executed sequentially to install maven.
sudo wget http://repos.fedorapeople.org/repos/dchen/apache-maven/epel-apache-maven.repo -O /etc/yum.repos.d/epel-apache-maven.repo
sudo sed -i s/\$releasever/6/g /etc/yum.repos.d/epel-apache-maven.repo
sudo yum install -y apache-maven
mvn -v
#Install Git
# --> GIT is already present in cloudshell
#sudo yum install git
#git version
# Install Python (LINUX box), built from source
# https://tecadmin.net/install-python-3-8-amazon-linux/
cd /
sudo yum install gcc openssl-devel bzip2-devel libffi-devel zlib-devel -y
cd /opt
sudo wget https://www.python.org/ftp/python/3.8.12/Python-3.8.12.tgz
sudo tar xzf Python-3.8.12.tgz
cd Python-3.8.12
sudo ./configure --enable-optimizations
# altinstall puts the interpreter at /usr/local/bin/python3.8 without touching the system python3
sudo make altinstall
sudo rm -f /opt/Python-3.8.12.tgz
python3.8 --version
python3 --version #(should be 3.8)
# Make Python3.8 default
# https://tech.serhatteker.com/post/2019-12/upgrade-python38-on-ubuntu/
whereis python3.8
sudo update-alternatives --install /usr/bin/python3 python3 /usr/local/bin/python3.8 1
sudo update-alternatives --set python3 /usr/local/bin/python3.8
python3 --version #(should be 3.8)
#Install cfn (CloudFormation CLI and its language plugins)
pip3 install cloudformation-cli cloudformation-cli-java-plugin cloudformation-cli-go-plugin cloudformation-cli-python-plugin cloudformation-cli-typescript-plugin
#Install AWS CLI 2
# --> AWS CLI is already present in cloudshell
#curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
#unzip awscliv2.zip
#sudo yum install awscli -y
#aws --version
# AWS CLI is already using the current role in cloudshell
#aws configure
#get the source
#maslick has the working version.
#the git referred to in AWS docs is unmaintained and does not work.
cd ~
git clone https://github.com/maslick/aws-cloudformation-resource-providers-awsutilities-commandrunner.git
cd ~/aws-cloudformation-resource-providers-awsutilities-commandrunner
git checkout fix-null-sg
#build it
# point "python" at the interpreter installed by "make altinstall" above
alias python="/usr/local/bin/python3.8"
clear
cd ~/aws-cloudformation-resource-providers-awsutilities-commandrunner
./scripts/build.sh
Also included is the YAML for the assumed role that CloudShell runs under (I pulled it from another project; it is handy if you need an admin-level install):
AWSTemplateFormatVersion: "2010-09-09"
Metadata:
  Generator: "former2"
Description: "Provides permissions for managing Roles and Policies. Required by IAMTouchworks.yaml. Disable these roles by re-deploying and setting allowIAMAssumption=No"
Parameters:
  environment:
    Description: "Environment Name"
    Type: String
    Default: "Sandbox-1"
  environmentShort:
    Description: "Environment Name (Short)"
    Type: String
    Default: "S1"
  allowIAMAssumption:
    Description: "Allow IAM Assumption Policy"
    Type: String
    Default: "No"
    AllowedValues:
      - "No"
      - "YES"
    ConstraintDescription: "Yes or No"
Conditions:
  IAMAssumptionCondition: !Equals
    - !Ref allowIAMAssumption
    - "YES"
Resources:
  IAMManagementPolicy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: IAMManagement
      Path: "/"
      PolicyDocument: |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "cloudformation:*",
                "cloudshell:*",
                "s3:*",
                "sns:*",
                "kms:*"
              ],
              "Resource": "*"
            },
            {
              "Effect": "Allow",
              "Action": [
                "ec2:DescribeAccountAttributes",
                "sts:GetCallerIdentity",
                "access-analyzer:ListPolicyGenerations"
              ],
              "Resource": "*"
            },
            {
              "Effect": "Allow",
              "Action": [
                "iam:List*",
                "iam:Get*",
                "iam:Update*",
                "iam:Delete*"
              ],
              "Resource": "*"
            },
            {
              "Effect": "Allow",
              "Action": [
                "iam:AddRoleToInstanceProfile",
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:GetInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:DeleteRolePolicy",
                "iam:ListPolicies",
                "iam:ListRoles",
                "iam:ListUserPolicies",
                "iam:CreateAccessKey",
                "iam:UpdateAccessKey",
                "iam:TagUser",
                "iam:PutUserPolicy",
                "iam:ListEntitiesForPolicy",
                "iam:DeleteAccessKey",
                "iam:ListAccessKeys",
                "iam:ListAttachedUserPolicies",
                "iam:ListSigningCertificates",
                "iam:ListSSHPublicKeys",
                "iam:ListServiceSpecificCredentials",
                "iam:DeleteUserPolicy",
                "iam:GenerateServiceLastAccessedDetails"
              ],
              "Resource": "*"
            },
            {
              "Effect": "Allow",
              "Action": [
                "iam:AddUserToGroup",
                "iam:AttachRolePolicy",
                "iam:AttachUserPolicy",
                "iam:CreateGroup",
                "iam:CreateRole",
                "iam:CreatePolicy",
                "iam:CreatePolicyVersion",
                "iam:CreateUser",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy",
                "iam:DetachUserPolicy",
                "iam:DeleteGroup",
                "iam:DeleteGroupPolicy",
                "iam:DeleteUser",
                "iam:GetGroup",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:GetPolicy",
                "iam:GetUser",
                "iam:DeletePolicy",
                "iam:GetPolicyVersion",
                "iam:ListAttachedRolePolicies",
                "iam:ListInstanceProfilesForRole",
                "iam:ListRolePolicies",
                "iam:ListPolicyVersions",
                "iam:ListGroups",
                "iam:ListUsers",
                "iam:DeletePolicyVersion",
                "iam:PassRole",
                "iam:PutRolePolicy",
                "iam:PutGroupPolicy",
                "iam:RemoveUserFromGroup",
                "iam:TagRole"
              ],
              "Resource": "*"
            }
          ]
        }
  IAMManagementRole:
    Type: "AWS::IAM::Role"
    Properties:
      Path: "/"
      RoleName: "IAMManagement"
      AssumeRolePolicyDocument:
        Fn::If:
          - IAMAssumptionCondition
          - Fn::Sub: |
              {
                "Version": "2012-10-17",
                "Statement": [
                  {
                    "Effect": "Allow",
                    "Principal": {
                      "AWS": ["arn:aws:iam::${AWS::AccountId}:role/CSS-Customer-Admin"]
                    },
                    "Action": "sts:AssumeRole"
                  }
                ]
              }
          - Fn::Sub: |
              {
                "Version": "2012-10-17",
                "Statement": [
                  {
                    "Effect": "Deny",
                    "Principal": {
                      "AWS": [
                        "*"
                      ]
                    },
                    "Action": "sts:AssumeRole"
                  }
                ]
              }
      MaxSessionDuration: 3600
      ManagedPolicyArns:
        - !Ref IAMManagementPolicy
      Tags:
        - Key: "Environment"
          Value:
            Ref: environment
        - Key: "Environment-Short"
          Value:
            Ref: environmentShort
        - Key: "Purpose"
          Value: "Role"
        - Key: "Application"
          Value: "Infrastructure"
        - Key: "Description"
          Value: "Allows IAM Role-Policy Management"
An important but simple test CF to verify that CommandRunner can use the AWS CLI:
#!!! THE RELEASE DOES NOT WORK !!!!
#To actually get this to work, you have to follow these instructions to build the tool yourself.
#https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-awsutilities-commandrunner/issues/24
#https://github.com/maslick/aws-cloudformation-resource-providers-awsutilities-commandrunner/tree/fix-null-sg
#CommandRunner Documentation
#https://aws.amazon.com/premiumsupport/knowledge-center/cloudformation-commandrunner-stack/
#https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-awsutilities-commandrunner#prerequisites
# This script Assumes Default VPC Exists
AWSTemplateFormatVersion: 2010-09-09
Description: AWS CLI version
Resources:
  LogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub "/command-runner/${AWS::StackName}/"
      RetentionInDays: 14
  Role:
    Type: AWS::IAM::Role
    Properties:
      Description: "Role assumed by Command Runner"
      MaxSessionDuration: 14400
      Path: "/"
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy
        - arn:aws:iam::aws:policy/AmazonS3FullAccess
  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      Roles:
        - !Ref Role
  CommandRunner:
    Type: AWSUtility::CloudFormation::CommandRunner
    Properties:
      LogGroup: !Ref LogGroup
      Role: !Ref InstanceProfile
      #SubnetId: YOUR_SUBNET_ID
      Command: |
        aws s3 ls | sed -n 1p | cut -d " " -f3 \
        > /command-output.txt
        # aws --version 2>&1 \
        # | tail -1 \
        # | head -n 1 \
        # > /command-output.txt
        # aws s3 ls | sed -n 1p | cut -d " " -f3 > /command-output.txt
Outputs:
  CommandRunnerOutput:
    Description: CommandRunnerOutput
    Value: !GetAtt CommandRunner.Output
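The error in the question is a missing IAM grant (ec2:TerminateInstances), and the IAMManagement policy in the answer grants several services as `service:*` on `Resource: "*"`; before deploying such a policy it helps to check offline what it does and does not allow. The following is an added Python example, not code from the answer or from the CommandRunner project: `allows` applies simplified IAM evaluation semantics (explicit Deny wins, then any matching Allow; Condition, NotAction and NotResource are not modelled) and `wildcard_grants` lists the whole-service grants, run over a constructed, trimmed copy of the policy above.

```python
import fnmatch
import json

# Constructed sample: a trimmed copy of the IAMManagementPolicy document above.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["cloudformation:*", "cloudshell:*", "s3:*", "sns:*", "kms:*"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:DescribeAccountAttributes", "sts:GetCallerIdentity"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:List*", "iam:Get*", "iam:Update*", "iam:Delete*"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole", "iam:CreateRole", "iam:AttachRolePolicy"],
     "Resource": "*"}
  ]
}""")

def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def _action_matches(pattern, action):
    # Action names match case-insensitively; * and ? are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def allows(policy, action, resource="*"):
    """Simplified evaluation (assumption of this example): an explicit Deny
    wins; otherwise any matching Allow grants the action on the resource."""
    granted = False
    for stmt in policy["Statement"]:
        if not any(_action_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            continue
        # Resource ARN patterns are case-sensitive; * and ? are wildcards.
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        granted = True
    return granted

def wildcard_grants(policy):
    """Service prefixes granted as 'service:*' (or a bare '*') on Resource '*'."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for act in _as_list(stmt.get("Action", [])):
            if act == "*" or act.endswith(":*"):
                found.add(act.split(":")[0])
    return sorted(found)
```

Running `allows(POLICY, "ec2:TerminateInstances")` returns False, which is the situation the question's error message describes, while `wildcard_grants(POLICY)` lists the five services granted in full.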
A similar question about aws-cloudformation - AWSUtility::CloudFormation::CommandRunner failing with "You do not have permissions to make the TerminateInstances API call" can be found on Stack Overflow: https://stackoverflow.com/questions/70177522/