gpt4 book ai didi

amazon-web-services - AWS 管理员没有 EC2 描述操作

转载 作者:行者123 更新时间:2023-12-03 07:23:24 26 4
gpt4 key购买 nike

我拥有 AdministratorAccess 的 IAM 角色,但是当我将自定义模板上传到 AWS CloudFormation 时,我收到以下错误:

Operation failed, ComputeEnvironment went INVALID with error:CLIENT_ERROR - You are not authorized to call EC2 Describe operations.It is required to perform CreateLaunchConfiguration operation.

所有其他资源似乎都已成功完成,因此我不确定是否发生了某种角色委托(delegate)?

最佳答案

您可能受到 Service Control Policies 的影响(SCP)或通过Permission Boundaries甚至其他 policy types .

关于 SCP:

An SCP restricts permissions for IAM users and roles in memberaccounts, including the member account's root user. Any account hasonly those permissions permitted by every parent above it. If apermission is blocked at any level above the account, eitherimplicitly (by not being included in an Allow policy statement) orexplicitly (by being included in a Deny policy statement), a user orrole in the affected account can't use that permission, even if theaccount administrator attaches the AdministratorAccess IAM policy with/ permissions to the user.

另请参阅How to use service control policies to set permission guardrails across accounts in your AWS Organization

this article州,

The member accounts of an AWS Organization are unable to see the SCPsthat have been applied to them. Further, when actions are denied,there is no way to know whether that is due to an IAM policy, an SCP,or something else (ex. session policy, IAM boundary, resource policy).This means there will be no indication in the error message from anAPI call or in the CloudTrail log to show what denied the call. Thiscan make debugging issues difficult.

This article有一些有用的图表,显示了可能影响/限制访问的不同因素。

关于amazon-web-services - AWS 管理员没有 EC2 描述操作,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/68213696/

26 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com