amazon-web-services - 启用 InstanceMetadataTags 时权限不足 `run-instance`

Question

我遇到一个问题，我无法理解它为什么会这样工作。

我有一个 CloudFormation 模板，它提供以下访问权限:

- Effect: Allow
  Action:
    - ec2:RunInstances
    - ec2:ModifyInstanceAttribute
  Resource:
    - 'Fn::Join': [ '', [ 'arn:aws:ec2:' ,Ref: 'AWS::Region', ':',Ref: 'AWS::AccountId', ':instance/*']]
    - 'Fn::Join': [ '', [ 'arn:aws:ec2:' ,Ref: 'AWS::Region', ':',Ref: 'AWS::AccountId', ':key-pair/*']]
    - 'Fn::Join': [ '', [ 'arn:aws:ec2:' ,Ref: 'AWS::Region', ':',Ref: 'AWS::AccountId', ':security-group/', Ref: DBSecurityGroup ]]
    - 'Fn::Join': [ '', [ 'arn:aws:ec2:' ,Ref: 'AWS::Region', ':',Ref: 'AWS::AccountId', ':volume/*']]
    - 'Fn::Join': [ '', [ 'arn:aws:ec2:' ,Ref: 'AWS::Region', ':',Ref: 'AWS::AccountId', ':network-interface/**']]
    - 'Fn::Join': [ '', [ 'arn:aws:ec2:' ,Ref: 'AWS::Region', ':',Ref: 'AWS::AccountId', ':subnet/', Ref: Subnet ]]
    - 'Fn::Join': [ '', [ 'arn:aws:ec2:' ,Ref: 'AWS::Region', ':',Ref: 'AWS::AccountId', ':placement-group/*']]
    - 'Fn::Join': [ '', [ 'arn:aws:ec2:',Ref: 'AWS::Region', '::image/ami-**']]

到机器。

机器可以使用此角色调用run-instances，一切正常。

如果我启用元数据标签，如下所示:

  InstanceEnableTagsMetadata:
    Type: 'AWS::EC2::LaunchTemplate'
    Properties:
      LaunchTemplateData:
        MetadataOptions:
          InstanceMetadataTags: enabled

run-instance 调用因权限不足而停止工作。

错误消息如下所示:

API: ec2:RunInstances You are not authorized to perform this operation. Encoded authorization failure message: OTMSE3dUu3XO...

可能是什么问题？

Answer 1

当我解码编码消息时，我得到以下内容:

$ aws sts decode-authorization-message --encoded-message Uz9... \
| jq -r .DecodedMessage | jq .
# [here comes a big JSON with details]

我们在解码中看到，失败的操作是launch-template:

        {
          "key": "aws:Resource",
          "values": {
            "items": [
              {
                "value": "launch-template/lt-"
              }
            ]
          }
        },

这意味着，launch-template 应添加到允许的操作列表中。

(感谢@ZabielskiGabriel 的提示)