amazon-ec2 - Boto3 自定义服务员因没有资源权限而被拒绝

Question

我正在尝试创建一个自定义服务员，以便在 rds 数据库集群恢复到某个时间点时恢复 boto3 脚本。 (我正在尝试根据我的需要调整此方法:https://medium.com/@Kentzo/customizing-botocore-waiters-83badbfd6399)除了有关自定义服务员的薄文档外，这似乎应该很简单，但我遇到了权限问题。我运行脚本的 EC2 容器具有运行 rds:DescribeDBClusters 的权限，我可以像这样在脚本中使用权限:

# Check on the cluster
response = rds.describe_db_clusters(
    DBClusterIdentifier=db_cluster_identifier,
)
status = response['DBClusters'][0]['Status']
print(status)
available

但是当我设置一个自定义服务员来监控这个时，我收到以下错误:

botocore.exceptions.WaiterError: Waiter DbClusterRestored failed: User: arn:aws:sts::123456789012:assumed-role/OrgIamRole/i-1234567890abcdef is not authorized to perform: rds:DescribeDBClusters

也许我遗漏了一些明显的东西，但我不明白为什么服务员缺少执行创建服务员的脚本允许执行的操作的权限。

容器权限如下所示:

"OrgIamPolicy": {
  "Type": "AWS::IAM::Policy",
  "Properties": {
    "PolicyName": "OrgIamPolicy",
    "Roles": [
      {
        "Ref": "OrgIamRole"
      }
    ],
    "PolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "rds:DescribeDBClusters"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:rds:us-east-1:123456789012:*"
          ]
        }
      ]
    }
  }
}

这是我恢复集群和设置服务员的代码:

import boto3
import botocore
import os
import subprocess


rds = boto3.client('rds')

db_cluster_target_instance = 'orgstagingrdsinstance'
db_instance_identifier = 'backupinstance'
db_instance_class = 'db.t2.medium'
target_db_cluster_identifier = "org-backup-cluster"
source_db_cluster_identifier = "org-staging-rds-cluster"


# Create the cluster
response = rds.restore_db_cluster_to_point_in_time(
  DBClusterIdentifier=target_db_cluster_identifier,
  RestoreType='copy-on-write',
  SourceDBClusterIdentifier=source_db_cluster_identifier,
  UseLatestRestorableTime=True
)


# Check on the cluster
response = rds.describe_db_clusters(
    DBClusterIdentifier=db_cluster_identifier,
)
status = response['DBClusters'][0]['Status']
print(status)


# Create waiter
delay = 10
max_attempts = 30
waiter_name = "DbClusterRestored"

model = botocore.waiter.WaiterModel({
  "version": 2,
  "waiters": {
    "DbClusterRestored": {
      "operation": "DescribeDBClusters",
      "delay": delay,
      "maxAttempts": max_attempts,
      "acceptors": [
        {
          "matcher": "pathAll",
          "expected": "available",
          "state": "success",
          "argument": "DBClusters[].Status"
        },
        {
          "matcher": "pathAll",
          "expected": "deleting",
          "state": "failure",
          "argument": "DBClusters[].Status"
        },
        {
          "matcher": "pathAll",
          "expected": "creating",
          "state": "failure",
          "argument": "DBClusters[].Status"
        },
      ]
    }
  }
})

waiter = botocore.waiter.create_waiter_with_client(waiter_name, model, rds)
waiter.wait() 

显然，我已经删减了这段代码，并且混淆了个人数据。对于可能引入的任何错误，我们深表歉意。

感谢您提供的任何帮助。

Answer 1

好吧，这个问题的答案似乎很简单。问题在于请求的范围。用户有权在以下资源上运行它:

"Resource": [
  "arn:aws:rds:us-east-1:123456789012:*"
]

当我运行时

response = rds.describe_db_clusters(
    DBClusterIdentifier=db_cluster_identifier,
)

我将范围限制在 arn:aws:rds:us-east-1:123456789012:* 中的集群。当我跑的时候

waiter = botocore.waiter.create_waiter_with_client(waiter_name, model, rds)
waiter.wait() 

我没有传递那个约束。我需要运行的是

waiter = botocore.waiter.create_waiter_with_client(waiter_name, model, rds)
waiter.wait(DBClusterIdentifier=db_cluster_identifier) 

这传递了必要的约束并确保权限范围与请求相匹配。

我希望这对处于类似情况的人有所帮助。