I have a script that creates this JSON EC2 Image Builder recipe:
{
    "name": "MyRecipe",
    "description": "Create image recipe.",
    "semanticVersion": "1.1.0",
    "components": [
        {
            "componentArn": "arn:aws:imagebuilder:us-east-1:MyAccountID:component/MyComponent"
        }
    ],
    "parentImage": "ami-05d47d29a4c2d19e1"
}
Then I run this command to deploy it:
aws imagebuilder create-image-recipe --cli-input-json file:///tmp/tmpuvshobis/create-recipe.json
parentImage should point to the Ubuntu 22.04 LTS arm64 AMI.
Deploying with an account that has these permission policies succeeds:
AmazonEC2FullAccess
AmazonS3FullAccess
AWSImageBuilderFullAccess
But it fails when using a role with limited permissions:
Standard error:
An error occurred (InvalidParameterValueException) when calling the CreateImageRecipe operation: The value supplied for parameter 'parentImage' is not valid. You are not authorized to use the provided image.
The role has the following permissions:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ecr:UntagResource",
                "ecr:CompleteLayerUpload",
                "ecr:TagResource",
                "ec2:ModifyLaunchTemplate",
                "ecr:UploadLayerPart",
                "ecr:InitiateLayerUpload",
                "ec2:CreateLaunchTemplateVersion",
                "ecr:PutImage",
                "sts:AssumeRoleWithWebIdentity",
                "imagebuilder:CreateComponent",
                "imagebuilder:UpdateImagePipeline",
                "imagebuilder:CreateImageRecipe",
                "imagebuilder:StartImagePipelineExecution",
                "imagebuilder:CreateImagePipeline",
                "imagebuilder:TagResource",
                "imagebuilder:UntagResource",
                "imagebuilder:GetComponent",
                "ec2:DescribeImages",
                "ec2:DescribeImageAttribute",
                "imagebuilder:ListImages",
                "imagebuilder:GetImage"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:MyAccountID:launch-template/lt-MyLaunchTemplate",
                "arn:aws:ecr:us-east-1:MyAccountID:repository/MyRepo",
                "arn:aws:imagebuilder:us-east-1:MyAccountID:image/*",
                "arn:aws:imagebuilder:us-east-1:MyAccountID:image-recipe/*/*",
                "arn:aws:imagebuilder:us-east-1:MyAccountID:image-pipeline/*",
                "arn:aws:imagebuilder:us-east-1:MyAccountID:component/*/*/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "ecr:GetAuthorizationToken",
            "Resource": "*"
        }
    ]
}
Which permissions is the role missing? It is not clear from the error message.
You are adding ec2 actions for the AMI, but then restricting them to a resource that only includes the EC2 launch template.
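As an added example, not code from the question or the answer: the script below embeds the role policy from the question (with its MyAccountID and lt-MyLaunchTemplate placeholders as constructed sample input), flags the scoping problem the answer points at, and emits a corrected policy. EC2 Describe* calls accept no resource ARN and are authorized only against Resource "*", so listing ec2:DescribeImages and ec2:DescribeImageAttribute in a statement whose Resource is a launch-template ARN effectively denies them; Image Builder needs those calls to validate parentImage. The ec2:Describe* prefix rule is a deliberately narrow starter set and an assumption of this example, not an exhaustive table from AWS.

```python
import json

# Role policy from the question, embedded as constructed sample input.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ecr:UntagResource", "ecr:CompleteLayerUpload", "ecr:TagResource",
                "ec2:ModifyLaunchTemplate", "ecr:UploadLayerPart",
                "ecr:InitiateLayerUpload", "ec2:CreateLaunchTemplateVersion",
                "ecr:PutImage", "sts:AssumeRoleWithWebIdentity",
                "imagebuilder:CreateComponent", "imagebuilder:UpdateImagePipeline",
                "imagebuilder:CreateImageRecipe",
                "imagebuilder:StartImagePipelineExecution",
                "imagebuilder:CreateImagePipeline", "imagebuilder:TagResource",
                "imagebuilder:UntagResource", "imagebuilder:GetComponent",
                "ec2:DescribeImages", "ec2:DescribeImageAttribute",
                "imagebuilder:ListImages", "imagebuilder:GetImage",
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:MyAccountID:launch-template/lt-MyLaunchTemplate",
                "arn:aws:ecr:us-east-1:MyAccountID:repository/MyRepo",
                "arn:aws:imagebuilder:us-east-1:MyAccountID:image/*",
                "arn:aws:imagebuilder:us-east-1:MyAccountID:image-recipe/*/*",
                "arn:aws:imagebuilder:us-east-1:MyAccountID:image-pipeline/*",
                "arn:aws:imagebuilder:us-east-1:MyAccountID:component/*/*/*",
            ],
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "ecr:GetAuthorizationToken",
            "Resource": "*",
        },
    ],
}


def as_list(value):
    """IAM allows a string or a list for Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def requires_wildcard_resource(action: str) -> bool:
    """Starter rule (assumption of this example): EC2 Describe* actions have
    no resource type and are only authorized when Resource includes "*"."""
    service, _, name = action.partition(":")
    return service == "ec2" and name.startswith("Describe")


def find_misscoped_actions(policy):
    """Return (Sid, action) pairs for Allow statements that grant a
    wildcard-only action but scope Resource to ARNs. Such grants never
    match a request, so the call fails as if the action were missing."""
    found = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in as_list(stmt.get("Resource", [])):
            continue
        for action in as_list(stmt.get("Action", [])):
            if requires_wildcard_resource(action):
                found.append((stmt.get("Sid"), action))
    return found


def split_wildcard_actions(policy):
    """Return a new policy: wildcard-only actions are removed from ARN-scoped
    Allow statements and collected into one read-only statement on "*".
    All other actions keep their original, narrow Resource list."""
    statements, moved = [], []
    for stmt in policy["Statement"]:
        actions = as_list(stmt.get("Action", []))
        if stmt.get("Effect") == "Allow" and "*" not in as_list(stmt.get("Resource", [])):
            moved.extend(a for a in actions if requires_wildcard_resource(a))
            stmt = {**stmt, "Action": [a for a in actions if not requires_wildcard_resource(a)]}
        statements.append(stmt)
    if moved:
        statements.append({
            "Sid": "DescribeActionsNeedWildcard",  # hypothetical Sid chosen for this example
            "Effect": "Allow",
            "Action": sorted(set(moved)),
            "Resource": "*",
        })
    return {**policy, "Statement": statements}


if __name__ == "__main__":
    print("misscoped:", find_misscoped_actions(QUESTION_POLICY))
    print(json.dumps(split_wildcard_actions(QUESTION_POLICY), indent=2))
```

Apply the emitted policy to the role and re-run the same `aws imagebuilder create-image-recipe` command; the launch-template, ECR and Image Builder ARN scoping is untouched, and the only grant widened to "*" is the read-only Describe pair.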