6

I can launch an ec2-instance with an iam-role in the management console, but I don't know how to launch an ec2-instance with an iam-role from the aws-ruby-sdk.

iam-role "test"'s Policy is here:
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*"

The result is as follows:

/var/lib/gems/1.8/gems/aws-sdk-1.7.1/lib/aws/core/client.rb:318:in `return_or_raise': 
You are not authorized to perform iam:PassRole with arn:aws:iam::xxxxxxxxxxx:role/test 
(AWS::EC2::Errors::UnauthorizedOperation)

1 Answer

9

The credentials you are using from your Ruby script do not have permission to launch an instance using the 'test' IAM Role. You need to modify the policy for this user, and grant it the IAM:PassRole permission, e.g.:

{
  "Statement": [{
      "Effect":"Allow",
      "Action":"ec2:RunInstances",
      "Resource":"*"
    },
    {
      "Effect":"Allow",
      "Action":"iam:PassRole",
      "Resource":"arn:aws:iam::xxxxxxxxxxx:role/test"
    }]
}

This is a security feature - it is possible to misconfigure IAM to allow privilege escalations, so AWS uses a "secure by default" policy.

You could also use this policy to allow your users to launch instances using any IAM role - but you should consider the security implications before doing this:

    {
      "Effect":"Allow",
      "Action":"iam:PassRole",
      "Resource":"*"
    }

Ref: http://docs.amazonwebservices.com/IAM/latest/UserGuide/role-usecase-ec2app.html

answered 2012-12-06T13:49:40.430
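The answer's point is that two separate grants are needed on the *caller's* policy (not on the role): `ec2:RunInstances` and `iam:PassRole` for the specific role ARN. The following Ruby is an added example, not code from the question or the answer, and it does not use the aws-sdk gem: it is a small offline pre-flight check that evaluates a caller policy document the way IAM does for these two actions (wildcard matching, case-insensitive action names, explicit Deny overriding Allow) and reports which grant is missing before the `RunInstances` call is made. The policy documents and the `xxxxxxxxxxx` account id are constructed samples copied from the style of the page; `NotAction`, `Condition` and resource-level ARNs for EC2 are deliberately not modelled, so the check only accepts a `"Resource":"*"` grant for `ec2:RunInstances` as the answer shows.

```ruby
require 'json'

# Constructed placeholder, same shape as the ARN in the question.
ROLE_ARN = 'arn:aws:iam::xxxxxxxxxxx:role/test'.freeze

# Constructed sample: the caller policy the answer proposes.
CALLER_POLICY_OK = {
  'Statement' => [
    { 'Effect' => 'Allow', 'Action' => 'ec2:RunInstances', 'Resource' => '*' },
    { 'Effect' => 'Allow', 'Action' => 'iam:PassRole', 'Resource' => ROLE_ARN }
  ]
}.freeze

# Constructed sample: a caller that may run instances but was never granted PassRole.
# This is the situation that produces the UnauthorizedOperation in the question.
CALLER_POLICY_EC2_ONLY = {
  'Statement' => [
    { 'Effect' => 'Allow', 'Action' => 'ec2:*', 'Resource' => '*' }
  ]
}.freeze

# Constructed sample: broad allow with an explicit deny on PassRole; the deny wins.
CALLER_POLICY_DENY_PASSROLE = {
  'Statement' => [
    { 'Effect' => 'Allow', 'Action' => '*', 'Resource' => '*' },
    { 'Effect' => 'Deny', 'Action' => 'iam:PassRole', 'Resource' => '*' }
  ]
}.freeze

# IAM-style glob match: "*" matches any run of characters, "?" a single one.
# Action names are case-insensitive; resource ARNs are compared case-sensitively.
def iam_match?(pattern, value, ignore_case)
  escaped = Regexp.escape(pattern).gsub('\*', '.*').gsub('\?', '.')
  Regexp.new("\\A#{escaped}\\z", ignore_case ? Regexp::IGNORECASE : 0).match?(value)
end

# Evaluate one action/resource pair against a policy document (Hash or JSON string).
# Semantics modelled: default deny, any matching Allow grants, any matching Deny
# overrides. Not modelled (assumption for this example): NotAction, NotResource, Condition.
def policy_allows?(policy, action, resource)
  doc = policy.is_a?(String) ? JSON.parse(policy) : policy
  allowed = false
  Array(doc['Statement']).each do |st|
    action_hit   = Array(st['Action']).any?   { |a| iam_match?(a, action, true) }
    resource_hit = Array(st['Resource']).any? { |r| iam_match?(r, resource, false) }
    next unless action_hit && resource_hit
    return false if st['Effect'] == 'Deny'   # explicit deny always wins
    allowed = true if st['Effect'] == 'Allow'
  end
  allowed
end

# Pre-flight for "launch an instance with instance profile <role_arn>":
# returns the list of required actions the caller policy does not grant.
def run_instances_preflight(policy, role_arn)
  required = { 'ec2:RunInstances' => '*', 'iam:PassRole' => role_arn }
  required.reject { |action, res| policy_allows?(policy, action, res) }.keys
end

if __FILE__ == $PROGRAM_NAME
  {
    'answer policy'       => CALLER_POLICY_OK,
    'ec2-only policy'     => CALLER_POLICY_EC2_ONLY,
    'deny-PassRole policy' => CALLER_POLICY_DENY_PASSROLE
  }.each do |name, pol|
    missing = run_instances_preflight(pol, ROLE_ARN)
    puts "#{name}: #{missing.empty? ? 'OK' : 'missing ' + missing.join(', ')}"
  end
end
```

Running the script reports that only the answer's policy passes; the EC2-only caller is told exactly which grant (`iam:PassRole`) it lacks, which is the same fact the SDK error message reports after the fact. Scoping the `iam:PassRole` resource to one role ARN, as the answer recommends, is what keeps a user who can run instances from attaching a more privileged role than intended.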