
I have an AWS auto scaling group controlled by a server that predicts the incoming load and scales up/down as needed. The server needs autoscaling API permissions with the minimum required privileges.

My problem is restricting the server to one specific auto scaling group defined in the resource field. All the policy examples I have found so far only use "*" in the resource field, which, if I'm not mistaken, means it can access all auto scaling groups.

data "aws_iam_policy_document" "default" {
  statement {
    sid    = "S3PolicyStmtNodeAutoscalingApiCalls"
    effect = "Allow"

    actions   = [
      "autoscaling:DescribeAutoScalingGroups",
      "autoscaling:SetDesiredCapacity",
      "autoscaling:TerminateInstanceInAutoScalingGroup"
    ]

    resources = [ var.autoscaling_group_arn ]
  }
}

Implemented through Terraform, this translates into the following JSON policy (auto scaling group ARN obfuscated):

resource "aws_iam_policy" "aws_api_access" {
  arn    = "arn:aws:iam::123456789123:policy/aws-api-access"
  id     = "arn:aws:iam::123456789123:policy/aws-api-access"
  name   = "aws-api-access"
  path   = "/"
  policy = jsonencode({
    Statement = [
      {
        Action   = [
          "autoscaling:TerminateInstanceInAutoScalingGroup",
          "autoscaling:SetDesiredCapacity",
          "autoscaling:DescribeAutoScalingGroups",
        ]
        Effect   = "Allow"
        Resource = "arn:aws:autoscaling:region:accountid:autoScalingGroup:id:autoScalingGroupName/name"
        Sid      = "S3PolicyStmtAutoscalingApiCalls"
      }
    ]
    Version   = "2012-10-17"
  })
}

The error is AccessDenied: User: arn:aws:sts::id:assumed-role/role_name/i-instance-id is not authorized to perform: autoscaling:DescribeAutoScalingGroups

So far I have only gotten it running with a wildcard in the resource attribute; any hints are appreciated.


1 Answer


The solution was in the comments: splitting autoscaling:DescribeAutoScalingGroups out from the rest fixed the problem of not being able to specify the auto scaling group in the resource field.

data "aws_iam_policy_document" "default" {
  statement {
    sid    = "S3PolicyStmtNodeAutoscalingApiCalls"
    effect = "Allow"

    actions   = [
      "autoscaling:SetDesiredCapacity",
      "autoscaling:TerminateInstanceInAutoScalingGroup"
    ]

    resources = [ var.autoscaling_group_arn ]
  }

  statement {
    sid    = "S3PolicyStmtNodeAutoscalingDescribe"
    effect = "Allow"

    actions   = [
      "autoscaling:DescribeAutoScalingGroups"
    ]

    resources = [ "*" ]
  }
}
answered 2020-04-23T11:30:57.350
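As an added example (not code from the question or the answer above), a small Python checker that encodes the point of the accepted fix: an action that does not support resource-level permissions must be granted on "*", while the mutating actions stay pinned to the group ARN. The RESOURCE_LEVEL table and SAMPLE_POLICY are constructed from the three actions on this page and are assumptions, not an AWS-published list.

```python
import json

# Assumed table: whether each action accepts a resource ARN. Limited to the three
# actions on this page. DescribeAutoScalingGroups does not, so it must be granted
# on "*"; the two mutating actions can be pinned to the autoscaling group ARN.
RESOURCE_LEVEL = {
    "autoscaling:DescribeAutoScalingGroups": False,
    "autoscaling:SetDesiredCapacity": True,
    "autoscaling:TerminateInstanceInAutoScalingGroup": True,
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def lint_statement(stmt):
    """Report actions that will be denied (scoped but unscopable) or over-broad."""
    findings = []
    resources = _as_list(stmt["Resource"])
    for action in _as_list(stmt["Action"]):
        supports_arn = RESOURCE_LEVEL.get(action)
        if supports_arn is None:
            findings.append(f"{action}: not in RESOURCE_LEVEL table, cannot judge")
        elif not supports_arn and resources != ["*"]:
            findings.append(f"{action}: no resource-level support, scoping to an ARN yields AccessDenied")
        elif supports_arn and "*" in resources:
            findings.append(f"{action}: accepts an ARN but is granted on '*' (over-broad)")
    return findings

def split_statement(stmt):
    """Split a statement into an ARN-scoped part and a '*' part, as the answer does."""
    actions = _as_list(stmt["Action"])
    unknown = [a for a in actions if a not in RESOURCE_LEVEL]
    if unknown:  # never silently widen an action we know nothing about
        raise ValueError(f"unknown actions, extend RESOURCE_LEVEL first: {unknown}")
    scoped = [a for a in actions if RESOURCE_LEVEL[a]]
    unscoped = [a for a in actions if not RESOURCE_LEVEL[a]]
    out = []
    if scoped:
        out.append({**stmt, "Action": scoped, "Resource": _as_list(stmt["Resource"])})
    if unscoped:
        out.append({**stmt, "Sid": stmt.get("Sid", "") + "Wildcard", "Action": unscoped, "Resource": ["*"]})
    return out

def fix_policy(policy):
    return {**policy, "Statement": [s for st in policy["Statement"] for s in split_statement(st)]}

# Constructed sample mirroring the question's single-statement policy (placeholder ARN).
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "S3PolicyStmtAutoscalingApiCalls", "Effect": "Allow",
    "Action": ["autoscaling:TerminateInstanceInAutoScalingGroup",
               "autoscaling:SetDesiredCapacity", "autoscaling:DescribeAutoScalingGroups"],
    "Resource": "arn:aws:autoscaling:us-east-1:123456789012:autoScalingGroup:uuid:autoScalingGroupName/web"}]}

if __name__ == "__main__":
    for f in lint_statement(SAMPLE_POLICY["Statement"][0]):
        print("finding:", f)
    print(json.dumps(fix_policy(SAMPLE_POLICY), indent=2))
```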