Using an AWS Auto Scaling group controlled by a server that predicts the incoming load and scales up/down as needed. The server needs Auto Scaling API permissions with the least required privileges.
My problem is restricting the server to only the specific Auto Scaling group defined in the resource field. All the policy examples I have found so far use only "*" in the resource field, which, if I remember correctly, means it would have access to all Auto Scaling groups.
    data "aws_iam_policy_document" "default" {
      statement {
        sid    = "S3PolicyStmtNodeAutoscalingApiCalls"
        effect = "Allow"
        actions = [
          "autoscaling:DescribeAutoScalingGroups",
          "autoscaling:SetDesiredCapacity",
          "autoscaling:TerminateInstanceInAutoScalingGroup"
        ]
        resources = [ var.autoscaling_group_arn ]
      }
    }
Applied through Terraform, this translates into the following JSON policy (Auto Scaling group ARN obfuscated):
    resource "aws_iam_policy" "aws_api_access" {
      arn    = "arn:aws:iam::123456789123:policy/aws-api-access"
      id     = "arn:aws:iam::123456789123:policy/aws-api-access"
      name   = "aws-api-access"
      path   = "/"
      policy = jsonencode({
        Statement = [
          {
            Action = [
              "autoscaling:TerminateInstanceInAutoScalingGroup",
              "autoscaling:SetDesiredCapacity",
              "autoscaling:DescribeAutoScalingGroups",
            ]
            Effect   = "Allow"
            Resource = "arn:aws:autoscaling:region:acountid:autoScalingGroup:id:autoScalingGroupName/name"
            Sid      = "S3PolicyStmtAutoscalingApiCalls"
          }
        ]
        Version = "2012-10-17"
      })
    }
The error is AccessDenied: User: arn:aws:sts::id:assumed-role/role_name/i-instance-id is not authorized to perform: autoscaling:DescribeAutoScalingGroups
So far I have only run it with the wildcard in the resource attribute. Any hints are appreciated.
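The failing action in the error above is the Describe call, and in the Auto Scaling service the `Describe*` actions are not resource-level actions: they are only authorized when the statement's resource is `"*"`. The mutating actions (`SetDesiredCapacity`, `TerminateInstanceInAutoScalingGroup`) do support the `autoScalingGroup` resource type, so they can stay pinned to a single ARN. The following is an added example, not code from the question, showing the policy split into two statements; `var.autoscaling_group_arn` is assumed to hold the ARN of the one group the server may manage and the policy name is a placeholder.

```hcl
# Added example (not the question's own code): least-privilege policy document for
# a server that scales exactly one Auto Scaling group.
# Assumption: var.autoscaling_group_arn is the ARN of that single group.

variable "autoscaling_group_arn" {
  description = "ARN of the single Auto Scaling group the server may manage"
  type        = string
}

data "aws_iam_policy_document" "autoscaling_least_privilege" {
  # Describe* actions in Auto Scaling carry no resource type, so the only
  # resource value that authorizes them is "*". Scoping this statement to an
  # ARN is what produces the AccessDenied on DescribeAutoScalingGroups.
  statement {
    sid       = "DescribeAutoScalingGroups"
    effect    = "Allow"
    actions   = ["autoscaling:DescribeAutoScalingGroups"]
    resources = ["*"]
  }

  # Mutating actions support the autoScalingGroup resource type, so they are
  # restricted to the one group ARN. Any other group stays out of reach.
  statement {
    sid    = "ScaleOneGroupOnly"
    effect = "Allow"
    actions = [
      "autoscaling:SetDesiredCapacity",
      "autoscaling:TerminateInstanceInAutoScalingGroup",
    ]
    resources = [var.autoscaling_group_arn]
  }
}

resource "aws_iam_policy" "autoscaling_least_privilege" {
  name   = "autoscaling-least-privilege" # placeholder name
  policy = data.aws_iam_policy_document.autoscaling_least_privilege.json
}
```

The cost of the wildcard on the Describe statement is read access to metadata of every group in the account, which is the minimum the service allows; the write path remains limited to the named ARN, which is the part that matters for blast radius. Before attaching the policy, `aws iam simulate-principal-policy --policy-source-arn <role ARN> --action-names autoscaling:SetDesiredCapacity --resource-arns <some other group's ARN>` should report `implicitDeny`, while the same call against the intended ARN should report `allowed`.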