为 IAM 角色添加权限
Adding permission to IAM role
我想为我的实例的 IAM 角色添加权限以允许使用 Cloudwatch 日志服务。查看服务的 Configuration Guide 后,我看到以下段落:
The CloudWatch Logs agent supports IAM roles and users.
If your instance already has an IAM role associated with it, make sure that you include the IAM policy below.
If you don't already have an IAM role assigned to your instance,
you'll need to use your IAM credentials for the next steps because you cannot assign an IAM role to an existing instance;
you can only specify a role when you launch a new instance.
我很难理解这到底是什么意思。当我创建一个新实例时,我使用 CloudWatchLogsFullAccess 策略和配置指南告诉您添加的内联策略创建了一个 IAM 角色:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogStreams"
],
"Resource": [
"arn:aws:logs:*:*:*"
]
}
]
}
这是针对新实例的,但是上面的段落让我对向现有实例添加权限感到困惑。我可以只将 CloudWatchLogsFullAccess 策略添加到现有实例的角色以及该内联策略吗?
虽然 IAM 角色确实只能在实例启动期间分配给实例,但 AWS 于 2017 年 2 月宣布现在可以将 IAM 角色替换或附加到现有实例。
使用 AWS 控制台:Easily Replace or Attach an IAM Role to an Existing EC2 Instance by Using the EC2 Console
使用 AWS CLI:Attach an AWS IAM Role to an Existing Amazon EC2 Instance by Using the AWS CLI
我想为我的实例的 IAM 角色添加权限以允许使用 Cloudwatch 日志服务。查看服务的 Configuration Guide 后,我看到以下段落:
The CloudWatch Logs agent supports IAM roles and users.
If your instance already has an IAM role associated with it, make sure that you include the IAM policy below.
If you don't already have an IAM role assigned to your instance,
you'll need to use your IAM credentials for the next steps because you cannot assign an IAM role to an existing instance;
you can only specify a role when you launch a new instance.
我很难理解这到底是什么意思。当我创建一个新实例时,我使用 CloudWatchLogsFullAccess 策略和配置指南告诉您添加的内联策略创建了一个 IAM 角色:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogStreams"
],
"Resource": [
"arn:aws:logs:*:*:*"
]
}
]
}
这是针对新实例的,但是上面的段落让我对向现有实例添加权限感到困惑。我可以只将 CloudWatchLogsFullAccess 策略添加到现有实例的角色以及该内联策略吗?
虽然 IAM 角色确实只能在实例启动期间分配给实例,但 AWS 于 2017 年 2 月宣布现在可以将 IAM 角色替换或附加到现有实例。
使用 AWS 控制台:Easily Replace or Attach an IAM Role to an Existing EC2 Instance by Using the EC2 Console
使用 AWS CLI:Attach an AWS IAM Role to an Existing Amazon EC2 Instance by Using the AWS CLI