Lambda 无权向系统管理器中的托管实例添加标签
Lambda doesn't have permission to add tags to managed instances in systems manager
我在 AWS 中有一个多账户结构,其中有一个主账户和一个子账户。我正在关注此 guide 以便将标签从子实例传播到主帐户,一旦它们被激活并且我可以在主帐户(系统管理员)中管理实例。
到目前为止,一切正常,主账户中的 lambda 具有所需的所有标签。但是,无法将标签添加到系统管理器中的托管实例。不确定为什么角色仍然无法访问标签,给定权限...
这是我得到的错误:
[ERROR] 2019-03-29T09:14:02.419Z a00a68ba-9904-4199-bcae-cad75f6f5232 An error occurred (ValidationException) when calling the AddTagsToResource operation: Caller is an end user and not allowed to mutate system tags instanceId: mi-0d3bfce27d073c0f2
这是具有附加角色的 lambda 函数:
AWSTemplateFormatVersion: '2010-09-09'
Description: Management function that copies tags
Resources:
rSSMTagManagerRole:
Type: "AWS::IAM::Role"
Properties:
RoleName: Automation-SSMTagManagerRole
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Service:
- "lambda.amazonaws.com"
Action:
- "sts:AssumeRole"
Path: "/aws/"
Policies:
- PolicyName: "CopyInstanceTagsToSSMPolicy"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action:
- ssm:AddTagsToResource
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
- tag:*
Resource: "*"
fnSSMTagManager:
Type: AWS::Lambda::Function
Properties:
FunctionName: Automation-SSM-Tag-Manager
Handler: index.lambda_handler
Role: !GetAtt [rSSMTagManagerRole, Arn]
Description: >
Copies tags from the list of instances in the event
context to the specified managed instances.
Code:
ZipFile: |+
import boto3
import json
import logging
#setup simple logging for INFO
logger = logging.getLogger()
logger.setLevel( logging.WARN )
client = boto3.client( 'ssm' )
def lambda_handler( event, context ):
"""Copies tags from the list of instances in the event
context to the specified managed instances.
"""
for instance in event[ "instances" ]:
addTags( instance[ "instanceId" ], instance[ "tags" ] )
def addTags( resourceid, tags ):
logger.info( "Configuring " + resourceid + " with " + str(tags) )
try:
response = client.add_tags_to_resource(
ResourceType='ManagedInstance',
ResourceId=resourceid,
Tags=tags
)
logger.info( response )
return response
except Exception as e:
errorMessage = str(e) + "instanceId: " + resourceid
logger.error( errorMessage )
return errorMessage
Runtime: python3.6
Timeout: '90'
使用相同的指南。面临完全相同的错误。事实证明,代理帐户中的实例有太多(10 多个)标签,导致标签管理器出现此错误。修改了标签收集器 lambda 函数以仅传播特定标签而不是所有标签。这清除了错误。
我在 AWS 中有一个多账户结构,其中有一个主账户和一个子账户。我正在关注此 guide 以便将标签从子实例传播到主帐户,一旦它们被激活并且我可以在主帐户(系统管理员)中管理实例。
到目前为止,一切正常,主账户中的 lambda 具有所需的所有标签。但是,无法将标签添加到系统管理器中的托管实例。不确定为什么角色仍然无法访问标签,给定权限...
这是我得到的错误:
[ERROR] 2019-03-29T09:14:02.419Z a00a68ba-9904-4199-bcae-cad75f6f5232 An error occurred (ValidationException) when calling the AddTagsToResource operation: Caller is an end user and not allowed to mutate system tags instanceId: mi-0d3bfce27d073c0f2
这是具有附加角色的 lambda 函数:
AWSTemplateFormatVersion: '2010-09-09'
Description: Management function that copies tags
Resources:
rSSMTagManagerRole:
Type: "AWS::IAM::Role"
Properties:
RoleName: Automation-SSMTagManagerRole
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Service:
- "lambda.amazonaws.com"
Action:
- "sts:AssumeRole"
Path: "/aws/"
Policies:
- PolicyName: "CopyInstanceTagsToSSMPolicy"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action:
- ssm:AddTagsToResource
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
- tag:*
Resource: "*"
fnSSMTagManager:
Type: AWS::Lambda::Function
Properties:
FunctionName: Automation-SSM-Tag-Manager
Handler: index.lambda_handler
Role: !GetAtt [rSSMTagManagerRole, Arn]
Description: >
Copies tags from the list of instances in the event
context to the specified managed instances.
Code:
ZipFile: |+
import boto3
import json
import logging
#setup simple logging for INFO
logger = logging.getLogger()
logger.setLevel( logging.WARN )
client = boto3.client( 'ssm' )
def lambda_handler( event, context ):
"""Copies tags from the list of instances in the event
context to the specified managed instances.
"""
for instance in event[ "instances" ]:
addTags( instance[ "instanceId" ], instance[ "tags" ] )
def addTags( resourceid, tags ):
logger.info( "Configuring " + resourceid + " with " + str(tags) )
try:
response = client.add_tags_to_resource(
ResourceType='ManagedInstance',
ResourceId=resourceid,
Tags=tags
)
logger.info( response )
return response
except Exception as e:
errorMessage = str(e) + "instanceId: " + resourceid
logger.error( errorMessage )
return errorMessage
Runtime: python3.6
Timeout: '90'
使用相同的指南。面临完全相同的错误。事实证明,代理帐户中的实例有太多(10 多个)标签,导致标签管理器出现此错误。修改了标签收集器 lambda 函数以仅传播特定标签而不是所有标签。这清除了错误。