AWS Session Manager Exception for ListAssociation
I get the following error when running a health check on Session Manager on AWS:
amazon-ssm-agent[17614]: 2020-05-19 12:57:35 ERROR [MessagingDeliveryService] [Association] Unable to load instance associations, unable to retrieve associations unable to retrieve associations AccessDeniedException: User: arn:aws:sts::395456465418:assumed-role/SessionManagerInstanceProfile/i-02c8c2ae1dce2ce84 is not authorized to perform: ssm:ListAssociations on resource: arn:aws:ssm:ap-southeast-1:395456465418:*
I believe this is caused by insufficient permissions granted in the instance's IAM policy. But what additional access should I grant to resolve this error?
Below is the current inline policy, copied from the AWS documentation.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssmmessages:CreateControlChannel",
        "ssmmessages:CreateDataChannel",
        "ssmmessages:OpenControlChannel",
        "ssmmessages:OpenDataChannel",
        "ssm:UpdateInstanceInformation"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::ec2-sessionmanager-logs"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetEncryptionConfiguration"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "kms:GenerateDataKey",
      "Resource": "*"
    }
  ]
}
The error message states:
is not authorized to perform: ssm:ListAssociations
The action:
Grants permission to list the associations for a specified SSM document or managed instance
Therefore the policy should include: ssm:ListAssociations. Currently, the policy you posted in the question does not allow that action.
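A way to verify the answer's diagnosis before touching the instance profile, added here as an example and not part of the question or answer: it evaluates the Action dimension of the policy posted above (explicit Deny beats Allow, unmatched actions are implicitly denied, wildcards such as ssm:List* are honoured case-insensitively) and reports which required actions are missing. Resource and Condition keys are deliberately not evaluated, and the extra statement it appends uses Resource "*" only because the existing ssm statement does; both are assumptions, and narrowing the resource to the account's SSM ARN is the least-privilege option.

```python
import copy
import fnmatch
import json

# The inline policy from the question, embedded here as the input to check.
POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ssmmessages:CreateControlChannel", "ssmmessages:CreateDataChannel",
                "ssmmessages:OpenControlChannel", "ssmmessages:OpenDataChannel",
                "ssm:UpdateInstanceInformation"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["logs:CreateLogStream", "logs:PutLogEvents",
                "logs:DescribeLogGroups", "logs:DescribeLogStreams"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:PutObject"],
     "Resource": "arn:aws:s3:::ec2-sessionmanager-logs"},
    {"Effect": "Allow", "Action": ["s3:GetEncryptionConfiguration"], "Resource": "*"},
    {"Effect": "Allow", "Action": "kms:GenerateDataKey", "Resource": "*"}
  ]
}"""
POLICY = json.loads(POLICY_JSON)

def _as_list(value):
    # "Action" may be a single string or a list of strings.
    return [value] if isinstance(value, str) else list(value)

def _matches(pattern, action):
    # IAM action names are case-insensitive and accept '*' and '?' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def action_allowed(policy, action):
    """True if the policy's Action dimension allows `action`.
    Explicit Deny wins; no matching statement means implicit deny.
    Assumption: Resource and Condition are not evaluated here."""
    allowed = False
    for stmt in policy["Statement"]:
        if any(_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def missing_actions(policy, required):
    """Sorted list of the required actions the policy does not allow."""
    return sorted(a for a in required if not action_allowed(policy, a))

def with_allow(policy, actions, resource="*"):
    """Copy of `policy` with one extra Allow statement for `actions` appended."""
    fixed = copy.deepcopy(policy)
    fixed["Statement"].append({"Effect": "Allow", "Action": list(actions), "Resource": resource})
    return fixed
```

Running missing_actions(POLICY, ["ssm:UpdateInstanceInformation", "ssm:ListAssociations"]) returns ["ssm:ListAssociations"], matching the AccessDeniedException in the agent log, and the same check on with_allow(POLICY, ["ssm:ListAssociations"]) returns an empty list.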