运行 aws ec2 run-instances 时指定 ec2 实例的卷类型
Specifying a volume type for an ec2 instance when running aws ec2 run-instances
我想在启动实例时将 GP3 指定为根 EBS 卷的卷类型。这是我运行的命令:
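# Launch a single c4.large from the given AMI in us-east-2.
# The root-volume override in block-device-mappings.json only takes effect
# when its DeviceName matches the AMI's root device name; otherwise the AMI's
# own root volume is created with its default type/size and the mapping
# becomes an additional, separate volume.
# --disable-api-termination turns on termination protection, but it does not
# override --instance-initiated-shutdown-behavior terminate: a shutdown
# initiated from inside the OS still terminates the instance.
# The duplicated --monitoring option was removed: the CLI keeps only the last
# value of a repeated option, so passing the same file twice was redundant.
aws ec2 run-instances \
--region us-east-2 \
--image-id ami-0e361731ae5aacece \
--instance-type c4.large \
--key-name my-key \
--block-device-mappings file://block-device-mappings.json \
--placement file://placement.json \
--monitoring file://monitoring.json \
--disable-api-termination \
--instance-initiated-shutdown-behavior terminate \
--network-interfaces file://network-interfaces.json \
--iam-instance-profile file://iam-instance-profile.json \
--ebs-optimized \
--tag-specifications file://tag-specifications.json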
下面是我的 block-device-mappings.json 的内容:
[
{
"DeviceName": "/dev/sda1",
"Ebs": {
"VolumeSize": 50,
"DeleteOnTermination": false,
"VolumeType": "gp3"
}
}
]
创建上述 JSON 时使用了此 documentation。
但是当我运行上面的命令时,它失败了,因为我使用的公司账户不允许创建具有 GP2 卷类型的 EC2 实例。为什么 GP3 没有被用作卷类型,尽管它是明确指定的?
编辑 1:
这是我解码编码失败消息后得到的错误消息(请注意,我已经从 PrincipalArn 对象中删除了一些项目,并在必要的帐户 ID 等处添加了虚拟值):
{
"allowed": false,
"explicitDeny": true,
"matchedStatements": {
"items": [
{
"statementId": "RestrictEC2Volume",
"effect": "DENY",
"principals": {
"items": [
{
"value": "MY_ROLE_ACCESS_KEY"
}
]
},
"principalGroups": {
"items": []
},
"actions": {
"items": [
{
"value": "ec2:RunInstances"
},
{
"value": "ec2:CreateVolume"
}
]
},
"resources": {
"items": [
{
"value": "arn:aws:ec2:*:*:volume/*"
}
]
},
"conditions": {
"items": [
{
"key": "ec2:VolumeType",
"values": {
"items": [
{
"value": "gp2"
}
]
}
},
{
"key": "aws:PrincipalArn",
"values": {
"items": [
{
"value": "arn:aws:sts::12345678:assumed-role/EMR_DefaultRole/CCSSession"
},
{
"value": "arn:aws:sts::4567890:assumed-role/EMR_DefaultRole/CCSSession"
},
{
"value": "arn:aws:iam::3456789:role/EMR_DefaultRole"
},
{
"value": "arn:aws:iam::4567890:role/EMR_DefaultRole"
},
{
"value": "arn:aws:sts::567890876:assumed-role/EMR_DefaultRole/CCSSession"
},
{
"value": "arn:aws:iam::567890876:role/EMR_DefaultRole"
},
{
"value": "arn:aws:iam::234567854:role/EMR_DefaultRole"
},
{
"value": "arn:aws:sts::234567854:assumed-role/EMR_DefaultRole/CCSSession"
},
]
}
}
]
}
}
]
},
"failures": {
"items": []
},
"context": {
"principal": {
"id": "MY_ROLE_ACCESS_KEY:INSTANCE_ID",
"arn": "arn:aws:sts::ACCT_ID:assumed-role/AWS-SSM-AgentAccess/MY_ROLE_ACCESS_KEY:INSTANCE_ID"
},
"action": "ec2:RunInstances",
"resource": "arn:aws:ec2:us-east-2:ACCT_ID:volume/*",
"conditions": {
"items": [
{
"key": "aws:Resource",
"values": {
"items": [
{
"value": "volume/*"
}
]
}
},
{
"key": "aws:Account",
"values": {
"items": [
{
"value": "ACCT_ID"
}
]
}
},
{
"key": "ec2:AvailabilityZone",
"values": {
"items": [
{
"value": "us-east-2b"
}
]
}
},
{
"key": "ec2:Encrypted",
"values": {
"items": [
{
"value": "false"
}
]
}
},
{
"key": "ec2:VolumeType",
"values": {
"items": [
{
"value": "gp2"
}
]
}
},
{
"key": "ec2:IsLaunchTemplateResource",
"values": {
"items": [
{
"value": "false"
}
]
}
},
{
"key": "aws:Region",
"values": {
"items": [
{
"value": "us-east-2"
}
]
}
},
{
"key": "aws:Service",
"values": {
"items": [
{
"value": "ec2"
}
]
}
},
{
"key": "ec2:VolumeID",
"values": {
"items": [
{
"value": "*"
}
]
}
},
{
"key": "ec2:VolumeSize",
"values": {
"items": [
{
"value": "10"
}
]
}
},
{
"key": "ec2:ParentSnapshot",
"values": {
"items": [
{
"value": "arn:aws:ec2:us-east-2::snapshot/SNAPSHOT_ID"
}
]
}
},
{
"key": "aws:Type",
"values": {
"items": [
{
"value": "volume"
}
]
}
},
{
"key": "ec2:Region",
"values": {
"items": [
{
"value": "us-east-2"
}
]
}
},
{
"key": "aws:ARN",
"values": {
"items": [
{
"value": "arn:aws:ec2:us-east-2:ACCT_ID:volume/*"
}
]
}
}
]
}
}
}
基本上,如果我正确理解此消息,我可以看到它正在尝试创建 GP2 类型的 10GB 卷,尽管我指定了 GP3 类型的 50GB 卷。
根据您的 AMI,根设备名称会有所不同。您正在使用 /dev/sda1,但是例如,在 Amazon Linux 2 上它应该是 /dev/xvda(可以通过 aws ec2 describe-images --image-ids ami-0e361731ae5aacece 输出中的 RootDeviceName 确认)。从您解码的消息来看,被拒绝的卷带有 ec2:ParentSnapshot 条件且 VolumeSize 为 10,这正是 AMI 自带的根卷,而不是您映射的 50GB 卷:
[
{
"DeviceName": "/dev/xvda",
"Ebs": {
"VolumeSize": 50,
"DeleteOnTermination": false,
"VolumeType": "gp3"
}
}
]
如果您使用 sda1,您的根卷仍然是 gp2,因为您只是在 xvda 旁边创建了一个名为 sda1 的新的独立驱动器。
我想在启动实例时将 GP3 指定为根 EBS 卷的卷类型。这是我运行
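的命令
# Launch a single c4.large from the given AMI in us-east-2.
# The root-volume override in block-device-mappings.json only takes effect
# when its DeviceName matches the AMI's root device name; otherwise the AMI's
# own root volume is created with its default type/size and the mapping
# becomes an additional, separate volume.
# --disable-api-termination turns on termination protection, but it does not
# override --instance-initiated-shutdown-behavior terminate: a shutdown
# initiated from inside the OS still terminates the instance.
# The duplicated --monitoring option was removed: the CLI keeps only the last
# value of a repeated option, so passing the same file twice was redundant.
aws ec2 run-instances \
--region us-east-2 \
--image-id ami-0e361731ae5aacece \
--instance-type c4.large \
--key-name my-key \
--block-device-mappings file://block-device-mappings.json \
--placement file://placement.json \
--monitoring file://monitoring.json \
--disable-api-termination \
--instance-initiated-shutdown-behavior terminate \
--network-interfaces file://network-interfaces.json \
--iam-instance-profile file://iam-instance-profile.json \
--ebs-optimized \
--tag-specifications file://tag-specifications.json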
下面是我的 block-device-mappings.json 的内容:
[
{
"DeviceName": "/dev/sda1",
"Ebs": {
"VolumeSize": 50,
"DeleteOnTermination": false,
"VolumeType": "gp3"
}
}
]
创建上述 JSON 时使用了此 documentation。但是当我运行上面的命令时,它失败了,因为我使用的公司账户不允许创建具有 GP2 卷类型的 EC2 实例。为什么 GP3 没有被用作卷类型,尽管它是明确指定的?
编辑 1:
这是我解码编码失败消息后得到的错误消息(请注意,我已经从 PrincipalArn 对象中删除了一些项目,并在必要的帐户 ID 等处添加了虚拟值):
{
"allowed": false,
"explicitDeny": true,
"matchedStatements": {
"items": [
{
"statementId": "RestrictEC2Volume",
"effect": "DENY",
"principals": {
"items": [
{
"value": "MY_ROLE_ACCESS_KEY"
}
]
},
"principalGroups": {
"items": []
},
"actions": {
"items": [
{
"value": "ec2:RunInstances"
},
{
"value": "ec2:CreateVolume"
}
]
},
"resources": {
"items": [
{
"value": "arn:aws:ec2:*:*:volume/*"
}
]
},
"conditions": {
"items": [
{
"key": "ec2:VolumeType",
"values": {
"items": [
{
"value": "gp2"
}
]
}
},
{
"key": "aws:PrincipalArn",
"values": {
"items": [
{
"value": "arn:aws:sts::12345678:assumed-role/EMR_DefaultRole/CCSSession"
},
{
"value": "arn:aws:sts::4567890:assumed-role/EMR_DefaultRole/CCSSession"
},
{
"value": "arn:aws:iam::3456789:role/EMR_DefaultRole"
},
{
"value": "arn:aws:iam::4567890:role/EMR_DefaultRole"
},
{
"value": "arn:aws:sts::567890876:assumed-role/EMR_DefaultRole/CCSSession"
},
{
"value": "arn:aws:iam::567890876:role/EMR_DefaultRole"
},
{
"value": "arn:aws:iam::234567854:role/EMR_DefaultRole"
},
{
"value": "arn:aws:sts::234567854:assumed-role/EMR_DefaultRole/CCSSession"
},
]
}
}
]
}
}
]
},
"failures": {
"items": []
},
"context": {
"principal": {
"id": "MY_ROLE_ACCESS_KEY:INSTANCE_ID",
"arn": "arn:aws:sts::ACCT_ID:assumed-role/AWS-SSM-AgentAccess/MY_ROLE_ACCESS_KEY:INSTANCE_ID"
},
"action": "ec2:RunInstances",
"resource": "arn:aws:ec2:us-east-2:ACCT_ID:volume/*",
"conditions": {
"items": [
{
"key": "aws:Resource",
"values": {
"items": [
{
"value": "volume/*"
}
]
}
},
{
"key": "aws:Account",
"values": {
"items": [
{
"value": "ACCT_ID"
}
]
}
},
{
"key": "ec2:AvailabilityZone",
"values": {
"items": [
{
"value": "us-east-2b"
}
]
}
},
{
"key": "ec2:Encrypted",
"values": {
"items": [
{
"value": "false"
}
]
}
},
{
"key": "ec2:VolumeType",
"values": {
"items": [
{
"value": "gp2"
}
]
}
},
{
"key": "ec2:IsLaunchTemplateResource",
"values": {
"items": [
{
"value": "false"
}
]
}
},
{
"key": "aws:Region",
"values": {
"items": [
{
"value": "us-east-2"
}
]
}
},
{
"key": "aws:Service",
"values": {
"items": [
{
"value": "ec2"
}
]
}
},
{
"key": "ec2:VolumeID",
"values": {
"items": [
{
"value": "*"
}
]
}
},
{
"key": "ec2:VolumeSize",
"values": {
"items": [
{
"value": "10"
}
]
}
},
{
"key": "ec2:ParentSnapshot",
"values": {
"items": [
{
"value": "arn:aws:ec2:us-east-2::snapshot/SNAPSHOT_ID"
}
]
}
},
{
"key": "aws:Type",
"values": {
"items": [
{
"value": "volume"
}
]
}
},
{
"key": "ec2:Region",
"values": {
"items": [
{
"value": "us-east-2"
}
]
}
},
{
"key": "aws:ARN",
"values": {
"items": [
{
"value": "arn:aws:ec2:us-east-2:ACCT_ID:volume/*"
}
]
}
}
]
}
}
}
基本上,如果我正确理解此消息,我可以看到它正在尝试创建 GP2 类型的 10GB 卷,尽管我指定了 GP3 类型的 50GB 卷。
根据您的 AMI,根设备名称会有所不同。您正在使用 /dev/sda1,但是例如,在 Amazon Linux 2 上它应该是 /dev/xvda(可以通过 aws ec2 describe-images --image-ids ami-0e361731ae5aacece 输出中的 RootDeviceName 确认)。从您解码的消息来看,被拒绝的卷带有 ec2:ParentSnapshot 条件且 VolumeSize 为 10,这正是 AMI 自带的根卷,而不是您映射的 50GB 卷:
[
{
"DeviceName": "/dev/xvda",
"Ebs": {
"VolumeSize": 50,
"DeleteOnTermination": false,
"VolumeType": "gp3"
}
}
]
如果您使用 sda1,您的根卷仍然是 gp2,因为您只是在 xvda 旁边创建了一个名为 sda1 的新的独立驱动器。