EC2 Instance Status Check fails when created by CloudFormation template
I created a CloudFormation stack in the us-east-1 and ap-south-1 regions using the following template:
AWSTemplateFormatVersion: "2010-09-09"
Description: Template for node-aws-ec2-github-actions tutorial
Resources:
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Sample Security Group
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
  EC2Instance:
    Type: "AWS::EC2::Instance"
    Properties:
      ImageId: "ami-0d2986f2e8c0f7d01" # Another comment -- This is a Linux AMI
      InstanceType: t2.micro
      KeyName: node-ec2-github-actions-key
      SecurityGroups:
        - Ref: InstanceSecurityGroup
      BlockDeviceMappings:
        - DeviceName: /dev/sda1
          Ebs:
            VolumeSize: 8
            DeleteOnTermination: true
      Tags:
        - Key: Name
          Value: Node-Ec2-Github-Actions
  EIP:
    Type: AWS::EC2::EIP
    Properties:
      InstanceId: !Ref EC2Instance
Outputs:
  InstanceId:
    Description: InstanceId of the newly created EC2 instance
    Value:
      Ref: EC2Instance
  PublicIP:
    Description: Elastic IP
    Value:
      Ref: EIP
The stack executed successfully and all resources were created. Unfortunately, once the EC2 status checks are initialized, the instance status check fails and I cannot access the instance over SSH.
I tried creating an instance manually with the same IAM user, and that works fine.
These are the policies attached to the IAM user.
Managed policies
- AmazonEC2FullAccess
- AWSCloudFormationFullAccess
Inline policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:CreateInstanceProfile",
        "iam:DeleteInstanceProfile",
        "iam:GetRole",
        "iam:GetInstanceProfile",
        "iam:DeleteRolePolicy",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:UpdateRole",
        "iam:PutRolePolicy",
        "iam:AddRoleToInstanceProfile"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListAllMyBuckets",
        "s3:CreateBucket",
        "s3:DeleteObject",
        "s3:DeleteBucket"
      ],
      "Resource": "*"
    }
  ]
}
Thanks in advance for your help. Have a nice day.
Answering my own question. The problem was the EBS block device name. For the Amazon Linux AMI specified here, the device name should be /dev/xvda.
BlockDeviceMappings:
  - DeviceName: /dev/xvda
    Ebs:
      VolumeSize: 8
      DeleteOnTermination: true
Thanks everyone for your help.
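A pre-deployment check for the mismatch this answer describes, added here as an example and not part of the original post: it compares each AWS::EC2::Instance resource's BlockDeviceMappings against the AMI's RootDeviceName (in practice read from `aws ec2 describe-images`; here a constructed catalog entry for the question's AMI is embedded) and flags mappings that, like /dev/sda1 in the question, do not name the AMI's root device.

```python
"""Lint a CloudFormation template (already loaded as a dict) for EBS
BlockDeviceMappings whose DeviceName does not match the AMI's root device."""

# Constructed stand-in for the 'Images' entries that
# `aws ec2 describe-images --image-ids <id>` returns; real values come from the API.
AMI_CATALOG = {
    "ami-0d2986f2e8c0f7d01": {"RootDeviceName": "/dev/xvda", "RootDeviceType": "ebs"},
}


def check_root_device_mappings(template, ami_catalog=AMI_CATALOG):
    """Return one finding string per EC2 instance whose mappings miss the root device."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::Instance":
            continue
        props = res.get("Properties", {})
        image_id = props.get("ImageId")
        mappings = props.get("BlockDeviceMappings", [])
        if not isinstance(image_id, str) or not mappings:
            continue  # ImageId is a Ref/parameter or there is nothing to compare
        ami = ami_catalog.get(image_id)
        if ami is None:
            findings.append(f"{name}: AMI {image_id} not found; run describe-images first")
            continue
        root = ami["RootDeviceName"]
        names = [m.get("DeviceName") for m in mappings]
        if root not in names:
            findings.append(
                f"{name}: BlockDeviceMappings name {names} but the root device of "
                f"{image_id} is {root}; the mapping will not configure the root volume"
            )
    return findings


def instance_template(device_name, image_id="ami-0d2986f2e8c0f7d01"):
    """Constructed minimal copy of the question's EC2Instance resource."""
    return {"Resources": {"EC2Instance": {
        "Type": "AWS::EC2::Instance",
        "Properties": {
            "ImageId": image_id,
            "BlockDeviceMappings": [{"DeviceName": device_name,
                                     "Ebs": {"VolumeSize": 8, "DeleteOnTermination": True}}],
        }}}}


if __name__ == "__main__":
    print(check_root_device_mappings(instance_template("/dev/sda1")))  # one finding
    print(check_root_device_mappings(instance_template("/dev/xvda")))  # []
```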