EC2 IAM policy permissions for creating a Redshift cluster from a snapshot
I am trying to create a cluster from a snapshot using the CLI on an EC2 instance:
aws redshift restore-from-cluster-snapshot --cluster-identifier <myNewCluster> --snapshot-identifier snapshotID
I get the following error message:
An error occurred (UnauthorizedOperation) when calling the RestoreFromClusterSnapshot operation: Access Denied. Please ensure that your IAM Permissions allow this operation.
On the EC2 role I am using a policy with the following settings. The policy is open to all Redshift resources:
{
  "Statement": [
    {
      "Action": [
        "s3:*",
        "redshift:*",
        "logs:*",
        "iam:*",
        "ec2:*"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Sid": ""
    }
  ]
}
The role also has a permissions boundary that includes these permissions:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "redshift:Describe*",
        "redshift:List*",
        "redshift:View*",
        "redshift:Accept*",
        "redshift:Cancel*",
        "redshift:Create*",
        "redshift:*Tags",
        "redshift:ModifyClusterM*",
        "redshift:ModifySa*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "redshift:RestoreFromClusterSnapshot"
      ],
      "Resource": [
        "arn:aws:redshift:us-west-1:123456789012:cluster:*",
        "arn:aws:redshift:us-west-1:123456789012:snapshot:*/*"
      ]
    }
  ]
}
Everything is in the same account. Describe, delete and so on work fine, but creating a cluster from a snapshot fails with the error above.
I checked this answer, but I still get the error; I am using EC2, not a user.
You are blocking yourself with the permissions boundary.
According to the AWS documentation: "A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity". This means it does not grant any permissions on its own; instead it sets a ceiling for the given IAM role or IAM user.
In your case, you can do one of the following to restore a Redshift cluster from a snapshot from your EC2 instance using the AWS CLI:
a) Remove the permissions boundary entirely
This solution is the simplest and quickest, and it may be enough for your current needs. Nevertheless, it is also the least secure one. It lets your EC2 instance assume a very permissive role, which is not recommended in a production environment because it does not follow the principle of least privilege.
b) Update the permissions boundary with the missing EC2 actions
Your permissions boundary is missing some EC2-related actions. It will work if you update it to the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeAddresses",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:DescribeInternetGateways",
        "redshift:Describe*",
        "redshift:List*",
        "redshift:View*",
        "redshift:Accept*",
        "redshift:Cancel*",
        "redshift:Create*",
        "redshift:*Tags",
        "redshift:ModifyClusterM*",
        "redshift:ModifySa*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "redshift:RestoreFromClusterSnapshot"
      ],
      "Resource": [
        "arn:aws:redshift:us-west-1:123456789012:cluster:*",
        "arn:aws:redshift:us-west-1:123456789012:snapshot:*/*"
      ]
    }
  ]
}
(I took the missing permissions from the AWS-managed AmazonRedshiftFullAccess policy and verified your use case with and without them.)
c) Remove the permissions boundary and tighten the IAM role
If using a permissions boundary is not a hard requirement, you can remove it from your EC2 role and swap the role's current permissions for the ones I listed in point b).
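The mechanism behind this answer, the boundary acting as a cap rather than a grant, as an added example that is not part of the original question or answer. It models the asker's identity policy and both versions of the boundary in Python and evaluates every (action, resource) pair the restore call has to pass, using the EC2 Describe actions listed in option b). The cluster and snapshot ARNs are constructed sample values, and the matching is a deliberate simplification of IAM's evaluation (fnmatch wildcards, case-sensitive, no Condition blocks, SCPs or resource policies).

```python
"""Offline model of how IAM combines an identity policy with a permissions
boundary. Added example, not part of the original question or answer.

The boundary never grants anything: a request passes only when the identity
policy AND the boundary both allow it. Wildcards are matched with fnmatch,
a simplification of IAM's own matching (which is case-insensitive for
actions); Condition blocks, SCPs and resource policies are ignored.
"""
from fnmatch import fnmatchcase

# Identity policy attached to the EC2 role, as posted in the question.
IDENTITY_POLICY = {
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:*", "redshift:*", "logs:*", "iam:*", "ec2:*"],
        "Resource": "*",
    }]
}

# Redshift statements shared by both boundary versions (from the question).
REDSHIFT_STATEMENTS = [
    {
        "Effect": "Allow",
        "Action": ["redshift:Describe*", "redshift:List*", "redshift:View*",
                   "redshift:Accept*", "redshift:Cancel*", "redshift:Create*",
                   "redshift:*Tags", "redshift:ModifyClusterM*", "redshift:ModifySa*"],
        "Resource": "*",
    },
    {
        "Effect": "Allow",
        "Action": ["redshift:RestoreFromClusterSnapshot"],
        "Resource": ["arn:aws:redshift:us-west-1:123456789012:cluster:*",
                     "arn:aws:redshift:us-west-1:123456789012:snapshot:*/*"],
    },
]

# The asker's boundary: Redshift only, no EC2 Describe calls at all.
ORIGINAL_BOUNDARY = {"Statement": REDSHIFT_STATEMENTS}

# The EC2 Describe actions the answer (option b) adds to the boundary.
EC2_DESCRIBE_ACTIONS = [
    "ec2:DescribeAccountAttributes", "ec2:DescribeAddresses",
    "ec2:DescribeAvailabilityZones", "ec2:DescribeSecurityGroups",
    "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:DescribeInternetGateways",
]
FIXED_BOUNDARY = {
    "Statement": [{"Effect": "Allow", "Action": EC2_DESCRIBE_ACTIONS, "Resource": "*"}]
    + REDSHIFT_STATEMENTS
}

# Constructed sample identifiers for the restore call in the question.
CLUSTER_ARN = "arn:aws:redshift:us-west-1:123456789012:cluster:mynewcluster"
SNAPSHOT_ARN = "arn:aws:redshift:us-west-1:123456789012:snapshot:oldcluster/snapshotid"

# Every (action, resource) pair the restore must pass. EC2 Describe* calls
# do not support resource-level permissions, so their resource is "*".
RESTORE_REQUEST = [
    ("redshift:RestoreFromClusterSnapshot", CLUSTER_ARN),
    ("redshift:RestoreFromClusterSnapshot", SNAPSHOT_ARN),
] + [(action, "*") for action in EC2_DESCRIBE_ACTIONS]


def _as_list(value):
    # IAM allows a bare string where a list is expected; normalise to list.
    return value if isinstance(value, list) else [value]


def policy_allows(policy, action, resource):
    """True if some statement allows (action, resource) and none denies it."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        hits_action = any(fnmatchcase(action, p) for p in _as_list(stmt.get("Action", [])))
        hits_resource = any(fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource", [])))
        if not (hits_action and hits_resource):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny always wins
        allowed = True
    return allowed


def effective_allow(identity_policy, boundary, action, resource):
    """The boundary caps the identity policy: both must allow the request."""
    return (policy_allows(identity_policy, action, resource)
            and policy_allows(boundary, action, resource))


def blocked_by_boundary(identity_policy, boundary, request):
    """Actions the identity policy grants but the boundary cuts off."""
    return [action for action, resource in request
            if policy_allows(identity_policy, action, resource)
            and not policy_allows(boundary, action, resource)]


if __name__ == "__main__":
    for name, boundary in (("original", ORIGINAL_BOUNDARY), ("fixed", FIXED_BOUNDARY)):
        blocked = blocked_by_boundary(IDENTITY_POLICY, boundary, RESTORE_REQUEST)
        print(f"{name} boundary blocks: {blocked or 'nothing'}")
```

With the original boundary the Redshift action itself passes (it is inside the boundary's us-west-1 cluster and snapshot ARNs), and only the seven EC2 Describe calls are cut off, which is exactly the symptom in the question: a generic Access Denied on RestoreFromClusterSnapshot even though `redshift:*` is granted. Against a live account, `aws iam simulate-principal-policy --policy-source-arn <role ARN> --action-names <action> ...` runs the real evaluation for the role, permissions boundary included, and reports which policy produced the decision.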