那些遇到过的问题

小编vku*_*hyn的帖子

AWS ssm:SendCommand with SNS - 限制性 IAM 策略

我正在尝试创建一个限制性 SSM 角色 IAM 策略,该策略能够在 SendCommand 命令执行失败时发送 SNS 通知。我目前的以下策略为我提供“AccessDenied”,没有其他信息(占位符已替换):

{
  "Statement": {
    "Effect": "Allow",
    "Action": [ "ssm:SendCommand" ],
    "Resource": [
      "arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance/*",
      "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:document/${DocumentName}",
      "arn:aws:s3:::${S3BucketName}",
      "arn:aws:s3:::${S3BucketName}/*",
      "arn:aws:iam::${AWS::AccountId}:role/${RoleThatHasSNSPublishPerms}",
      "arn:aws:sns:${AWS::RegionId}:${AWS::AccountId}:${SNSTopicName}"
    ]
  }
}
Run Code Online (Sandbox Code Playgroud)

我还拥有 ${RoleThatHasSNSPublishPerms} 的 iam::PassRole 权限。我以这种方式使用 python boto3 从 lambda 调用它:

        ssm = boto3.client('ssm')
        ssm.send_command(
            InstanceIds = [ instance_id ],
            DocumentName = ssm_document_name,
            TimeoutSeconds = 300,
            OutputS3Region = aws_region,
            OutputS3BucketName = output_bucket_name,
            OutputS3KeyPrefix = ssm_document_name,
            ServiceRoleArn = ssm_service_role_arn,
            NotificationConfig = {
                'NotificationArn': sns_arn,
                'NotificationEvents': ['TimedOut', 'Cancelled', 'Failed'],
                'NotificationType': 'Command'
            }
        )
Run Code Online (Sandbox Code Playgroud)

我知道问题出在我的 …

amazon-web-services amazon-sns amazon-iam aws-lambda aws-ssm

vku*_*hyn
2018 11-06
5
推荐指数
1
解决办法
1275
查看次数

标签 统计

amazon-iam ×1

amazon-sns ×1

amazon-web-services ×1

aws-lambda ×1

aws-ssm ×1