AWS IAM execution role does not have permissions to call CreateNetworkInterface on EC2 for a specific VPC


Title: AWS IAM Execution role does not have permissions to call CreateNetworkInterface on EC2 for a specific VPC
Posted: 2021-08-29 11:03:09
Question:

I get this error: Error: Error creating Lambda function: InvalidParameterValueException: The provided execution role does not have permissions to call CreateNetworkInterface on EC2 when trying to create a Lambda with a custom Lambda role that has these IAM permissions:

  ...
  statement {
    sid = "MyCustomLamdaStatementDescribe"
    actions = [
      "ec2:DescribeNetworkInterfaces",
    ]
    resources = ["*"]
  }
  statement {
    sid = "MyCustomLamdaStatementCreateDelete"
    actions = [
        "ec2:AttachNetworkInterface",
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface",
        "ec2:AssignPrivateIpAddresses",
        "ec2:UnassignPrivateIpAddresses",
        "ec2:DescribeVpcs"
    ]
    resources = [
      "*"
    ]
    condition {
      test     = "ArnEquals"
      variable = "ec2:vpc"
      values = [
        "arn:aws:ec2:${var.my_region}:${var.my_account_id}:vpc/${var.my_vpc_id}",
      ]
    }
  }
  ...

Creating the Lambda without any condition works perfectly (as pointed out in AWS Lambda: The provided execution role does not have permissions to call DescribeNetworkInterfaces on EC2), but I need the role to be able to match the VPC (or the ec2:Subnet ARN).

Note: I tried condition.test with both ArnEquals and StringEquals.


Answer 1:

If you want to restrict it to only one VPC, you have to split the actions up.

ec2:DescribeNetworkInterfaces can only be used with Resource: * and no conditions (see the docs). But that one is relatively harmless by itself. The others can be restricted.

Here is a solution in YAML (CloudFormation). It is not perfect. In particular, I don't know how to restrict the resource or apply conditions to ec2:DeleteNetworkInterface. When I tried, I got the same error.

- Effect: Allow
  Action:
    - 'ec2:CreateNetworkInterface'
  Resource:
    - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:security-group/${SecGrp}'
    - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:subnet/${SubnetA}'
    - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:subnet/${SubnetB}'
    - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:subnet/${SubnetC}'
  Condition:
    StringEquals:
      'ec2:Vpc': !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc/${VPC}'
- Effect: Allow
  Action:
    - 'ec2:CreateNetworkInterface'
  Resource:
    - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*'
    # VPC condition not supported for this type of resource for this action
- Effect: Allow
  Action:
    - 'ec2:DeleteNetworkInterface'
  Resource:
    # I don't know why we need the first
    # the docs say the second is sufficient, but it doesn't work
    - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:*'
    - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*'
  # the docs say this is supported, but it's not
  # Condition:
  #   StringEquals:
  #     'ec2:Vpc': !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc/${VPC}'
- Effect: Allow
  Action:
    # this action must have resource: * and no conditions
    # cannot be restricted
    - 'ec2:DescribeNetworkInterfaces'
  Resource:
    - '*'
- Effect: Allow
  Action:
    - 'ec2:AssignPrivateIpAddresses'
    - 'ec2:UnassignPrivateIpAddresses'
  Resource:
    - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*'
  Condition:
    StringEquals:
      'ec2:Vpc': !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc/${VPC}'
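As an added illustration, not code from the question or this answer: a simplified offline model of why the question's single conditional statement fails while the split policy above works. It models only Allow statements, wildcard resource matching and StringEquals, and assumes (as the comment in the YAML observes) that the network-interface resource of a CreateNetworkInterface call carries no ec2:Vpc context key; the ARNs are constructed sample values.

```python
import fnmatch

# Constructed sample identifiers (not from the question).
REGION, ACCOUNT = "us-east-1", "123456789012"
ARN = f"arn:aws:ec2:{REGION}:{ACCOUNT}:"
VPC = ARN + "vpc/vpc-0abc"
SUBNET = ARN + "subnet/subnet-0abc"
SG = ARN + "security-group/sg-0abc"
ENI = ARN + "network-interface/eni-0abc"

# One CreateNetworkInterface call is authorized against three resources.
# Assumption, matching the answer's comment: the subnet and security group
# carry an ec2:Vpc context key, the network interface being created does not.
REQUEST = [(SUBNET, {"ec2:Vpc": VPC}), (SG, {"ec2:Vpc": VPC}), (ENI, {})]

def statement_allows(stmt, action, resource, ctx):
    """Allow statement matches if it names the action, a Resource pattern
    matches the ARN, and every StringEquals key is present in ctx and equal."""
    if stmt.get("Effect") != "Allow" or action not in stmt["Action"]:
        return False
    if not any(fnmatch.fnmatchcase(resource, p) for p in stmt["Resource"]):
        return False
    conds = stmt.get("Condition", {}).get("StringEquals", {})
    # A key absent from the request context can never satisfy StringEquals.
    return all(ctx.get(k) == v for k, v in conds.items())

def denied_resources(policy, action="ec2:CreateNetworkInterface", request=REQUEST):
    """ARNs in the call that no statement allows; IAM rejects the whole call
    if this list is non-empty."""
    return [res for res, ctx in request
            if not any(statement_allows(s, action, res, ctx) for s in policy)]

VPC_COND = {"StringEquals": {"ec2:Vpc": VPC}}
# The question's approach: one statement, Resource "*", condition on everything.
QUESTION_POLICY = [
    {"Effect": "Allow", "Action": ["ec2:CreateNetworkInterface"],
     "Resource": ["*"], "Condition": VPC_COND},
]
# The answer's approach: condition on subnet/security-group, none on the ENI.
SPLIT_POLICY = [
    {"Effect": "Allow", "Action": ["ec2:CreateNetworkInterface"],
     "Resource": [SUBNET, SG], "Condition": VPC_COND},
    {"Effect": "Allow", "Action": ["ec2:CreateNetworkInterface"],
     "Resource": [ARN + "network-interface/*"]},
]

if __name__ == "__main__":
    print("question policy denies:", denied_resources(QUESTION_POLICY))  # the ENI
    print("split policy denies:", denied_resources(SPLIT_POLICY))        # []
```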


Answer 2:

You can work around this by attaching the following managed policy:

arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole

Explained here: https://www.maxivanov.io/deploy-aws-lambda-to-vpc-with-terraform/#add-lambda-to-the-vpc

Comments:

The question is about how to do this with a condition that restricts the permissions to only one VPC. AWSLambdaVPCAccessExecutionRole grants permissions for all VPCs.
