ListAssociation 的 AWS Session Manager 异常
Posted
技术标签:
【中文标题】ListAssociation 的 AWS Session Manager 异常【英文标题】:AWS Session Manager Exception for ListAssociation 【发布时间】:2020-09-05 02:05:38 【问题描述】:在 AWS 上对会话管理器进行健康检查时遇到以下错误:
amazon-ssm-agent[17614]: 2020-05-19 12:57:35 ERROR [MessagingDeliveryService] [Association] Unable to load instance associations, unable to retrieve associations unable to retrieve associations AccessDeniedException: User: arn:aws:sts::395456465418:assumed-role/SessionManagerInstanceProfile/i-02c8c2ae1dce2ce84 is not authorized to perform: ssm:ListAssociations on resource: arn:aws:ssm:ap-southeast-1:395456465418:*
相信这是由于为实例 IAM 策略授予的权限不足造成的。但是为了解决这个错误,我应该授予什么额外的访问权限?
以下是从 AWS 文档复制的当前内联策略。
"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Action": [
"ssmmessages:CreateControlChannel",
"ssmmessages:CreateDataChannel",
"ssmmessages:OpenControlChannel",
"ssmmessages:OpenDataChannel",
"ssm:UpdateInstanceInformation"
],
"Resource": "*"
,
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams"
],
"Resource": "*"
,
"Effect": "Allow",
"Action": [
"s3:PutObject"
],
"Resource": "arn:aws:s3:::ec2-sessionmanager-logs"
,
"Effect": "Allow",
"Action": [
"s3:GetEncryptionConfiguration"
],
"Resource": "*"
,
"Effect": "Allow",
"Action": "kms:GenerateDataKey",
"Resource": "*"
]
【问题讨论】:
【参考方案1】:错误信息提示:
无权执行:ssm:ListAssociations
动作:
授予列出指定 SSM 文档或托管实例的关联的权限
因此,策略应包含:ssm:ListAssociations。目前,在您在问题中发布的政策中,不允许此类操作。
【讨论】:
以上是关于ListAssociation 的 AWS Session Manager 异常的主要内容,如果未能解决你的问题,请参考以下文章