问题
I have the following IAM Role:
- AmazonEC2FullAccess
- Custom-Policy
In my custom policy I have:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "iam:ListRoles",
"Resource": "*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "10.0.0.0/16"
}
}
}
]
}
Then I create a new EC2 instance and attach this role to it.
Inside the EC2 Instance I try to do:
aws iam list-roles
But I get this error:
An error occurred (AccessDenied) when calling the ListRoles operation: User: arn:aws:sts::XXXXXXX:assumed-role/My-Role/i-XXXXXX is not authorized to perform: iam:ListRoles on resource: arn:aws:iam::XXXXXXX:role/
Do you have an idea why it's not working, please? thanks.
PS: The EC2 instance's IP is 10.0.0.XX
回答1:
The IAM API lives on the Internet. Thus, when it receives your request, it will be coming from the IP address of the instance. IAM never sees the private IP address of the instance.
In theory, the IP address restriction should not be necessary because the role can only be used on instances where it has been assigned. You should put security on who can use the role (iam:PassRole), rather than from where the role can be used.
来源:https://stackoverflow.com/questions/55462180/accessdenied-for-ec2-instance-with-attached-iam-role