How to show a specific EC2 instance to a user

人走茶凉 posted on 2019-12-31 04:17:10

Question


I have some AWS EC2 instances and would like to show ONLY one instance to partners.

I created an IAM user for the partner. The following is the policy I created. But when the partner logs in to AWS and opens the EC2 instance view, the following message is displayed and no instance is shown.

An error occurred fetching instance data: You are not authorized to perform this operation.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:*"
      ],
      "Sid": "Stmt1373378552000",
      "Resource": [
        "arn:aws:ec2:ap-northeast-1:123456789012:instance/i-12345678"
      ],
      "Effect": "Allow"
    }
  ]
}

(123456789012 is my (dummy) account ID and i-12345678 is the instance I would like to show)

I also tried specifying it by tag name as follows, but that does not work either.

      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Name": "node-B"
        }
      },

Does anyone know how to show a specific EC2 instance to partners?


Answer 1:


This is not currently supported.

Only selected Amazon EC2 API actions currently support resource-level permissions:

  • Describe calls do not support resource-level permissions
  • Start/Stop/Terminate (and others) are supported

The AWS Management Console uses a DescribeInstances call, which cannot be restricted to a specific resource. Hence the error you received.

See also:

  • Supported Resource-Level Permissions for Amazon EC2 API Actions
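
The following is an added example and is not part of the question or the answer above. It encodes the rule the answer gives as a small policy checker: an Allow statement that grants a Describe* action only on an instance ARN, or only under an ec2:ResourceTag condition, can never match a Describe call, so the checker flags it and emits the split that the answer implies (Describe* on "*", plus the instance-level actions on the original ARN with the original condition). The account ID, instance ID and tag value are the dummy values from the question; the set of instance-level actions and the Sid naming are assumptions of this example, not anything the page prescribes.

```python
"""Added example (not from the original question or answer).

Rule encoded, from the answer: EC2 Describe* calls do not support
resource-level permissions (the request's resource is "*"), so an Allow
that grants them only on an instance ARN, or only under an
ec2:ResourceTag condition, never matches, and the console reports
"You are not authorized to perform this operation". Actions such as
StartInstances/StopInstances/TerminateInstances do support instance ARNs.
"""
import copy
import fnmatch
import json

# Assumption: the instance-level actions a partner would typically get.
# The answer names these three as supporting resource ARNs; replace them
# with the minimum set the partner actually needs (least privilege).
DEFAULT_SCOPED_ACTIONS = [
    "ec2:StartInstances",
    "ec2:StopInstances",
    "ec2:TerminateInstances",
]


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def covers_describe(action):
    """True if an IAM action pattern can match an EC2 Describe* call.

    Covers the exact call (ec2:DescribeInstances), the family wildcard
    (ec2:Describe*) and the full wildcard (ec2:*). IAM action names are
    matched case-insensitively, so compare lower-cased.
    """
    a = action.lower()
    return (fnmatch.fnmatchcase("ec2:describeinstances", a)
            or fnmatch.fnmatchcase(a, "ec2:describe*"))


def find_misscoped_describe(policy):
    """Indexes of Allow statements that grant Describe* on a non-"*" resource
    or under a Condition: such grants can never apply to a Describe call."""
    flagged = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(covers_describe(a) for a in _as_list(stmt.get("Action"))):
            continue
        if "*" not in _as_list(stmt.get("Resource")) or "Condition" in stmt:
            flagged.append(i)
    return flagged


def split_policy(policy, scoped_actions=DEFAULT_SCOPED_ACTIONS):
    """Return a new policy in which each flagged statement becomes two:
    a Describe* grant on "*" and a resource-scoped grant that keeps the
    original Resource and Condition. A literal ec2:* is replaced by
    scoped_actions, because ec2:* on an ARN is what hid the problem."""
    out = copy.deepcopy(policy)
    flagged = set(find_misscoped_describe(policy))
    rewritten = []
    for i, stmt in enumerate(out["Statement"]):
        if i not in flagged:
            rewritten.append(stmt)
            continue
        keep = []
        for a in _as_list(stmt.get("Action")):
            if a.lower() == "ec2:*":
                keep.extend(scoped_actions)
            elif not covers_describe(a):
                keep.append(a)
        sid = stmt.get("Sid", "Stmt")  # Sid suffixes are an assumption
        rewritten.append({
            "Sid": f"{sid}Describe",
            "Effect": "Allow",
            "Action": ["ec2:Describe*"],
            "Resource": "*",  # Describe* only ever matches on "*"
        })
        if keep:
            scoped = {
                "Sid": f"{sid}Scoped",
                "Effect": "Allow",
                "Action": list(dict.fromkeys(keep)),  # dedupe, keep order
                "Resource": stmt["Resource"],
            }
            if "Condition" in stmt:
                scoped["Condition"] = stmt["Condition"]
            rewritten.append(scoped)
    out["Statement"] = rewritten
    return out


# The policy from the question (dummy account and instance IDs), with the
# tag condition from the second attempt folded in so both mistakes show.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Stmt1373378552000",
        "Effect": "Allow",
        "Action": ["ec2:*"],
        "Resource": ["arn:aws:ec2:ap-northeast-1:123456789012:instance/i-12345678"],
        "Condition": {"StringEquals": {"ec2:ResourceTag/Name": "node-B"}},
    }],
}

if __name__ == "__main__":
    print("flagged statements:", find_misscoped_describe(QUESTION_POLICY))
    print(json.dumps(split_policy(QUESTION_POLICY), indent=2))
```

The trade-off the split makes explicit is the one the answer states: with Describe* on "*" the partner can list every instance in the account, and only the StartInstances/StopInstances/TerminateInstances grant is narrowed to the one ARN and the Name=node-B tag. Run the checker over the corrected policy and it flags nothing, because the only remaining Describe grant is on "*" without a condition.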


Source: https://stackoverflow.com/questions/27124539/how-to-show-specific-ec2-instance-for-an-user
