Specifying the EC2 instance's volume type when running aws ec2 run-instances

Posted 2025-01-14 09:31:54, 9402 characters, 2 views, 0 comments

I want to specify GP3 as the volume type of my root EBS volume as I launch the instance. This is the command that I ran:

aws ec2 run-instances \
--region us-east-2 \
--image-id ami-0e361731ae5aacece \
--instance-type c4.large \
--key-name my-key \
--block-device-mappings file://block-device-mappings.json \
--placement file://placement.json \
--monitoring file://monitoring.json \
--disable-api-termination \
--instance-initiated-shutdown-behavior terminate \
--network-interfaces file://network-interfaces.json \
--iam-instance-profile file://iam-instance-profile.json \
--ebs-optimized \
--tag-specifications file://tag-specifications.json

Below is the content of my block-device-mappings.json:

[
    {
        "DeviceName": "/dev/sda1",
        "Ebs": {
            "VolumeSize": 50,
            "DeleteOnTermination": false,
            "VolumeType": "gp3"
        }
    }
]

This documentation was used when creating the above JSON.

But when I run the above command, it fails because I am using a corporate account which does not allow creating EC2 instances with GP2 volume type. Why is GP3 not being used as the volume type although it is explicitly specified?

EDIT 1:

This is the error message that I get after I decode the encoded failure message (note that I have removed some items from the PrincipalArn object and added dummy values where necessary, e.g. for account IDs):

{
    "allowed": false,
    "explicitDeny": true,
    "matchedStatements": {
        "items": [
            {
                "statementId": "RestrictEC2Volume",
                "effect": "DENY",
                "principals": {
                    "items": [
                        {
                            "value": "MY_ROLE_ACCESS_KEY"
                        }
                    ]
                },
                "principalGroups": {
                    "items": []
                },
                "actions": {
                    "items": [
                        {
                            "value": "ec2:RunInstances"
                        },
                        {
                            "value": "ec2:CreateVolume"
                        }
                    ]
                },
                "resources": {
                    "items": [
                        {
                            "value": "arn:aws:ec2:*:*:volume/*"
                        }
                    ]
                },
                "conditions": {
                    "items": [
                        {
                            "key": "ec2:VolumeType",
                            "values": {
                                "items": [
                                    {
                                        "value": "gp2"
                                    }
                                ]
                            }
                        },
                        {
                            "key": "aws:PrincipalArn",
                            "values": {
                                "items": [
                                    {
                                        "value": "arn:aws:sts::12345678:assumed-role/EMR_DefaultRole/CCSSession"
                                    },
                                    {
                                        "value": "arn:aws:sts::4567890:assumed-role/EMR_DefaultRole/CCSSession"
                                    },
                                    {
                                        "value": "arn:aws:iam::3456789:role/EMR_DefaultRole"
                                    },
                                    {
                                        "value": "arn:aws:iam::4567890:role/EMR_DefaultRole"
                                    },
                                    {
                                        "value": "arn:aws:sts::567890876:assumed-role/EMR_DefaultRole/CCSSession"
                                    },
                                    {
                                        "value": "arn:aws:iam::567890876:role/EMR_DefaultRole"
                                    },
                                    {
                                        "value": "arn:aws:iam::234567854:role/EMR_DefaultRole"
                                    },
                                    {
                                        "value": "arn:aws:sts::234567854:assumed-role/EMR_DefaultRole/CCSSession"
}
                                ]
                            }
                        }
                    ]
                }
            }
        ]
    },
    "failures": {
        "items": []
    },
    "context": {
        "principal": {
            "id": "MY_ROLE_ACCESS_KEY:INSTANCE_ID",
            "arn": "arn:aws:sts::ACCT_ID:assumed-role/AWS-SSM-AgentAccess/MY_ROLE_ACCESS_KEY:INSTANCE_ID"
        },
        "action": "ec2:RunInstances",
        "resource": "arn:aws:ec2:us-east-2:ACCT_ID:volume/*",
        "conditions": {
            "items": [
                {
                    "key": "aws:Resource",
                    "values": {
                        "items": [
                            {
                                "value": "volume/*"
                            }
                        ]
                    }
                },
                {
                    "key": "aws:Account",
                    "values": {
                        "items": [
                            {
                                "value": "ACCT_ID"
                            }
                        ]
                    }
                },
                {
                    "key": "ec2:AvailabilityZone",
                    "values": {
                        "items": [
                            {
                                "value": "us-east-2b"
                            }
                        ]
                    }
                },
                {
                    "key": "ec2:Encrypted",
                    "values": {
                        "items": [
                            {
                                "value": "false"
                            }
                        ]
                    }
                },
                {
                    "key": "ec2:VolumeType",
                    "values": {
                        "items": [
                            {
                                "value": "gp2"
                            }
                        ]
                    }
                },
                {
                    "key": "ec2:IsLaunchTemplateResource",
                    "values": {
                        "items": [
                            {
                                "value": "false"
                            }
                        ]
                    }
                },
                {
                    "key": "aws:Region",
                    "values": {
                        "items": [
                            {
                                "value": "us-east-2"
                            }
                        ]
                    }
                },
                {
                    "key": "aws:Service",
                    "values": {
                        "items": [
                            {
                                "value": "ec2"
                            }
                        ]
                    }
                },
                {
                    "key": "ec2:VolumeID",
                    "values": {
                        "items": [
                            {
                                "value": "*"
                            }
                        ]
                    }
                },
                {
                    "key": "ec2:VolumeSize",
                    "values": {
                        "items": [
                            {
                                "value": "10"
                            }
                        ]
                    }
                },
                {
                    "key": "ec2:ParentSnapshot",
                    "values": {
                        "items": [
                            {
                                "value": "arn:aws:ec2:us-east-2::snapshot/SNAPSHOT_ID"
                            }
                        ]
                    }
                },
                {
                    "key": "aws:Type",
                    "values": {
                        "items": [
                            {
                                "value": "volume"
                            }
                        ]
                    }
                },
                {
                    "key": "ec2:Region",
                    "values": {
                        "items": [
                            {
                                "value": "us-east-2"
                            }
                        ]
                    }
                },
                {
                    "key": "aws:ARN",
                    "values": {
                        "items": [
                            {
                                "value": "arn:aws:ec2:us-east-2:ACCT_ID:volume/*"
                            }
                        ]
                    }
                }
            ]
        }
    }
}

Basically, if I understand this message correctly, I can see that it is trying to create a 10GB volume of type GP2 although I have specified a 50GB volume of type GP3.
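One way to read a decoded message like the one above, as an added example that is not part of the question: the script below (assumed helper names; a constructed, trimmed sample in the shape of `aws sts decode-authorization-message` output) pulls out the deny statement's condition and the request context the policy was evaluated against, then reports where the evaluated volume differs from what the mapping asked for.

```python
import json

# Constructed sample in the shape of the decoded message above, trimmed to the fields
# used here (real input comes from `aws sts decode-authorization-message`).
DECODED_MESSAGE = json.loads("""
{"allowed": false, "explicitDeny": true,
 "matchedStatements": {"items": [{
   "statementId": "RestrictEC2Volume", "effect": "DENY",
   "actions": {"items": [{"value": "ec2:RunInstances"}, {"value": "ec2:CreateVolume"}]},
   "resources": {"items": [{"value": "arn:aws:ec2:*:*:volume/*"}]},
   "conditions": {"items": [
     {"key": "ec2:VolumeType", "values": {"items": [{"value": "gp2"}]}}]}}]},
 "context": {
   "action": "ec2:RunInstances",
   "resource": "arn:aws:ec2:us-east-2:ACCT_ID:volume/*",
   "conditions": {"items": [
     {"key": "ec2:VolumeType", "values": {"items": [{"value": "gp2"}]}},
     {"key": "ec2:VolumeSize", "values": {"items": [{"value": "10"}]}},
     {"key": "ec2:Encrypted", "values": {"items": [{"value": "false"}]}}]}}}
""")

def _values(node):
    # Flatten the {"items": [{"value": ...}]} wrapper used throughout the message.
    return [item["value"] for item in node.get("items", [])]

def _conditions(node):
    # A conditions block becomes {condition_key: [values]}.
    return {c["key"]: _values(c["values"]) for c in node.get("items", [])}

def summarize_denial(msg):
    """Matched statements plus the request context the policy was evaluated against."""
    statements = [{
        "id": st.get("statementId"),
        "effect": st["effect"],
        "actions": _values(st["actions"]),
        "resources": _values(st["resources"]),
        "conditions": _conditions(st["conditions"]),
    } for st in msg["matchedStatements"]["items"]]
    return {
        "allowed": msg["allowed"],
        "explicit_deny": msg["explicitDeny"],
        "action": msg["context"]["action"],
        "resource": msg["context"]["resource"],
        "request": _conditions(msg["context"]["conditions"]),
        "statements": statements,
    }

def compare_with_intent(summary, intended):
    """Condition keys whose evaluated value differs from what the caller meant to request.
    intended looks like {"ec2:VolumeType": "gp3", "ec2:VolumeSize": "50"} (string values)."""
    return {key: {"intended": want, "evaluated": summary["request"].get(key)}
            for key, want in intended.items()
            if summary["request"].get(key) != [want]}
```

Running `compare_with_intent(summarize_denial(DECODED_MESSAGE), {"ec2:VolumeType": "gp3", "ec2:VolumeSize": "50"})` shows both keys evaluated as gp2 and 10, i.e. the volume being authorized is not the one in the mapping.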


Comments (1)

故事和酒 2025-01-21 09:31:54

Depending on your AMI, the root drive name varies. You are using /dev/sda1, but for example, on amazon linux 2 it should be /dev/xvda:

[
    {
        "DeviceName": "/dev/xvda",
        "Ebs": {
            "VolumeSize": 50,
            "DeleteOnTermination": false,
            "VolumeType": "gp3"
        }
    }
]

If you use sda1, your root is still gp2, as you just create a new, separate drive called sda1 alongside xvda.
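A pre-flight check for the mismatch the answer describes, as an added example that is not the answerer's code: it compares the block device mapping against the AMI's RootDeviceName (a constructed `describe-images` response; the image id is from the question, its root device and default volume are assumed) and rewrites the mapping so the override actually lands on the root volume.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-images --image-ids <ami>` output.
# The image id is the one from the question; its root device and default volume are assumed.
DESCRIBE_IMAGES = json.loads("""
{"Images": [{
  "ImageId": "ami-0e361731ae5aacece",
  "RootDeviceType": "ebs",
  "RootDeviceName": "/dev/xvda",
  "BlockDeviceMappings": [{
    "DeviceName": "/dev/xvda",
    "Ebs": {"SnapshotId": "snap-EXAMPLE", "VolumeSize": 10, "VolumeType": "gp2",
            "DeleteOnTermination": true}}]}]}
""")

# The block-device-mappings.json from the question.
REQUESTED_MAPPINGS = [{
    "DeviceName": "/dev/sda1",
    "Ebs": {"VolumeSize": 50, "DeleteOnTermination": False, "VolumeType": "gp3"},
}]

def ami_root(describe_images):
    """Return (RootDeviceName, its Ebs defaults) for the first image in the response."""
    image = describe_images["Images"][0]
    root = image["RootDeviceName"]
    for bdm in image.get("BlockDeviceMappings", []):
        if bdm["DeviceName"] == root:
            return root, bdm.get("Ebs", {})
    return root, {}

def check_root_mapping(describe_images, mappings, denied_types=("gp2",)):
    """Findings about the root volume; an empty list means the override will apply."""
    root, defaults = ami_root(describe_images)
    by_name = {m["DeviceName"]: m.get("Ebs", {}) for m in mappings}
    findings = []
    if root not in by_name:
        findings.append(
            f"no mapping targets the AMI root device {root}: the root volume keeps the AMI "
            f"default {defaults.get('VolumeType')} {defaults.get('VolumeSize')} GiB and "
            f"{sorted(by_name)} would be created as separate volumes")
        if defaults.get("VolumeType") in denied_types:
            findings.append(f"AMI default root type {defaults['VolumeType']} is denied by policy")
    elif by_name[root].get("VolumeType") in denied_types:
        findings.append(f"root mapping requests denied type {by_name[root]['VolumeType']}")
    return findings

def retarget_root(describe_images, mappings, old_name):
    """Copy of mappings with the entry meant for the root disk renamed to the AMI's RootDeviceName."""
    root, _ = ami_root(describe_images)
    return [dict(m, DeviceName=root) if m["DeviceName"] == old_name else dict(m)
            for m in mappings]

if __name__ == "__main__":
    for finding in check_root_mapping(DESCRIBE_IMAGES, REQUESTED_MAPPINGS):
        print("finding:", finding)
    fixed = retarget_root(DESCRIBE_IMAGES, REQUESTED_MAPPINGS, "/dev/sda1")
    print(json.dumps(fixed, indent=2))  # save as block-device-mappings.json
```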
