AWS (SSM)在UpdateInstanceInformation实例上失败
AWS (SSM)在UpdateInstanceInformation实例上失败
提问于 2020-05-18 20:56:56
我经常收到Cloudwatch授权警报,因为附加到我的UpdateInstanceInformation.实例的角色似乎没有足够的SSM (系统管理器)权限到SageMaker我的理解是,代理amazon-ssm-agent想要访问AWS,但没有这样做。
我的角色具有完整的SSM权限:
{
"Action": [
"ssm:*",
"ssmmessages:*"
],
"Resource": "*",
"Effect": "Allow"
}但错误依然存在:
{
"eventVersion": "1.05",
"userIdentity": {
"type": "AssumedRole",
"principalId": "XXXXXXXXXXXXX:SageMaker",
"arn": "arn:aws:sts::XXXXXXXXXXXXX:assumed-role/sagemaker_prod_Notebook_Instance_Role/SageMaker",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "XXXXXXXXXXXXX",
"arn": "arn:aws:iam::XXXXXXXXXXXXX:role/sagemaker_prod_Notebook_Instance_Role",
"accountId": "XXXXXXXXXXXXX",
"userName": "sagemaker_prod_Notebook_Instance_Role"
}
},
"invokedBy": "im.amazonaws.com"
},
"eventSource": "ssm.amazonaws.com",
"eventName": "UpdateInstanceInformation",
"sourceIPAddress": "im.amazonaws.com",
"userAgent": "im.amazonaws.com",
"errorCode": "AccessDenied",
"errorMessage": "An unknown error occurred",
"requestParameters": {
"instanceId": "i-045f627a2d2e469b1",
"agentVersion": "2.3.714.0",
"platformType": "Linux",
"agentName": "amazon-ssm-agent"
},
"eventType": "AwsApiCall"
}有人见过这个吗?
回答 1
Stack Overflow用户
发布于 2020-07-16 18:09:34
这有点晚了,但我也遇到了类似的问题,所以我求助于AWS支持,这似乎有点错误。
我被告知AWS Sag怪人团队默认安装了ssm。Sagemaker笔记本在aws服务帐户中运行,尽管当客户在自己的帐户中指定Sagemaker角色时,该角色不能通过客户指定的角色执行UpdateInstance信息。
支持建议我创建一个生命周期配置,并利用下面的代码示例修复它:https://docs.aws.amazon.com/sagemaker/latest/dg/notebook-lifecycle-config.html https://github.com/aws-samples/amazon-sagemaker-notebook-instance-lifecycle-config-samples/blob/master/scripts/disable-uninstall-ssm-agent/on-start.sh
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/61878860
复制相关文章
相似问题
腾讯云开发者
