【发布时间】:2017-12-03 06:05:39
【问题描述】:
我正在尝试设置一个 EC2 (RHEL7) 实例,以使用http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/mon-scripts.html 中所述的 perl 脚本将指标推送到 cloudwatch
我收到一条 HTTP 状态 400 消息“请求中包含的安全令牌无效”
实例配置文件与附加了以下策略的实例相关联:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:PutMetricData",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeTags"
],
"Resource": "*"
}
]
}
我正在从实例元数据中提取 AWSAccessKeyId 和 AWSSecretKey,如下所示:
ROLE=$(curl http://169.254.169.254/latest/meta-data/iam/security-credentials/)
CRED=$(curl http://169.254.169.254/latest/meta-data/iam/security-credentials/$ROLE)
AWSAccessKeyId=$(sed '/AccessKeyId/!d; s/.*:\ \+"\(.\+\)",/\1/g' <<< "$CRED")
AWSSecretKey=$(sed '/SecretAccessKey/!d; s/.*:\ \+"\(.\+\)",/\1/g' <<< "$CRED")
...当我检查它们时,上述变量中设置的值是正确的...
我正在运行脚本以按如下方式推送到 cloudwatch(使用存储在上面的变量中的凭据):
./mon-put-instance-data.pl --mem-util --verbose --aws-access-key-id $AWSAccessKeyId --aws-secret-key $AWSSecretKey
任何想法为什么拒绝我的凭据?
提前致谢
【问题讨论】:
-
您使用的是 IAM 角色吗?如果是这样,您不需要凭据,它会为您处理
标签: linux amazon-web-services amazon-cloudwatch