EventBridge Scheduler

0

Hi, I was testing EventBridge Scheduler to simply stop or start my EC2 instance (Linux). I have created the roles and policy that are needed, but it looks like the event is failing to invoke my EC2 instance! The strange part is that I did the same things in two accounts: in our production account it works, but when I try it in our sandbox account the server won't start or stop.

This is my policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "ec2:StartInstances",
            "Resource": "arn:aws:ec2:eu-central-1:XXXXXXXXXX:instance/i-07d8c13fXXXXXa0",
            "Effect": "Allow"
        }
    ]
}

and this is the trusted entities section of the role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "scheduler.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:SourceArn": "arn:aws:scheduler:eu-central-1:XXXXXXXXX:schedule/default/StartLinuxServer",
                    "aws:SourceAccount": "XXXXXXXXXX"
                }
            }
        }
    ]
}

SSM has access to the EC2 instance and I have already updated the SSM agent.

Any idea why it works in one account and not in the other? The only difference is that the server in the working account is in a private subnet, while in the sandbox it is in the default public subnet.

Thanks

Shahin
asked a month ago, 138 views
2 answers
0

Hello.

First of all, you cannot stop an EC2 instance with "ec2:StartInstances" alone.
"ec2:StopInstances" is also required to stop EC2.

By the way, is the ARN set in the trust policy correct?
For example, how about making it available to all EventBridge schedulers as follows?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "scheduler.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

I think the following blog will be helpful for the settings themselves.
https://dev.to/aws-builders/easy-setup-for-ec2-stop-jobs-with-amazon-eventbridge-scheduler-4lpg

EXPERT
answered a month ago
EXPERT
reviewed a month ago
  • Hi, thank you for your reply. Sorry for the misunderstanding: I have also created a different role for starting the instance, that's why I posted it by mistake. I have one more role that is being used for the instance; it has AmazonSSMManagedInstanceCore and CloudWatchAgentServerPolicy as permissions, and the ARN is correct, I just copied it from the instance page. I also changed the role by removing the ARN, but still the same result.

    Shahin

  • What is the IAM role configured for the EventBridge scheduler? Try checking the EventBridge scheduler IAM role instead of the EC2 IAM role.
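The two things the answer above asks the questioner to verify (that the schedule's own ARN and account really match the `aws:SourceArn` / `aws:SourceAccount` condition in the scheduler role's trust policy, and that the role's permission policy grants the EC2 action the schedule actually calls) can be checked offline before looking at the console. The following is an added example, not code from this re:Post thread or from AWS. It is a deliberately simplified evaluator of the IAM subset involved here, not the real IAM engine: it ignores explicit `Deny`, `NotAction`/`NotResource`, SCPs and permission boundaries, so an empty result means "nothing in these two documents blocks the call", not that the invocation is guaranteed to succeed. The account ID, instance ID and schedule names in the sample data are constructed placeholders shaped like the ones in the question.

```python
"""Offline sanity check for an EventBridge Scheduler -> EC2 target role.

Added example (not from the re:Post thread). Models only the IAM pieces
relevant to this failure: the role's trust policy (who may assume it and
any aws:SourceArn / aws:SourceAccount condition) and the role's permission
policy (which ec2:* action on which instance ARN). Explicit Deny,
NotAction/NotResource, SCPs and permission boundaries are NOT modelled.
"""
from fnmatch import fnmatchcase
from typing import Any

SCHEDULER_PRINCIPAL = "scheduler.amazonaws.com"


def _as_list(value: Any) -> list:
    """IAM accepts a scalar or a list in Action/Resource/Principal/Condition; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_problems(trust_policy: dict, schedule_arn: str, account_id: str) -> list[str]:
    """Problems that stop `schedule_arn` from assuming the role ([] if none).

    A statement qualifies when it allows sts:AssumeRole to the scheduler service
    principal. Any StringEquals condition on aws:SourceArn / aws:SourceAccount
    must then match the schedule that really invokes the target: a schedule with
    a different name, group or account is refused by STS.
    """
    problems: list[str] = []
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if SCHEDULER_PRINCIPAL not in services:
            continue
        if not any(fnmatchcase("sts:assumerole", a.lower()) for a in _as_list(stmt.get("Action"))):
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        mismatches = []
        if "aws:SourceArn" in equals and schedule_arn not in _as_list(equals["aws:SourceArn"]):
            mismatches.append(f"aws:SourceArn condition {equals['aws:SourceArn']!r} "
                              f"does not match schedule {schedule_arn!r}")
        if "aws:SourceAccount" in equals and account_id not in _as_list(equals["aws:SourceAccount"]):
            mismatches.append(f"aws:SourceAccount condition {equals['aws:SourceAccount']!r} "
                              f"does not match account {account_id!r}")
        if not mismatches:
            return []  # one fully matching Allow statement is enough
        problems.extend(mismatches)
    return problems or [f"no Allow statement lets {SCHEDULER_PRINCIPAL} call sts:AssumeRole"]


def permission_problems(policy: dict, action: str, resource_arn: str) -> list[str]:
    """Problems that stop the role from calling `action` on `resource_arn` ([] if none)."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        # Action names are case-insensitive and may use * and ? wildcards.
        action_ok = any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt.get("Action")))
        # Resource ARNs are case-sensitive; wildcards are allowed.
        resource_ok = any(fnmatchcase(resource_arn, r) for r in _as_list(stmt.get("Resource")))
        if action_ok and resource_ok:
            return []
    return [f"no Allow statement grants {action} on {resource_arn}"]


def check_schedule_target(trust_policy: dict, permission_policy: dict, schedule_arn: str,
                          account_id: str, action: str, instance_arn: str) -> list[str]:
    """Both checks combined; an empty list means neither document blocks the invocation."""
    return (trust_policy_problems(trust_policy, schedule_arn, account_id)
            + permission_problems(permission_policy, action, instance_arn))


# --- constructed sample data, shaped like the role posted in the question ---
ACCOUNT_ID = "123456789012"   # placeholder account
REGION = "eu-central-1"
INSTANCE_ARN = f"arn:aws:ec2:{REGION}:{ACCOUNT_ID}:instance/i-0123456789abcdef0"  # placeholder
START_SCHEDULE_ARN = f"arn:aws:scheduler:{REGION}:{ACCOUNT_ID}:schedule/default/StartLinuxServer"
STOP_SCHEDULE_ARN = f"arn:aws:scheduler:{REGION}:{ACCOUNT_ID}:schedule/default/StopLinuxServer"

PERMISSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:StartInstances", "Resource": INSTANCE_ARN}],
}
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": SCHEDULER_PRINCIPAL},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"aws:SourceArn": START_SCHEDULE_ARN,
                                       "aws:SourceAccount": ACCOUNT_ID}},
    }],
}

if __name__ == "__main__":
    print("start schedule:", check_schedule_target(
        TRUST_POLICY, PERMISSION_POLICY, START_SCHEDULE_ARN, ACCOUNT_ID,
        "ec2:StartInstances", INSTANCE_ARN) or "OK")
    # Reusing the same role from a differently named stop schedule fails twice:
    # the trust condition pins a different schedule ARN, and StopInstances is not granted.
    for problem in check_schedule_target(TRUST_POLICY, PERMISSION_POLICY, STOP_SCHEDULE_ARN,
                                         ACCOUNT_ID, "ec2:StopInstances", INSTANCE_ARN):
        print("stop schedule: ", problem)
```

Run it after pasting in the real documents from `aws iam get-role` and `aws iam get-role-policy` (or the inline copies from the console) and the exact schedule ARN from `aws scheduler get-schedule`. The point to notice is that a trust policy pinned with `aws:SourceArn` is tied to one schedule name, one schedule group and one account: copying the role and policy to a second account while the schedule there has a different name or the condition still carries the first account's values produces exactly the "same roles, different result" symptom, without any error in the role itself.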

0

This is my event policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "ec2:StartInstances",
            "Resource": "arn:aws:ec2:eu-central-1:xxxxxxxxxxx45:instance/i-02307ed149403dd12",
            "Effect": "Allow"
        }
    ]
}

and its trust relationship:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "scheduler.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:SourceArn": "arn:aws:scheduler:eu-central-1:XXXXXXXXXXX45:schedule/default/linuxStartSchedule",
                    "aws:SourceAccount": "Xxxxxxxxxxxx45"
                }
            }
        }
    ]
}

I don't think there is a problem with the IAM roles, because I use the same roles in my prod environment and it works without any problem! When I use them in my sandbox account it won't work.

Shahin
answered a month ago
