使用 AWS re:Post 即表示您同意 AWS re:Post 使用條款

How do I troubleshoot EC2 instance profile errors for IAM roles?

5 分的閱讀內容
0

I want to troubleshoot Amazon Elastic Compute Cloud (Amazon EC2) instance profile errors for AWS Identity and Access Management (IAM) roles.

Short description

When you try to create, update, delete, or attach an instance profile on an Amazon EC2 instance, you might receive one of the following errors:

  • "AccessDenied or unauthorized"
  • "No roles attached to instance profile."
  • "Can't delete entity, remove role from instance profile"
  • "Active association errors on an EC2 instance"
  • "Instance profile already exists"
  • "The requested DurationSeconds exceeds the 1 hour session limit for roles"

Resolution

Use the following troubleshooting steps for the error message that you received.

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

"AccessDenied or unauthorized"

This error is usually related to permission issues for an IAM policy that restricts access. To resolve access denied errors or unauthorized errors, use the following solution for your scenario.

Permissions boundaries

If your IAM entities (users or roles) use permissions boundaries, then your IAM policy might not meet specific requirements. For more information, see How can I resolve access denied issues caused by permissions boundaries?

Root user or IAM entity with admin permissions

IAM entities with administrator permissions or the AWS account root user sometimes experience authorization issues in specific scenarios. For more information, see How do I troubleshoot access denied issues for a root user or an admin user?

Cross-account access

If you tried to assume an IAM role in a cross-account, you must have permissions for the IAM account that assumes the IAM role. You must also have permission in the other AWS account that allows the assumption of the IAM role. For more information, see How do I resolve the "AccessDenied" or "Invalid information" error when I tried to assume a cross-account IAM role?

IAM policy permissions

If you tried to perform an API action on an AWS resource and received "AccessDenied or unauthorized" error, then check the permissions for the policy. For more information, see How can I troubleshoot access denied or unauthorized operation errors with an IAM policy?

EC2 instances

If you launched an EC2 instance and received an "AccessDenied" error, then there might be an issue with the instance profile or permissions. Make sure that you have a valid instance profile name, Amazon Resource Name (ARN), and that the instance profile has an IAM role. For more information, see Amazon EC2: When I try to launch an instance with a role, I get an AccessDenied error.

Get data to troubleshoot access denied or unauthorized errors

You can also use Amazon Athena queries or the AWS CLI to get error logs for IAM API call failures. You can use this data for additional troubleshooting with "access denied" or "unauthorized" errors. For more information, see How can I get data to assist in troubleshooting IAM permission access denied or unauthorized errors?

"No roles attached to instance profile"

This error occurs because the EC2 instance profile doesn't have an IAM role attached. Use the AWS Management Console or AWS CLI to attach an IAM role to the EC2 instance profile. For more information, see How do I attach or replace an instance profile on an Amazon EC2 instance?

"Can't delete entity remove role from instance profile"

If you used the AWS CLI command delete-instance-profile to try to delete an instance profile, you might receive an error similar to the following:

"An error occurred (DeleteConflict) when calling the DeleteInstanceProfile operation: Cannot delete entity, must remove roles from instance profile first."

This error occurs because a role is associated with the instance profile.

Important: Before you delete an instance profile, make sure that you don't have any running Amazon EC2) instances.

To remove the instance profile, run the AWS CLI command remove-role-from-instance-profile:

aws iam remove-role-from-instance-profile --instance-profile-name Your_Instance_Profile_Name --role-name Your_Role_Name

Then, run the AWS CLI command delete-instance-profile to delete the profile:

aws iam delete-instance-profile --instance-profile-name Your_Instance_Profile_Name

"Active association errors on an EC2 instance"

This error occurs when you attempt to update an instance profile that has multiple IAM roles associated with it.

To update the instance profile, you must first disassociate all IAM roles associated with it. For more information, see How do I resolve the error "The association iip-assoc-xxxxxxxx is not the active association" on my EC2 instance?

"Instance profile already exists"

This error occurred because when you try to create an instance profile that already exists. To resolve this error, either create an instance profile with a different name or delete the instance profile and recreate it.

Note: If you use the AWS CLI to create the IAM role, then you must also use the AWS CLI to create the instance profile. The IAM role name and instance profile name can be different.

"The requested DurationSeconds exceeds the 1 hour session limit for roles"

This error occurs if you used the AssumeRole API with temporary security credentials to assume an IAM role and the role session exceeded 1 hour. For best practices with role chaining, see Can I increase the duration of the IAM role chaining session?

Related information

Troubleshoot IAM and Amazon EC2

AWS 官方
AWS 官方已更新 2 個月前