由于缺少 IAM 权限,AWS RDS 自定义 Oracle 实例创建失败。如何解决这个问题?


我在尝试在 AWS RDS 上创建自定义 Oracle 数据库实例时遇到问题。创建过程失败,并显示以下错误消息,指示缺少针对不同资源执行各种操作的 IAM 权限。然而,具有正确权限集的 IAM(请参阅策略 AWSRDSCustomIamRolePolicyExample)已链接到 RDS 实例角色 (AWSRDSCustomInstanceRole-ap-southeast-1)。

使用以下 Terraform 资源生成这些资源:

resource "aws_rds_custom_db_engine_version" "ora19-std-cev" {
   # Custom engine version (CEV) for RDS Custom for Oracle 19c (EE, CDB).
   # Installation media and patches are read from the S3 bucket/prefix below and
   # the resulting CEV is encrypted with the KMS key given in kms_key_id.
   database_installation_files_s3_bucket_name = aws_s3_bucket.cev_bucket.id
   database_installation_files_s3_prefix      = "stdcev1/"
   engine                                     = "custom-oracle-ee-cdb"
   engine_version                             = "19.example.cdb_cev1"
   kms_key_id                                 = aws_kms_key.rds_custom_ora.arn
   # Manifest naming the base install zip, the OPatch bundle, the PSU/RU patch and
   # the remaining one-off patches; the file names must exist under the S3 prefix.
   # Keep the heredoc content unchanged: it is passed to the service verbatim.
   manifest                                   = <<JSON
   {  
     "databaseInstallationFileNames":["V982063-01.zip"],
     "opatchFileNames":["p6880880_190000_Linux-x86-64.zip"],
     "psuRuPatchFileNames":["p32126828_190000_Linux-x86-64.zip"],
     "otherPatchFileNames":["p29213893_1910000DBRU_Generic.zip","p29782284_1910000DBRU_Generic.zip","p28730253_190000_Linux-x86-64.zip","p29374604_1910000DBRU_Linux-x86-64.zip","p28852325_190000_Linux-x86-64.zip","p29997937_190000_Linux-x86-64.zip","p31335037_190000_Linux-x86-64.zip","p31335142_190000_Generic.zip"]
   }
   JSON
 }

data "aws_rds_orderable_db_instance" "custom-example-oracle" {
   # Resolve an orderable engine / instance-class combination for the CEV
   # registered above; the engine and version must match that CEV exactly.
   depends_on = [aws_rds_custom_db_engine_version.ora19-std-cev]

   engine         = "custom-oracle-ee-cdb"
   engine_version = "19.example.cdb_cev1"
   license_model  = "bring-your-own-license"
   storage_type   = "gp3"

   # Candidate instance classes, listed in order of preference.
   preferred_instance_classes = ["db.r5.xlarge", "db.r5.2xlarge", "db.r5.4xlarge"]
 }

 resource "aws_db_instance_role_association" "db_inst_role_ora19inst-example" {
   # Grant the DB instance the named feature through the RDS Custom role.
   # NOTE(review): this reuses the instance-profile role for the feature; a
   # dedicated least-privilege role would keep the two trust boundaries apart —
   # confirm what the feature actually requires.
   role_arn               = aws_iam_role.rds_custom_role.arn
   feature_name           = "ORA_EXAMPLE_S3_INTEGRATION"
   db_instance_identifier = aws_db_instance.ora19inst-example.identifier
 }
 
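resource "aws_db_instance" "ora19inst-example" {
  # RDS Custom for Oracle instance built from the CEV resolved by the
  # aws_rds_orderable_db_instance data source above.
  allocated_storage           = 500
  auto_minor_version_upgrade  = false  # Custom for Oracle does not support minor version upgrades
  # Reference the instance profile resource instead of repeating its name as a
  # literal string: the literal gives Terraform no dependency edge, so the DB
  # instance could be created before the profile (and the role's policy
  # attachment) exists, and the service-side permission pre-check on the
  # instance profile role would then run against an incomplete role.
  # Instance profile is required for Custom for Oracle. See: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/custom-setup-orcl.html#custom-setup-orcl.iam-vpc
  custom_iam_instance_profile = aws_iam_instance_profile.aws_rds_custom_instance_profile.name
  backup_retention_period     = 7
  db_subnet_group_name        = "db-oracle-private"
  engine                      = data.aws_rds_orderable_db_instance.custom-example-oracle.engine
  engine_version              = data.aws_rds_orderable_db_instance.custom-example-oracle.engine_version
  identifier                  = "ee-instance-test-example-1"
  instance_class              = data.aws_rds_orderable_db_instance.custom-example-oracle.instance_class
  kms_key_id                  = aws_kms_key.rds_custom_ora.arn
  license_model               = data.aws_rds_orderable_db_instance.custom-example-oracle.license_model
  multi_az                    = false # Custom for Oracle does not support multi-az
  # TODO: take the master password from a sensitive variable or a secret rather
  # than a literal; a literal ends up in version control and in Terraform state.
  password                    = "avoid-plaintext-passwords"
  username                    = "admin"
  storage_encrypted           = true

  # The policy attachment is not referenced by any attribute here, so make the
  # ordering explicit: the role must carry its policy before RDS validates it.
  depends_on = [
    aws_iam_role_policy_attachment.rds-policy-attachment
  ]

  timeouts {
    create = "1h"
    delete = "3h"
    update = "3h"
  }
}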

resource "aws_iam_instance_profile" "aws_rds_custom_instance_profile" {
  # Instance profile wrapping the RDS Custom role; its name is what the DB
  # instance's custom_iam_instance_profile argument must point at.
  role = aws_iam_role.rds_custom_role.name
  name = "AWSRDSCustomInstanceProfile-ap-southeast-1"
}
 
data "aws_iam_policy_document" "assume_rds_role" {
  # Trust policy for the instance-profile role. The profile is attached to the
  # EC2 host that RDS Custom manages, so the EC2 service is the principal that
  # normally needs to assume it.
  statement {
    actions = ["sts:AssumeRole"]
    effect  = "Allow"

    principals {
      identifiers = ["ec2.amazonaws.com"]
      type        = "Service"
    }
  }
}

resource "aws_iam_role" "rds_custom_role" {
  # Role assumed by the RDS Custom host; permissions are attached separately
  # via aws_iam_role_policy_attachment.
  assume_role_policy = data.aws_iam_policy_document.assume_rds_role.json
  path               = "/"
  name               = "AWSRDSCustomInstanceRole-ap-southeast-1"
}
 
resource "aws_iam_role_policy_attachment" "rds-policy-attachment" {
  # Attach the customer-managed RDS Custom policy (see the policy document
  # listed below) to the instance-profile role.
  role       = aws_iam_role.rds_custom_role.name
  policy_arn = "arn:aws:iam::<removed>:policy/AWSRDSCustomIamRolePolicyExample"
}

AWSRDSCustomIamRolePolicyExample 策略内容:

{
    "Statement": [
        {
            "Action": [
                "ssm:DescribeAssociation",
                "ssm:GetDeployablePatchSnapshotForInstance",
                "ssm:GetDocument",
                "ssm:DescribeDocument",
                "ssm:GetManifest",
                "ssm:GetParameter",
                "ssm:GetParameters",
                "ssm:ListAssociations",
                "ssm:ListInstanceAssociations",
                "ssm:PutInventory",
                "ssm:PutComplianceItems",
                "ssm:PutConfigurePackageResult",
                "ssm:UpdateAssociationStatus",
                "ssm:UpdateInstanceAssociationStatus",
                "ssm:UpdateInstanceInformation",
                "ssm:GetConnectionStatus",
                "ssm:DescribeInstanceInformation",
                "ssmmessages:CreateControlChannel",
                "ssmmessages:CreateDataChannel",
                "ssmmessages:OpenControlChannel",
                "ssmmessages:OpenDataChannel"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "ec2messages:AcknowledgeMessage",
                "ec2messages:DeleteMessage",
                "ec2messages:FailMessage",
                "ec2messages:GetEndpoint",
                "ec2messages:GetMessages",
                "ec2messages:SendReply"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "logs:PutRetentionPolicy",
                "logs:PutLogEvents",
                "logs:DescribeLogStreams",
                "logs:DescribeLogGroups",
                "logs:CreateLogStream",
                "logs:CreateLogGroup"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:logs:ap-southeast-1:<removed>:log-group:rds-custom-instance*"
        },
        {
            "Action": [
                "s3:putObject",
                "s3:getObject",
                "s3:getObjectVersion"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::do-not-delete-rds-custom-*/*"
        },
        {
            "Action": "cloudwatch:PutMetricData",
            "Condition": {
                "StringEquals": {
                    "cloudwatch:namespace": [
                        "RDSCustomForOracle/Agent"
                    ]
                }
            },
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "events:PutEvents",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:secretsmanager:ap-southeast-1:<removed>:secret:do-not-delete-rds-custom-*"
        },
        {
            "Action": "s3:ListBucketVersions",
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::do-not-delete-rds-custom-*"
        },
        {
            "Action": [
                "ec2:CreateSnapshots"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/AWSRDSCustom": "custom-oracle"
                }
            },
            "Effect": "Allow",
            "Resource": [
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ec2:*:*:volume/*"
            ]
        },
        {
            "Action": "ec2:CreateSnapshots",
            "Effect": "Allow",
            "Resource": "arn:aws:ec2:*::snapshot/*"
        },
        {
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:kms:ap-southeast-1:<removed>:key/bfe45637-514d-4ec0-82cd-94cc3ebbdaca"
        },
        {
            "Action": "ec2:CreateTags",
            "Condition": {
                "StringLike": {
                    "ec2:CreateAction": [
                        "CreateSnapshots"
                    ]
                }
            },
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "2012-10-17"
}

我收到以下错误消息:

(i) 执行 `terraform apply` 之后:

│ Error: waiting for RDS DB Instance (ee-instance-test-example-1) create: unexpected state 'incompatible-create', wanted target 'available, storage-optimization'. last error: %!s(<nil>)
│
│   with aws_db_instance.ora19inst-example,
│   on oracle-rds.tf line 280, in resource "aws_db_instance" "ora19inst-example":
│  280: resource "aws_db_instance" "ora19inst-example" {

(ii) 在 AWS 控制台上的“日志和事件”选项卡下:

You can't create the DB instance because of incompatible resources. The IAM instance profile role [AWSRDSCustomInstanceRole-ap-southeast-1] is missing the following permissions: EFFECT [Allow] on ACTION(S) [ssm:DescribeAssociation, ssm:DescribeDocument, ssm:GetConnectionStatus, ssm:GetDeployablePatchSnapshotForInstance, ssmmessages:OpenControlChannel, ssm:GetParameters, ssm:ListInstanceAssociations, ssm:PutConfigurePackageResult, ssmmessages:CreateControlChannel, ssm:GetParameter, ssm:UpdateAssociationStatus, ssm:GetManifest, ssmmessages:CreateDataChannel, ssm:PutInventory, ssm:UpdateInstanceInformation, ssm:DescribeInstanceInformation, ssmmessages:OpenDataChannel, ssm:GetDocument, ssm:ListAssociations, ssm:PutComplianceItems, ssm:UpdateInstanceAssociationStatus] for RESOURCE(S) [*], EFFECT [Allow] on ACTION(S) [ec2messages:DeleteMessage, ec2messages:FailMessage, ec2messages:GetEndpoint, ec2messages:AcknowledgeMessage, ec2messages:GetMessages, ec2messages:SendReply] for RESOURCE(S) [*], EFFECT [Allow] on ACTION(S) [logs:CreateLogStream, logs:DescribeLogStreams, logs:PutRetentionPolicy, logs:PutLogEvents, logs:CreateLogGroup] for RESOURCE(S) [arn:aws:logs:ap-southeast-1:<removed>:log-group:rds-custom-instance*], EFFECT [Allow] on ACTION(S) [s3:getObjectVersion, s3:getObject, s3:putObject] for RESOURCE(S) [arn:aws:s3:::do-not-delete-rds-custom-*/*], EFFECT [Allow] on ACTION(S) [cloudwatch:PutMetricData] for RESOURCE(S) [*] with CONDITION(S) [{Condition Key: [cloudwatch:namespace], Type: [StringEquals], Values: [RDSCustomForOracle/Agent]}], EFFECT [Allow] on ACTION(S) [events:PutEvents] for RESOURCE(S) [*], EFFECT [Allow] on ACTION(S) [secretsmanager:GetSecretValue, secretsmanager:DescribeSecret] for RESOURCE(S) [arn:aws:secretsmanager:ap-southeast-1:<removed>:secret:do-not-delete-rds-custom-*], EFFECT [Allow] on ACTION(S) [s3:ListBucketVersions] for RESOURCE(S) [arn:aws:s3:::do-not-delete-rds-custom-*], EFFECT [Allow] on ACTION(S) [ec2:CreateSnapshots] for 
RESOURCE(S) [arn:aws:ec2:*:*:instance/*, arn:aws:ec2:*:*:volume/*] with CONDITION(S) [{Condition Key: [ec2:ResourceTag/AWSRDSCustom], Type: [StringEquals], Values: [custom-oracle]}], EFFECT [Allow] on ACTION(S) [ec2:CreateSnapshots] for RESOURCE(S) [arn:aws:ec2:*::snapshot/*], EFFECT [Allow] on ACTION(S) [ec2:CreateTags] for RESOURCE(S) [*] with CONDITION(S) [{Condition Key: [ec2:CreateAction], Type: [StringLike], Values: [CreateSnapshots]}]

AWS CLI

我使用 AWS CLI 列出了此账户中的实例配置文件(确切的 cmd:aws iam list-instance-profiles),输出显示有一个实例配置文件“AWSRDSCustomInstanceProfile-ap-southeast-1”:

aws iam list-instance-profiles-for-role --role-name "AWSRDSCustomInstanceRole-ap-southeast-1"
{
    "InstanceProfiles": [
        {
            "Path": "/",
            "InstanceProfileName": "AWSRDSCustomInstanceProfile-ap-southeast-1",
            "InstanceProfileId": "AIPA3FLD2IVP4D2NGYDUD",
            "Arn": "arn:aws:iam::<removed>:instance-profile/AWSRDSCustomInstanceProfile-ap-southeast-1",
            "CreateDate": "2024-02-07T14:25:28+00:00",
            "Roles": [
                {
                    "Path": "/",
                    "RoleName": "AWSRDSCustomInstanceRole-ap-southeast-1",
                    "RoleId": "AROA3FLD2IVPXSQN6HUG3",
                    "Arn": "arn:aws:iam::<removed>:role/AWSRDSCustomInstanceRole-ap-southeast-1",
                    "CreateDate": "2024-02-07T14:25:27+00:00",
                    "AssumeRolePolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [
                            {
                                "Effect": "Allow",
                                "Principal": {
                                    "Service": "ec2.amazonaws.com"
                                },
                                "Action": "sts:AssumeRole"
                            }
                        ]
                    }
                }
            ]
        },
    ]
}

获取附加到角色“AWSRDSCustomInstanceRole-ap-southeast-1”的策略

aws iam list-attached-role-policies --role-name "AWSRDSCustomInstanceRole-ap-southeast-1" 
{
    "AttachedPolicies": [
        {
            "PolicyName": "AWSRDSCustomIamRolePolicyExample",
            "PolicyArn": "arn:aws:iam::<removed>:policy/AWSRDSCustomIamRolePolicyExample"
        }
    ]
}

但是,没有列出任何角色为“AWSRDSCustomInstanceRole-ap-southeast-1”的内联策略

aws iam list-role-policies --role-name "AWSRDSCustomInstanceRole-ap-southeast-1"
{
    "PolicyNames": []
}
amazon-rds amazon-iam terraform-provider-aws

您的错误告诉您需要添加已指定的所有操作。查看本文档中的第 3 步,我相信问题在于您的

assume_role_policy
阻止 RDS 承担该角色——它只允许 EC2 承担,而 RDS 是一个独立的服务

# note the change to: identifiers
# NOTE(review): the failing check in the question is on "the IAM instance
# profile role", and an instance profile is attached to the EC2 host that RDS
# Custom manages, so ec2.amazonaws.com is the principal such a role normally
# trusts. The second answer on this page attributes the failure to a
# service-side pre-check rather than to this trust policy. Confirm against the
# RDS Custom for Oracle setup documentation before switching the principal.
data "aws_iam_policy_document" "assume_rds_role" {
  statement {
    effect = "Allow"
 
    principals {
      type        = "Service"
      identifiers = ["rds.amazonaws.com"]
    }
 
    actions = ["sts:AssumeRole"]
  }
}

resource "aws_iam_role" "rds_custom_role" {
  # Same role definition as in the question; only the trust policy it
  # references differs in this answer.
  assume_role_policy = data.aws_iam_policy_document.assume_rds_role.json
  path               = "/"
  name               = "AWSRDSCustomInstanceRole-ap-southeast-1"
}


Amazon RDS Custom 团队已答复我的支持案例并解决了问题,失败原因和解决方案如下:

您的 AWS 账户已列入区域 ap-southeast-1 的允许名单,可以使用现有 SCP 策略创建自定义 Oracle 实例。目前,使用包含条件键的 SCP 策略的客户的角色权限验证存在限制。

在此用例中,AWS 账户被添加到 RDS Custom for Oracle 的许可名单中,该账户被列入许可名单以绕过服务端预检查。此预检查验证由其 IAM 策略定义的用户角色是否拥有创建数据库和运行后续自动化(例如:数据库修补或时间点恢复)所需的所有权限。然而,如果客户设置了任何 SCP,预检查总是会失败并出现漏报。

这与在这种特殊情况下这些 SCP 是否允许或禁止实例创建无关。将账户添加到白名单只是为了禁用客户的预检查以避免漏报,并不会禁用或绕过 SCP。预检查中的这种误报行为是一个缺陷,服务团队正在努力进行长期修复以避免这种情况。如果您想加入其他 AWS 账户或加入其他区域,请联系我们,因为我们需要再次将您列入许可名单。

以下内容旨在解决您之前的疑问并澄清此行为。

  1. 此问题仅影响 RDS Custom Oracle 吗? 是的,此问题仅影响 RDS Custom Oracle。

  2. 我们知道这个问题出现在哪个版本吗? 此问题不是基于引擎版本,而是基于帐户。如前所述,不幸的是,这是一个服务缺陷,需要内部团队手动干预才能将帐户列入白名单。

请尝试使用与之前相同的 IAM 实例配置文件角色 [AWSRDSCustomInstanceRole-ap-southeast-1] 再次创建 RDS 自定义 Oracle 实例。
