How to assign a policy to an ad hoc user?
Question
With cross-account role someaccountrole, I have access to AWS account xyz.
Case 1
To create a stack in account xyz, we upload the CloudFormation file through the console.
Amidst stack creation, in the Events tab we see the very first event, as shown below:
Case 2
We create an EC2 instance in the xyz account.
Using sam deploy (https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-cli-command-reference-sam-deploy.html), where sam deploy is a wrapper of aws cloudformation deploy, we run the command below from the EC2 instance to create the stack:
aws cloudformation deploy --template-file cfntemplate.yml --stack-name somestack-test --region us-east-1
Amidst stack creation, we see a similar event created (as shown below):
In case 2, the user is arn:aws:sts::${AccountId}:assumed-role/Autodeploy/i-0000000cc4, where we created the Autodeploy role and assigned it to EC2. This user disappears after stack creation is complete.
But in case 2, the user (i-0000000cc4) needs permission to perform the following operations, unlike case 1:
{
"Action": [
"cloudformation:CreateStack",
"cloudformation:CreateChangeSet",
"cloudformation:CreateUploadBucket",
"cloudformation:ExecuteChangeSet",
"cloudformation:DeleteStack",
"cloudformation:Describe*",
"cloudformation:UpdateStack"
],
"Resource": [
"arn:aws:cloudformation:us-east-1:${AccountId}:stack/somestack*"
],
"Effect": "Allow"
}
Otherwise, the Events tab gives the error below in case 2:
User: arn:aws:sts::${AccountId}:assumed-role/Autodeploy/i-0000000cc4 is not authorized to perform: cloudformation:CreateChangeSet on resource: arn:aws:cloudformation:us-east-1:${AccountId}:stack/somestack-test
1) In case 1, permissions are given as someaccountrole for stack creation. But in case 2, why does stack creation through the AWS CLI require stack creation permission?
2) How to assign an inline policy (short-living) to such a temporary session resource (i-0000000cc4) instead of to an EC2 instance?
Answer
1) In case 1, permissions are given as someaccountrole for stack creation. But in case 2, why does stack creation through the AWS CLI require stack creation permission?
The stack in case 1 is created by the role you specify with the Permissions stack option, see [1]. This AWS Identity and Access Management (IAM) service role usually has the required cloudformation:... permissions you listed above.
2) How to assign an inline policy (short-living) to such a temporary session resource (i-0000000cc4) instead of to an EC2 instance?
Assigning the policy to the EC2 instance's instance profile is correct!
If you want to run an AWS CLI command from the EC2 instance and you want to use the Instance Metadata Service to authenticate your CLI session, you have to attach the required permissions as an inline policy of the role which is attached to your EC2 instance via the instance profile.
For more information about the Instance Metadata Service, see [2][3]. For an unofficial but thorough blog post which explains the concepts well, see [4].
[1] https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-add-tags.html
[2] https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-metadata.html
[3] https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#instance-metadata-security-credentials
[4] https://blog.gruntwork.io/authenticating-to-aws-with-instance-metadata-b6d812a86b40
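As an added example (not part of the question or the answer above), the Python script below parses the access-denied event quoted in the question, shows that the denied principal is a session of the Autodeploy role named after the instance id rather than an IAM user, and checks whether the inline policy statement from the question would cover the denied action and resource before it is attached to the role behind the instance profile. The account id is a constructed placeholder, and the matcher only models Allow statements with * wildcards, not full IAM evaluation.

```python
import fnmatch
import re

ACCOUNT_ID = "123456789012"  # constructed placeholder, not a real account id
# The statement from the question, as an inline policy document for the Autodeploy role.
INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["cloudformation:CreateStack", "cloudformation:CreateChangeSet",
                   "cloudformation:CreateUploadBucket", "cloudformation:ExecuteChangeSet",
                   "cloudformation:DeleteStack", "cloudformation:Describe*",
                   "cloudformation:UpdateStack"],
        "Resource": [f"arn:aws:cloudformation:us-east-1:{ACCOUNT_ID}:stack/somestack*"],
    }],
}
# Shape of the AccessDenied message the Events tab shows in the question.
DENIED_RE = re.compile(r"User: (?P<principal>\S+) is not authorized to perform: "
                       r"(?P<action>\S+) on resource: (?P<resource>\S+)")
# Constructed sample event, copied in shape from the error quoted in the question.
SAMPLE_EVENT = (f"User: arn:aws:sts::{ACCOUNT_ID}:assumed-role/Autodeploy/i-0000000cc4 "
               "is not authorized to perform: cloudformation:CreateChangeSet on resource: "
               f"arn:aws:cloudformation:us-east-1:{ACCOUNT_ID}:stack/somestack-test")

def parse_denied(event_text):
    """Return principal, action and resource from an access-denied event (line breaks collapsed)."""
    match = DENIED_RE.search(" ".join(event_text.split()))
    if not match:
        raise ValueError("not an access-denied event")
    return match.groupdict()

def session_role_name(principal_arn):
    """Split an STS assumed-role ARN into (role name, session name). With an instance profile
    the session name is the instance id, so 'i-0000000cc4' is a session, not an IAM user."""
    role, session = principal_arn.split(":assumed-role/", 1)[1].split("/", 1)
    return role, session

def policy_allows(policy, action, resource):
    """True if an Allow statement matches both action and resource using * wildcards.
    Deny statements, conditions and NotAction/NotResource are deliberately not modelled."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if (any(fnmatch.fnmatchcase(action, a) for a in actions)
                and any(fnmatch.fnmatchcase(resource, r) for r in resources)):
            return True
    return False
```

Once the check passes, the same INLINE_POLICY document is what would be attached to the Autodeploy role (for example with aws iam put-role-policy), since the i-0000000cc4 session inherits the role's policies for as long as the instance credentials exist.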